How to maintain HIPAA compliance with Microsoft 365 email

Getting personal

Many healthcare providers are finding new ways to keep protected health information (PHI) guarded with email systems and other cloud services that support HIPAA compliance. Suites like Microsoft Office 365 and others can help healthcare providers stay compliant with HIPAA. Still, just having email or cloud service does not on its own achieve HIPAA compliance or full protection.

Before we dive into the technology, let’s look at the sensitivity of healthcare data, how the healthcare industry is evolving as a result, and what ways protected health information is a liability if not handled properly.

An industry on the cusp of digital innovation

At the core of our rapid-fire online age are health insurance and healthcare systems — sectors that have been some of the slowest to evolve. Similar to the financial services industry, a consumer’s experience in a healthcare setting today runs nearly parallel to what it was 10 years ago. Paper trails and file folders are still common in many practices instead of digital records. Some insurance companies still mail neatly printed ID cards to their policyholders each year instead of emailing a file for download. But the healthcare industry is on the cusp of an innovation that will revolutionize healthcare in the 21st century.

In the next five years, apps, cloud technology and software systems could effectively begin to manage patient data on a massive scale.


As a general rule, email is not secure, instant messaging is unstable, and websites using HTTP (as opposed to HTTPS) are far from guarded. So how will personal health data be protected in an era of website hacks and email leaks?

What is PHI?

Protected health information consists of demographic details that can identify an individual.


It includes name, birthdate, Social Security number and even credit card information. PHI often lurks in simple emails such as appointment requests or transfer-of-record requests. Maintaining HIPAA-compliant email and CRMs requires encryption and secure software systems that meet the standards set by federal regulation.

Tip: Healthcare entrepreneurs and startups need to think about PHI before signing up for free or low-cost solutions that help their bottom line.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses concerns over the potential abuse of the privacy of health information. HIPAA is a federal regulation that was developed to protect the privacy of a consumer’s personal health details. There are specific rules about when, how and what kind of information can be shared between different entities.

Avoiding HIPAA violations is extremely important.


The Department of Health and Human Services (HHS) has stated that it will increase audits in the upcoming months and years. Violators can face fines of hundreds of thousands to millions of dollars, and the federal government has sent several convicted violators to jail. HHS has shown a willingness to pursue violators, from large corporations to small nonprofits, and continues to emphasize the need for healthcare entities to perform accurate and thorough security risk assessments.

Read a summary of the HIPAA Security Rule.

The role of Microsoft 365

Microsoft 365 meets many of the compliance regulation requirements for healthcare organizations around the globe. It complies with the HIPAA Business Associate Agreement, and meets the breach notification requirements of ARRA/HITECH, ISO 27001, the Federal Information Security Management Act, EU Safe Harbor, the EU Model Clauses and the Data Processing Agreement.

Email regulations for HIPAA compliance

When considering a software solution like Microsoft 365 that supports HIPAA compliance, it’s important to remember that HIPAA requires three specific areas to be addressed when it comes to email, one of the biggest sources of compliance violations:


It is the healthcare provider’s responsibility to ensure anyone handling PHI is properly trained and understands how to handle confidential data. Extra email security, and scanning outgoing emails for sensitive data before they are sent, help healthcare organizations keep a handle on how emails are distributed and what is being sent.
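The outbound scanning described above is usually done by a mail gateway or by the suite’s own data loss prevention (DLP) policies. The following is an added, self-contained example (not code from GoDaddy, Microsoft or the original article) that shows the core logic such a check performs: it looks for the identifiers this article names as PHI (Social Security numbers, dates of birth, credit card numbers) in outgoing message text, validates card-like digit strings with the Luhn checksum to cut false positives, and either blocks the message or redacts the findings. The sample messages are constructed for this example and contain no real patient data.

```python
import re
from typing import Dict, List

# Constructed sample outgoing messages (hypothetical; not real patient data).
SAMPLE_MESSAGES = [
    "Hi, please transfer records for Jane Doe, DOB 03/14/1985, SSN 123-45-6789 to our office.",
    "Reminder: your appointment is Tuesday at 10am. Reply to reschedule.",
    "Billing: card 4111 1111 1111 1111 exp 09/27 was declined, please call.",
]

# Detection patterns for the PHI identifiers the article names.
# A bare date is not PHI on its own, so the DOB rule requires a "DOB"/"date of birth" label
# next to it to avoid flagging appointment dates.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    # 13-16 digits, optionally separated by spaces or dashes; Luhn-checked below.
    "card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _card_is_real(match_text: str) -> bool:
    """Keep only card-like strings whose digits satisfy Luhn (drops most random digit runs)."""
    return luhn_valid(re.sub(r"\D", "", match_text))


def scan_message(text: str) -> Dict[str, List[str]]:
    """Return a mapping of identifier type -> list of matched strings found in the text."""
    findings: Dict[str, List[str]] = {}
    for name, pat in PATTERNS.items():
        matches = [m.group(0) for m in pat.finditer(text)]
        if name == "card":
            matches = [m for m in matches if _card_is_real(m)]
        if matches:
            findings[name] = matches
    return findings


def should_block(text: str) -> bool:
    """Policy decision: block sending when any PHI identifier is detected."""
    return bool(scan_message(text))


def redact(text: str) -> str:
    """Alternative to blocking: replace each detected identifier with a labelled placeholder."""
    for name, pat in PATTERNS.items():
        def _sub(m: "re.Match[str]", name: str = name) -> str:
            if name == "card" and not _card_is_real(m.group(0)):
                return m.group(0)  # not Luhn-valid, leave untouched
            return f"[REDACTED-{name.upper()}]"
        text = pat.sub(_sub, text)
    return text


def triage(messages: List[str]) -> List[str]:
    """Return 'block' or 'allow' for each message, in order."""
    return ["block" if should_block(m) else "allow" for m in messages]


if __name__ == "__main__":
    for msg, decision in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(decision.upper(), "|", scan_message(msg), "|", redact(msg))
```

In a real deployment the decision would be logged (without the PHI itself) so that the organization’s incident records, mentioned in step 5 below, capture how often staff attempt to email PHI in the clear; the Luhn filter is what keeps phone numbers and reference IDs from tripping the card rule.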


Patients must be notified of the risk of communicating with their provider by email, and consent should be obtained from patients before emails are ever exchanged.

Business Associate Agreement

Companies like Microsoft offer third-party solutions to healthcare organizations to stay HIPAA compliant. HIPAA refers to these companies as business associates. Business associates are required to sign an agreement that states they will protect patient information with the same standards as the healthcare provider.

5 steps to achieving HIPAA-compliant email

If you are ready to ensure your email system complies with HIPAA, here’s how to get started.

  1. Risk assessment. Analyze vulnerabilities and potential risk within the organization.
  2. Determine a third-party compliance solution. This might be Microsoft 365 or another suite.
  3. Communicate with IT. Ensure your technology team is aware of the new software so it can secure processes not only for email but also for the website and instant chat.
  4. Train users. It is an organization’s responsibility to set up Microsoft 365 properly and train its staff to use PHI in a way that does not violate HIPAA. Make sure team training is documented and thorough. And save documentation for reference and for training future staff members.
  5. Document ongoing risk. Log potential security incidents and communicate with technology and marketing/public relations staff if a security issue arises.

The above content should not be construed as legal advice. Always consult an attorney regarding your specific legal situation.

See how GoDaddy can help provide your business with HIPAA compliant email solutions.

Image by: fukapon Flickr via Compfight cc