Email and Collaboration

Business Email and Collaboration

Microsoft 365: Exchange, SharePoint, Skype for Business, and more!

Microsoft Office 365 is a subscription service that combines familiar Microsoft Desktop Apps available on your own computer (Word, PowerPoint, Excel, Outlook, OneNote and Publisher) with a set of web-enabled tools (Lync web conference, Exchange email for business, and additional online storage with OneDrive). It also features Office on Demand, which streams live versions of these familiar productivity tools directly to any computer with Internet access so that you can work with all of the Microsoft Apps and tools from any location and on any device. With Office 365, you also benefit from automatic upgrades and patches, so your business is always working with the latest versions of software.

Plans and Pricing

¹ Compare all Office 365 plans here.

² Business plans require monthly commitment. All Enterprise plans require annual commitment.

³ Additional limitations are listed here.

⁴ A default quota of 100 GB is set on the archive mailbox, which will generally accommodate reasonable use, including the import of one user's historical email. In the unlikely event that a user reaches this quota, a call to support is required.

⁵ While we offer 24/7/365 immediate support for all issues, Microsoft only provides phone support for critical issues. For more details, refer to: Comparison: Tech Advantage Microsoft Hosted Products vs. Microsoft Office 365.

Office 365 - HIPAA and HITECH Compliance

What is HIPAA/HITECH?

HIPAA and the HITECH Act are U.S. federal laws that apply to healthcare companies, including most doctors’ offices, hospitals, and health insurers. They establish requirements for the use, disclosure, and safeguarding of individually identifiable health information.

Whom does HIPAA/HITECH law apply to? Who needs to be HIPAA compliant?

HIPAA and the HITECH Act apply to healthcare companies, including most doctors’ offices, hospitals, and health insurers. HIPAA and the HITECH Act also require these covered entities to sign written agreements (called business associate agreements or BAAs) with their service providers who provide certain functions using individually identifiable health information. BAAs impose privacy and security obligations on those service providers.

Is Office 365 HIPAA compliant?

Since Microsoft© has obtained the required compliance certifications, Office 365 has the ability to be HIPAA compliant, but to really take advantage of it, you need a certain level of account.

With Office 365, data is encrypted at rest and in transit for email. So as a cloud email provider, any of the Office 365 plans should be suitable to use for transmitting ePHI (electronic protected health information) within the organization. Any emails transmitted between internal accounts meet the requirements because they never leave the encrypted environment and are accessed only by authorized persons.

When sending outside of Office 365, to external recipients outside your organization, you still will require some sort of email encryption. You can add this encryption add-on feature to your Office 365 plan or if you have purchased the E3 Enterprise plan of Office 365, it's already included.

If you plan on sending ePHI internally, however, then you must also archive the messages and have a way to log and audit / search them. You can accomplish this requirement by adding on a third-party archiving service or adding on the one that Microsoft offers for Office 365 (also included with the #3 Enterprise plan).

To comply with HIPAA and the HITECH Act, a customer may need to sign a written agreement with Microsoft (called a business associate agreement or BAA) that complies with HIPAA’s and the HITECH Act’s requirements. Customers requiring a BAA should sign the BAA after the customer signs its standard agreement(s) with Microsoft for the service but before uploading or transferring health information to the service.

While customers can use Office 365 and remain compliant with HIPAA and the HITECH Act, using Office 365 does not on its own achieve HIPAA compliance. Your organization also needs to ensure it has taken appropriate steps to meet HIPAA’s and the HITECH Act's requirements, including using the Office 365 service appropriately, training your employees to do the same, and having a compliance program and proper internal processes in place. To assist customers with this task, there is a HIPAA Implementation Guidance by Microsoft. The guidance describes concrete steps your organization should take to maintain HIPAA and HITECH Act compliance while using Office 365. Additionally, for more in-depth details about Microsoft's approach to HIPAA and the HITECH Act, you may view the HIPAA white paper by Microsoft.

What does Office 365 do if there is a security incident involving a customer who has a signed HIPAA/HITECH Act BAA?

If Microsoft becomes aware of a security incident, we will both report this according to our standard notification procedures and, if the security incident involved HIPAA-protected health information, we will also report the incident to the individual administrator that the customer has identified as its HIPAA administrative contact.

Are all online and hosted email services HIPAA compliant?

Free web mail services like Gmail, Yahoo! Mail, Hotmail, and those provided by an Internet Service Provider are not secure and no electronic Protected Health Information (ePHI) should be sent through these systems, either in messages or attachments. In 2012, an Arizona medical practice paid a $100,000 penalty for sending mail from an Internet-based e-mail account. They also used a publicly-accessible online calendar for patient scheduling.

There are HIPAA compliant e-mail systems that use secure mail servers, and solutions that allow you to encrypt messages you can send to anyone. Some Cloud-based solutions are secure and the providers will sign Business Associate Agreements which makes your relationship HIPAA compliant.

If your practice is using a web mail service to send patient information, STOP NOW, because every message you send is a data breach. To get the right solution talk to a certified IT professional who understands HIPAA.

Do all emails with patient data need to be encrypted?

No. E-mail sent desk-to-desk within your organization using a secure server on a secure network does NOT have to be encrypted. E-mail going to a remote office on your wide area network should be protected by encryption used to set up the secure ‘tunnels’ through the Internet between locations. You can also use dedicated secure circuits that do not go through the Internet. Never send unencrypted e-mail containing patient information to a doctor, any member of your workforce, or a Business Associate at their personal or business address outside of your network.

Can I send a patient their medical information if they use a free web mail service?

You can, based on recent guidance from the US Department of Health & Human Services. As long as you are using a secure e-mail system on your end, the HIPAA Omnibus Rule released in January says that if a patient asks you to send them information at a Gmail, Yahoo! Mail, Hotmail (or similar) account, you should inform them that their system is not secure and ask if they still want the information sent to them. If they say yes, it is HIPAA compliant to do this. Be sure you document your conversation and their approval.

FROM THE HIPAA OMNIBUS FINAL RULE (page 5634) — We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.

Do I need to encrypt all email 'at rest' (stored on a computer)?

No. While two HIPAA sections (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)) say that data must be encrypted, this requirement is Addressable and not required.

Be warned that if you lose a device containing unencrypted ePHI, it is reportable and you can pay a hefty fine, like Massachusetts Eye & Ear Infirmary did in 2012. If a device containing ePHI is encrypted and is lost, you don’t have to report it.

Don’t think that the only computers that are stolen are laptops and portable devices. The HIPAA 'Wall of Shame' listing data breaches has a number of servers listed that were stolen from offices. If you really want to protect the data and protect your organization from fines and embarrassment, every device you own that stores patient data should be encrypted, even though it is not required.

Our company accepts no liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided, unless that information is subsequently confirmed in writing. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. The information provided in this email is not intended to be construed as legal advice and should not be used as a substitute for the advice of competent counsel. Please consult your attorney if you have any questions regarding a particular legal problem or need.