Like many other businesses, healthcare organizations continue to search for ways to work with employees and customers through enhanced mobility and collaboration.
While working through the cloud provides greater reach and access, connecting online puts these businesses at greater risk for exposure, data leaks and targeted attacks from cyber criminals, particularly if employees are using their own personal devices. And healthcare organizations must remain HIPAA compliant throughout this sharing and collaborative process.
As part of Microsoft 365, Teams can be used in a HIPAA-compliant manner, and it includes a range of security features for keeping electronic protected health information (PHI) secure. However, those features on their own do not automatically make Microsoft Teams HIPAA compliant.
It is your responsibility, as end users and as an organization, to implement and utilize those security features on an ongoing basis to ensure HIPAA compliance.
HIPAA Compliance Requirements
HIPAA regulations impose standards in five categories:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
- Documentation requirements (policies and procedures)
Using these standards, healthcare organizations are required to:
- Ensure confidentiality, integrity and availability of all PHI
- Regularly review system activity records
- Establish, document, review and modify user access
- Monitor login attempts and report any discrepancies
- Identify, respond to and document security incidents
- Obtain assurances from vendors before exchanging PHI
Microsoft Features to Ensure HIPAA Compliance
Microsoft Teams’ security features do check all of the necessary boxes to ensure HIPAA compliance, provided that you configure them according to HIPAA standards.
Specific Microsoft features that should be properly configured include:
- Login controls. These include single sign-on (SSO) and two-factor authentication settings that secure access to your network, as well as the ability to log users out automatically after a specified period of inactivity.
- Audit logs. Auditing events can be delivered as regular alerts and reports, which serve as documentation for HIPAA compliance.
- Data encryption. This is not limited to data transfers between coworkers or otherwise within the network. Data at rest — information sitting in files or storage — also must be encrypted. This means the data cannot be downloaded to a flash drive or shared in public settings unless the user has permission.
- Email filtering. Using Exchange Online Protection (part of Microsoft 365), all email is filtered for spam and malware. Additional settings allow you to block specific senders and divert questionable messages to quarantine for your review before they reach an inbox.
- Data storage for potential legal claims. Microsoft Teams offers two settings to collect and retain data that may be needed in the event of a lawsuit. With Legal Hold, Teams retains the information indefinitely so you can recall it if needed. With Litigation Hold, all data (even after deletion) is retained indefinitely, and access is limited to administrators.
Microsoft Teams Users Must Partner with Microsoft
While Microsoft Teams offers a number of features to help users remain HIPAA compliant, using the program alone is not enough to ensure compliance. To be fully HIPAA compliant, any organizations handling PHI must enter into a business associate agreement, or BAA, with Microsoft.
A BAA details and limits how Microsoft handles PHI, and documents both the healthcare organization’s and Microsoft’s roles in following the security and privacy provisions outlined in HIPAA and the HITECH Act (which focuses on the individual’s right to control the use of their personal information). This BAA is required for Microsoft to process and store PHI.
As long as the BAA is obtained, Teams can be regarded as HIPAA compliant, but your responsibility remains to ensure that the platform continues to be utilized in HIPAA-compliant ways.
Additional Items Needed for HIPAA Compliance
Enabling security features to operate Microsoft Teams in a HIPAA-compliant manner and having a signed, current BAA with Microsoft are good first steps to ensure HIPAA compliance for your healthcare organization. Other steps you can take include:
- Appoint a HIPAA compliance, privacy and/or security officer to direct and monitor your HIPAA compliance program.
- Know the required annual audits and assessments for your healthcare business and conduct those as required.
- Conduct and document regular HIPAA training sessions for all employees. This should include reporting procedures for breaches.
- Set up a remediation plan, and test, review and update it at least once a year.
- Review your BAA with Microsoft each year to ensure it is up to date.
HIPAA compliance remains a top priority for all healthcare organizations, and it’s essential to the security of your data and network. Working with an IT service provider like CoreTech can help you not only navigate the complexities of meeting HIPAA regulations but also implement strategies to protect your data and network. Our expert team is well versed in keeping your systems up to date so that your HIPAA compliance is never in doubt.
To find out more, contact us today to discuss your HIPAA compliance needs and see how we can help customize a solution that best serves your healthcare organization.