HIPAA Compliant Email

HIPAA, or The Health Insurance Portability and Accountability Act of 1996, is a federal U.S. healthcare law that sets the national standards and requirements needed to protect sensitive patient personal health information from being disclosed without knowledge or consent.

These requirements set the standards for the use and disclosure of sensitive patient health information. They also strictly safeguard personally identifiable information by companies within the healthcare and health insurance industries.

The HIPAA Privacy Rule and HIPAA Security Rule requires Covered Entities, such as medical practices, to obtain written assurances that their business and/or associates will safeguard electronic Protected Health Information (PHI) appropriately. If a medical practice, hospital, or other healthcare related business does not comply with the privacy rule, the result may be civil and/or criminal penalties.

Simply put, HIPAA compliant email is an email solution that adheres to The HIPAA Privacy Rule and HIPAA Security Rule requirements by using end-to-end encryption in all email communications in order to safeguard and protect personal health information (PHI) that is electronically transmitted.

Microsoft has safeguards in place that are required by HIPAA for various Microsoft 365 services. These safeguards are in place for many of their services including Office Online, Exchange Online, as well as SharePoint Online and OneDrive for Business. View more on Microsoft and HIPAA and the HITECH Act.

With Microsoft 365 Business Professional, users have access to an optional privacy and security contractual supplement called a HIPAA business associate agreement (BAA). This assists Microsoft 365 customers the meet requirements for HIPAA compliant email.

With Microsoft 365, making your email HIPAA compliant is a simple process that takes no more than several minutes.

Here’s how to do it.

1. Sign up for the Microsoft 365 Business Professional email plan. This allows for the use of HIPAA compliant email as an add-on.
2. After your email account has been activated, you will next need to set up your HIPAA compliant email.
3. Electronically sign the Microsoft 365 HIPAA Business Associate Agreement (BAA). This ensures that all the emails set up for your organization under your subscription are automatically HIPAA compliant.

Note: If you have multiple employees and staff email accounts on the same Microsoft 365 Business Professional email plan, there is no need for those email accounts to have separate Business Professional subscriptions for their email accounts to be HIPAA compliant.

For more detailed step-by-step instructions, see our article: How to make your email HIPAA compliant.

1. When logged into your Microsoft 365 account and in your Email & Office dashboard, click on the menu icon in the top left and select Add-Ins from the drop down that displays.
2. After selecting Add-Ins, you will be shown different Add-In options to choose from.
3. Locate the HIPAA compliant email Add-In option. Next to HIPAA compliant email, choose Get started.
4. After selecting Get Started, you will then be presented with a checkbox that states, I agree to the Microsoft 365 HIPAA Business Associate Agreement where you can view and read the agreement form for your account.