A question OneNeck customers dealing with electronic private healthcare information (ePHI) often ask is whether Microsoft Teams is HIPAA compliant. These customers utilize M365 and Teams within their organizations and value the easy and effective collaboration it brings. Still, they are concerned about the implications of using these services when PHI is so critical to their business. So, is Teams compliant? Absolutely. However, there are steps that every organization must take to establish and maintain this compliance.
The safeguards of the HIPAA Security Rule for compliance are broken down into three main sections: technical, physical and administrative safeguards. For our purposes, we’ll primarily focus here on the necessary technical safeguards.
One of the most important technology-related HIPAA security requirements is that all ePHI must be encrypted, so that only authorized users can access the data and, in the event of a breach, any compromised data is indecipherable. Another crucial security requirement is that every authorized user with access to ePHI must have a unique user identification so their use can be monitored. As for physical devices, technology with HIPAA compliance must have an automatic log-off feature to prevent unauthorized access if the device is left unattended.
Microsoft Teams is developed with security at the forefront of its design and is well suited to meet HIPAA security requirements. Microsoft Teams has the following safeguards in place that assist in the securing of ePHI:
- Access Controls provide users with login credentials that are unique to them, ensuring that PHI is only accessible to authorized users.
- Single sign-on (SSO) enables users to secure access to related systems with one login credential (Microsoft Teams, M365, etc.).
- Multi-Factor Authentication (MFA) requires users to submit multiple credentials to access data (username and password, biometrics, security questions, etc.), thus confirming that the login is legitimate.
- Audit Logs track access to ePHI to ensure observance of all the necessary standards.
- Encryption transforms ePHI into a format only accessible via a decryption key, preventing unauthorized access to data at rest and in transit.
It is essential to note that while Microsoft Teams does include the necessary security features for HIPAA compliance, in many cases, the organization and its users must properly configure specific settings along with the implementation of companywide policies ensuring the safeguards above are followed. Ultimately, your organization’s policies, IT department and users must actively work together to ensure compliance is not only initially attained but constantly maintained.
BAA (Business Associate Agreement)
Per HIPAA 45 CFR 164.504(e), a business associate agreement (BAA) is required for any organization that will process PHI on another company’s behalf. This agreement provides the required security controls, the responsibilities of the parties involved and how PHI can be used. Even with all necessary security policies and controls enabled in Microsoft Teams, it would not qualify for HIPAA compliance until a signed BAA is in place.
Fundamental aspects of a HIPAA BAA include:
- A description of how business associates are permitted and required to use PHI.
- A requirement that PHI is used or disclosed only as contracted or as required by law.
- A requirement that business associates apply appropriate security measures to ensure PHI is used in accordance with all contract terms.
- A requirement that reasonable steps be taken to resolve any breach as soon as it is detected.
Fortunately, Microsoft states on its website that it is willing to sign a BAA with organizations utilizing Microsoft Teams for PHI. It is important to note that Microsoft also provides a disclaimer that the end user assumes responsibility for ensuring that Microsoft Teams is configured for HIPAA compliance. Once this BAA is signed, an organization can process and store ePHI with Microsoft Teams. One additional important point to note: even if an organization already has a signed BAA with Microsoft for M365 or other services, it must confirm that Microsoft Teams is specified in that agreement; if not, an additional Microsoft Teams BAA is required.
Organizational Responsibility for Maintaining Teams Compliance
Even with Microsoft Teams’ built-in security controls and a signed BAA, every organization must understand that they ultimately bear the responsibility of ensuring their use of Microsoft Teams is HIPAA compliant. Organizations must place a priority on practicing the appropriate security hygiene necessary to minimize security risks.
To remain HIPAA compliant, your organization must make the security and safety of PHI paramount. This requires top-down buy-in from the entire organization. Not only must HIPAA policies and procedures be established, but appropriate security awareness training must be routinely conducted, so everyone involved understands these best practices.
Ultimately, Microsoft Teams is capable of meeting all the security features and legal agreements required for HIPAA compliance. Nonetheless, whatever tools are used, maintaining compliance relies on your organization and its ability to establish and enforce HIPAA policies and procedures.