Blog Post

Healthcare and Life Sciences Blog
4 MIN READ

Virtual health with a HIPAA BAA in place automatically

evanw's avatar
evanw
Icon for Microsoft rankMicrosoft
Aug 06, 2021

 

As part of efforts to improve access to care and the quality of care, your health organization may be looking to take advantage of a cloud communication and collaboration platform for virtual visits and streamlined care team collaboration. But you need to do so in a way that helps you meet compliance requirements—such as having a Business Associate Agreement (BAA) in place with your cloud service provider as may be required by the Health Insurance Portability and Accountability Act (HIPAA) and its regulations.

 

HIPAA regulations require that covered entities and their business associates that have access to protected health information (PHI)—such as cloud service providers that process PHI on their behalf—enter into a BAA to ensure that those business associates will appropriately safeguard PHI.

 

A HIPAA BAA process so simple it’s automatic

With Microsoft Teams, your health organization can enable seamless virtual visits and collaboration experiences with a HIPAA BAA automatically in place. Our covered entity or business associate customers are able to enter into a HIPAA BAA by default for Microsoft in-scope cloud services as part of their enterprise or business licensing agreement.

 

Microsoft Teams is an in-scope cloud service for the Microsoft HIPAA BAA since it’s part of the Office 365 suite, which is also included in Microsoft 365 plans. So when your health organization purchases business or government cloud services that include Microsoft Teams, you don’t need to take any additional action to obtain or sign a HIPAA BAA. A standard BAA will be included by default in the Data Protection Addendum of Microsoft License Terms for Online Services.

 

Microsoft carefully created a standard BAA to meet the needs of all our healthcare customers in the U.S. We collaborated with leading medical schools and their privacy counsel, as well as other public- and private-sector health organizations and HIPAA-covered entities.

 

Transparency and accountability

In addition to streamlining the HIPAA BAA process, we support our healthcare customers’ compliance by being transparent and accountable. We recognize it’s important to our customers to understand our controls and processes, and to have assurances of our operational compliance.

 

In our BAA, Microsoft makes contractual assurances about data safeguarding, data access, and reporting in accordance with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

 

All Microsoft services covered under the BAA have undergone audits such as ones conducted by accredited independent auditors. For instance, our ISO/IEC 27001 audit scope includes controls that address HIPAA security practices.

 

Independent audit reports of Microsoft cloud services are available on our Service Trust Portal. There you can find multiple ISO reports for Office 365, the Office 365 HITRUST CSF Assessment Report, the Office 365 HITRUST Letter of Certification, and the Office 365 HITRUST Customer Responsibility Matrix—as just a few examples.

 

Learn how to access and use the Service Trust Portal.

 

Shared responsibility

By offering a BAA, Microsoft helps to enable and support your compliance with HIPAA requirements. However, your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Microsoft Teams and other Microsoft services aligns with applicable regulatory requirements.

 

To help you with that, we offer a wealth of data protection resources such as whitepapers, FAQs, and risk assessment tools on our Service Trust Portal.

 

For example, there you can find the “Microsoft Teams Customer Considerations and Tools for HIPAA Compliance” whitepaper that Microsoft published recently to help healthcare customers. This whitepaper provides details useful to both technical and non-technical audiences with responsibility for HIPAA compliance.

 

We also offer a HIPAA Assessment for Office 365 in Microsoft Compliance Manager, a feature of the Microsoft 365 compliance center. It’s intended to help customers understand their compliance posture and provides step-by-step guidance to assist with implementation and maintenance of data protection controls that support HIPAA compliance. Learn more about the Microsoft 365 compliance center.

 

Enhanced security protection

In addition to supporting your compliance with HIPAA and other regulations, Microsoft Teams and Microsoft 365 can help you strengthen safeguards for your patient data, which is essential in today’s rapidly evolving cybersecurity landscape. With built-in security features, you can enable proactive protection for patient information and access control, while at the same time reduce costs through streamlined data governance.

 

Microsoft is committed to helping health organizations take a holistic approach to protection, detection, and response to security threats and cybercrime—with proven built-in data governance and privacy capabilities, a wide array of certifications, threat research and monitoring through our Cyber Defense Operations Center, and the more than $1 billion we invest in security, data protection, and risk management each year.

 

Earned trust

Those are among the reasons our healthcare customers such as St. Luke’s University Health Network (SLUHN) trust Microsoft Teams to help them not only transform care but protect their patients’ data.

 

“Even as we look to secure text messaging as one of the advantages of the ubiquitous cell phone, we still have to comply with HIPAA and other privacy requirements,” says James Balshi, MD, Chief Medical Information Officer and Vascular Surgeon at SLUHN, in the Teams chapter of the multi-part series chronicling St. Luke’s digital transformation journey. “But we don’t have to worry about that with Teams. It’s equally functional on the smartphone, tablet, and desktop computer. I use the camera technology on the phone to share patient information in a more secure and HIPAA-compliant manner with colleagues during a Teams video call. I’ve also shared EMR notes and X-ray images.”

 

You can find out how SLUHN uses Microsoft 365 security and compliance solutions to simplify its compliance and improve data protection in the Security chapter and video, plus how it brought back house calls for patients in the virtual visits chapter and video.

 

Next steps

Read the “Microsoft Teams Customer Considerations and Tools for HIPAA Compliance” white paper

Learn more about Microsoft and the HIPAA and HITECH Act

Learn more about Microsoft 365 and healthcare

Learn more about Microsoft Teams and healthcare

Explore the right Teams virtual visit solution for your organization

Updated Aug 09, 2021
Version 2.0
No CommentsBe the first to comment