For companies in the healthcare industry, ensuring that email communication being used within the organization is HIPAA compliant is absolutely essential to protect patient healthcare information. Not to mention, it is required by law for all healthcare organizations to do so – which includes healthcare insurance companies. But, just what is HIPAA and how can you make your email HIPAA compliant? These are the very questions that this post will address.
In addition, this post will also provide instructions and show you the steps to making your email HIPAA compliant.
So, let’s dive in.
HIPAA, or The Health Insurance Portability and Accountability Act of 1996, is a federal US healthcare law that establishes national standards and requirements to protect sensitive patient personal health information from being disclosed to anyone without their knowledge or consent.
These requirements set standards for the use and disclosure of sensitive patient health information, but also for the strict safeguarding of personally identifiable information by companies in the healthcare and health insurance industries.
The HIPAA Privacy Rule and HIPAA Security Rule requires for covered entities, such as medical practices, to obtain written assurances that their business and/or associates will safeguard electronic Protected Health Information (PHI) appropriately. If a medical practice, hospital or other healthcare related business does not comply with the rules, the result may transpire in civil and/or criminal penalties.
HIPAA compliant email is email that adheres to The HIPAA Privacy Rule and HIPAA Security Rule requirements by using end-to-end encryption in order to properly protect personal health information, or PHI, that is transmitted electronically.
1 – To ensure that your email is HIPAA compliant, you will need to use an email service that offers and meets the security requirements outlined by HIPAA standards. The option we recommend is a Business Premium email account subscription for your email plan through Microsoft 365 from GoDaddy. This allows for the purchase and use of HIPAA compliant email as an add-on. A benefit to this option is that if you have multiple employees and staff email accounts on the same Business Premium plan, there isn’t a need for those email accounts to have separate Business Premium subscriptions for their email to be HIPAA compliant.
2 – After your email account has been activated, you will next need to set up your HIPAA compliant email.
3 – Electronically sign the Microsoft 365 HIPAA Business Associate Agreement (BAA). This is the last step in ensuring that all the emails set up for your organization under the Business Premium email subscription plan are automatically HIPAA compliant.
Microsoft has added safeguards that are required by HIPAA for various Microsoft 365 services. These safeguards are in place for services including Office Online, Exchange Online, in addition to SharePoint Online and OneDrive for Business. View more on Microsoft and HIPAA and the HITECH Act.
When using Microsoft 365 Business Premium, an optional privacy and security contractual supplement called a HIPAA business associate agreement (or BAA) is also offered in effort to assist Microsoft 365 customers meet requirements for HIPAA compliant email.
Okay, so now that we have that covered, let’s review how to actually make your email HIPAA compliant.
Note: These steps assume you have already signed up for a Microsoft 365 Business Premium email subscription plan. If you have not already done so, you may sign up for a subscription here.
How do I make my email HIPAA compliant?
Time needed: 5 minutes.
How to make your email HIPAA compliant
- Sign into your Microsoft 365 email account.
Using your Microsoft 365 email address and password, start by signing into your account from the Office 365 sign in page.
- Select Add-Ins.
Once logged into your Microsoft 365 account, you will then be able to access your Email & Office dashboard. Click on the menu icon in the top left and select Add-Ins from the drop down that displays.
- Add the HIPAA compliant email Add-In.
After selecting Add-Ins, you will be shown different Add-In options to choose from. You’re looking for the HIPAA compliant email Add-In option. Next to HIPAA compliant email, choose Get started.
- Agree to the Microsoft 365 HIPAA Business Associate Agreement.
After selecting Get Started, you will then be presented with a checkbox that states, I agree to the Microsoft 365 HIPAA Business Associate Agreement. Go ahead and select the checkbox to agree to the BAA.
- Enter your contact details.
After agreeing to the Business Associate Agreement (BAA), you will then be asked to enter your contact details. Go ahead and add in your contact details as Microsoft will require these so that they can contact all customers in the highly unlikely instance of a data breach.
- Accept & Send.
After adding in contact details, the last step is to go ahead and choose to Accept & Send. And that’s it. After completing this step, the email accounts you create under the current email plan will now automatically be HIPAA compliant.
If you followed these steps, you’re all set. Congratulations!
However, if you got stuck anywhere along the way or have additional questions, not to worry. We want to answer your questions and are here to help you get set up correctly.
So, take a moment to review the following FAQ’s and feel free to get in touch if you need to.
Additional questions about HIPAA email compliance?
To get started with HIPAA compliant email, the first step is to sign up for a Microsoft 365 Business Premium plan. After you sign up for an email account with Business Premium, you can then purchase HIPAA compliant email as an add-on. Any other email accounts that are on the same plan do not need to have their own Business Premium account in order to be in compliance.
After you’ve purchased and set up your Microsoft 365 email, you may then complete the activation of your HIPAA compliant email.
No, there is no noticeable difference after activating your HIPAA compliant email. Everything about your email will still function and work the same as before. The only difference now is that the necessary security features are at work behind the scenes.
No problem. In fact, this is quite often the case. Your healthcare organization only needs one Business Premium email subscription to make all other email address accounts compliant. The account holder of the Business Premium subscription will usually belong to an administrator.
There is no need to buy a Business Premium subscription for every person who needs an email address. As long as every email that needs to be compliant is added under the Business Premium subscription, all email address accounts will be HIPAA compliant.
The short answer is, no, not automatically. With a business associate agreement, or BAA, this helps your organization become one step closer to becoming compliant. Having HIPAA compliant email is only one requirement to being HIPAA compliant, but there are several other requirements that organizations must adhere to in order to be in complete compliance.
Regulations and requirements can often change in a very short amount of time. For this reason, it is recommended to use Microsoft Compliance Manager in order to stay up to date on the status of your organization’s email compliance.
With Microsoft 365 Business Premium, users have access to Microsoft Compliance Manager from the Email & Office dashboard. Compliance Manager is a useful tool that shows your organization’s current compliance score, as well as help you identify what needs attention. Compliance Manager will even guide you on key actions that may help improve your score.
See how Compliance Manager can help simplify the way your organization manages compliance in this short video.
Our support guides are ready to help. If you have any questions or even want us to help you with the setup of your email, expert guides can be reached by calling (480) 624-2500 to offer the assistance you need 24/7.
You can also visit our Microsoft 365 from GoDaddy Help Center for additional articles and instruction related to Office 365 email.