Microsoft Teams and Office 365 HIPAA compliance

Learn how Office 365 is designed to comply with HIPAA and how Syskit Point can help you implement security controls in your environment.

A 2018 annual survey from A.T. Kearney revealed that more than 85% of C-level executives around the world reported experiencing a breach in the past three years. Because health information is so sensitive, healthcare providers face increasingly complex fraud challenges and cybersecurity workforce issues.

To fight these challenges, all healthcare organizations need to implement HIPAA compliance mechanisms into their cyber defense strategy. This blog post tackles the strategies and tactics that companies using the Office 365 platform have at their disposal to comply with HIPAA regulations.

What HIPAA is and whom it concerns

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

A key component of HIPAA compliance is the demonstration of appropriate internal IT controls. These controls should be designed to mitigate risk and create safeguards for legally protected health information stored and transmitted in electronic form (ePHI). ePHI is defined in HIPAA regulation as any protected health information that is created, stored, transmitted, or received in any electronic format or media.


The HIPAA Privacy rule and Security rule

The HIPAA regulation consists of two rules – the Privacy Rule and the Security Rule. While the Privacy Rule sets the standards for, among other things, who may have access to PHI, the Security Rule sets the mechanisms to ensure that only people who should have access to ePHI will indeed have access.

It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes ePHI that is created, received, maintained, or transmitted. For example, ePHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means.

Challenges facing health organizations regarding HIPAA compliance

The challenges that health organizations face in the era of cloud technologies and enhanced data accessibility are getting bigger each day. Some of the most apparent hassles are:

  • Improved mobility and collaboration that increase threat exposure.
  • Data leaks and targeted attacks that increase recovery costs and erode patient trust.
  • Complex compliance regulations that increase scrutiny and the need for data transparency.

At a high level, the HIPAA Privacy Rule ensures individuals have minimum protections under the law. The HIPAA Security Rule, however, requires healthcare organizations to perform specific security actions such as:

  • Ensure the confidentiality and availability of all ePHI created, maintained, received, or transmitted.
  • Regularly review system activity records, such as access reports, audit logs, and security incident tracking reports.
  • Establish, review, document, and modify a user’s right to access a workstation, transaction, program, or process containing ePHI.
  • Track login attempts and report discrepancies.
  • Identify, respond to, and document security incidents.
  • Acquire satisfactory assurances from their vendors (i.e., Business Associates) before exchanging ePHI with them.

Updates to Office 365 HIPAA and GDPR regulations

Organizations in every industry, including many US government agencies, are upgrading to Microsoft 365 to improve their security posture. Microsoft 365 and Microsoft Teams have been designed to meet security standards, with architectural advancements built into every layer of the cloud stack.

However, functionality, security, and privacy implications must be understood and addressed before sending data to the cloud. It requires HIPAA Security Officers to ask the critical question: “How does using Office 365 and Teams enable me to meet the HIPAA Security and Privacy requirements in my environment?”

Microsoft has focused heavily on security and holds a range of global, regional, US, and industry certifications. On that foundation, Microsoft 365 and Teams can easily be configured to support HIPAA security and privacy requirements.

Data security and HIPAA compliance in Office 365 and Microsoft Teams

Following Microsoft’s recent compliance with the HIPAA Security Rule and HITRUST certification in Azure and Office 365, the Azure Information Protection (AIP) suite now provides organizations with integrated, turn-key security controls. AIP is a cloud-based solution that enables organizations to classify and protect documents and emails by applying labels. Labeling helps company administrators detect sensitive data, such as ePHI.

On top of that, other security mechanisms, such as data loss prevention, security incident and event management, data classification, and encryption of data at rest, are built centrally into the Microsoft 365 cloud.

Microsoft Teams is a unified communications hub that combines workplace chat, video meetings, file storage, and application integration. The service integrates with the Office 365 Security and Compliance subscription and the Office productivity suite, and offers extensions that can integrate with non-Microsoft products.

Who has responsibility for data safety in the cloud


Microsoft recommendations for healthcare providers

Microsoft recommends companies develop policies on evaluating, adopting, and using cloud services to minimize inconsistencies and vulnerabilities that attackers can exploit. Companies should ensure that governance and security policies are updated for cloud services and implemented across the organization:

  • Identity policies
  • Data policies
  • Compliance policies and documentation

IT administrators in your company have control over the cloud services and identity management services. Therefore, your security officers and IT managers must ensure consistent access controls such as monitoring:

  • Privileged accounts,
  • credentials, and
  • workstations where the accounts are used

As an organization, you own your data and control how it should be used, shared, updated, and published. As a part of your governance processes, you should classify your sensitive data and ensure it is protected and monitored with the appropriate access controls wherever it is stored and in transit.

Security features inside Microsoft 365 and Teams


Flow of information in Microsoft 365 and Azure Information Protection

By leveraging the Microsoft 365 E5 business subscription, organizations can access a host of tools, such as the aforementioned Azure Information Protection (AIP) tools. Azure Information Protection controls Exchange and SharePoint files, messages, calls, and meetings.

For example, with AIP, you could easily choose which internal and external users can edit, print, copy, and send documents. Your administration team can apply these choices automatically through SharePoint, or the user can do it in SharePoint and Outlook.

It also allows you to revoke access to a document after granting permission. You can do it either manually or schedule it for a fixed date. For instance, you may wish to only allow an external user access to a document during the lifetime of a project or a sales proposal.

AIP also provides Office 365 Message Encryption (OME) as an extra layer of security. This gives your users the ability to encrypt emails when sending them from Outlook.

AIP tools are integrated into Microsoft’s cloud stack architecture, so Security and Compliance personnel can manage them centrally in Microsoft 365. All application data flows through Microsoft 365, as illustrated below:

Figure: flow of information in Microsoft 365

Microsoft Teams and Office 365 HIPAA procedures

The compliance table below shows some of the instances in which Microsoft 365 and/or Microsoft Teams can be configured to enforce controls defined by the organization’s HIPAA Security Policies and Procedures.

Table (image in the original post): key activities Microsoft 365 and Teams integrate to comply with HIPAA

Check the entire table at

How Syskit Point helps you with Office 365 HIPAA compliance

Syskit Point is an Office 365 governance and security web app that auto-discovers your Office 365 inventory, provides detailed access reports, and tracks user activity. It is a significant help to healthcare providers that store patients’ data in the Microsoft 365 cloud. Here are a couple of features that may come in handy in protecting and securing your users’ ePHI:

Audit logs

Track all users’ and admins’ activities across your Office 365 environment, including content, permission changes, and login attempts. Detect unauthorized changes, track suspicious external sharing, and avoid possible security breaches. Save and analyze audit logs for an extended period to comply with your governance policies.

Figure: O365 user activity

User Access Report

See who has access to which document, site, or team. Use built-in filtering to understand the permissions on any file within your Office 365 environment. Find users who have access to a specific file or folder (where the sensitive data is usually stored) and check who they are and how they obtained their access. Add or remove a user from multiple sites, teams, and groups at once.

External Users Report

Monitor activities of external and guest users, see how they interact with your Office 365 content, and track their permission changes. Remove external users in bulk directly from the report.

Detect external users and externally shared content in your environment. Generate reports on Teams, Office 365 Groups, and OneDrive external sharing.

Review all sharing settings on a tenant level and check where the external sharing is enabled. See which type of sharing is enabled (anonymous or authenticated), and which content is potentially vulnerable to security breaches. Revoke sharing directly from the report.

Figure: external user access report

Unique Permissions Report

Check which content has unique permissions due to uncontrolled sharing. Decide which unique permissions can remain and which need to be managed. If necessary, restore permissions inheritance right from the report.

Sharing Links Report

Find out whether files were shared with anonymous users or with guest users from other departments or outside the company. See when the sharing links were created, when they expire, and what type of rights they grant. Remove them with just one click to maximize the security of your environment.

Detect if your users have been sharing content from their OneDrive with external users. Stop all file sharing when a user leaves the company or if a security breach is detected.

Figure: all sharing links in the Office 365 tenant

Automated Periodical Access Reviews

Automate access evaluations by asking site, Microsoft Teams, and Microsoft 365 Group owners to review access to their resources. Ensure they verify their users’ access regularly and that there are no permission breaches or unauthorized activity on sensitive files.

Figure: Office 365 access review

Users with Privileged Access Report

See who the privileged users in your tenant are. Check where administrators, full-access roles, resource owners, and other powerful user roles have access. Make an informed decision whether they should keep their existing access or whether you wish to reduce it. If you wish to try Syskit Point before committing to it, check it out with a free trial!
