Microsoft Office 365 Hipaa Compliance


Liora Putcha

Aug 4, 2024, 7:20:43 PM8/4/24
to scaraxalge
To fight these challenges, all healthcare organizations need to implement HIPAA compliance mechanisms into their cyber defense strategy. This blog post tackles the strategies and tactics that companies using the Office 365 platform have at their disposal to comply with HIPAA regulations.

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.


A key component of HIPAA compliance is the demonstration of appropriate internal IT controls. These controls should be designed to mitigate risk and create safeguards for legally protected health information stored and transmitted in electronic form (ePHI). ePHI is defined in HIPAA regulation as any protected health information that is created, stored, transmitted, or received in any electronic format or media.


At a high level, the HIPAA Privacy Rule ensures individuals have minimum protections under the law. The HIPAA Security Rule, however, requires healthcare organizations to perform specific security actions such as:


Microsoft has largely focused on security and has the following global, regional, US, and industry certifications. That being said, Microsoft 365 and Teams can easily be configured to support HIPAA security and privacy requirements.


On top of that, other security mechanisms, such as data loss prevention services, security incident and event management, data classification, and encryption for data at rest, are built into the Microsoft 365 cloud centrally.


Microsoft recommends companies develop policies on evaluating, adopting, and using cloud services to minimize inconsistencies and vulnerabilities that attackers can exploit. Companies should ensure that governance and security policies are updated for cloud services and implemented across the organization:


IT administrators in your company have control over the cloud services and identity management services. Therefore, your security officers and IT managers must ensure consistent access controls such as monitoring:


As an organization, you own your data and control how it should be used, shared, updated, and published. As a part of your governance processes, you should classify your sensitive data and ensure it is protected and monitored with the appropriate access controls wherever it is stored and in transit.


By leveraging the Microsoft 365 E5 business subscription, organizations can access a host of tools, such as the aforementioned Azure Information Protection (AIP) tools. Azure Information Protection controls Exchange and SharePoint files, messages, calls, and meetings.


For example, with AIP, you could easily choose which internal and external users can edit, print, copy, and send documents. Your administration team can apply these choices automatically through SharePoint, or the user can do it in SharePoint and Outlook.


It also allows you to revoke access to a document after granting permission. You can do it either manually or schedule it for a fixed date. For instance, you may wish to only allow an external user access to a document during the lifetime of a project or a sales proposal.


See who has access to which document, site, or team. Use built-in filtering to understand the security for any file within your Office 365 environment. Find users who have access to a specific file or folder (where the sensitive data is usually stored) and check who they are and how they obtained their access. Add or remove a user from multiple sites, teams, and groups at once.


Monitor activities of external and guest users, see how they interact with your Office 365 content, and track their permission changes. Remove external users in bulk directly from the report.


Review all sharing settings on a tenant level and check where the external sharing is enabled. See which type of sharing is enabled (anonymous or authenticated), and which content is potentially vulnerable to security breaches. Revoke sharing directly from the report.


Check which content has unique permissions due to uncontrolled sharing. Decide which unique permissions can remain and which need to be managed. If necessary, restore permissions inheritance right from the report.


Find if files were shared with anonymous users and guest users from different departments or outside the company. See when the sharing links were created, when they expire, and what type of rights they give. Remove them with just one click to maximize the security of your environment.


Automate access evaluations by asking sites, Microsoft Teams, and Microsoft 365 Groups owners to review the access to their services. Ensure they verify access of their users regularly and ensure there are no permissions breaches or non-authorized activity on sensitive files.


See who are the privileged users in your tenant. Check where administrators, full-access roles, resource owners, and other powerful user roles have access. Make an informed decision whether they should keep their existing access, or if you wish to reduce it. If you wish to try Syskit Point before committing to it, check it out with a free trial!


For example, one of the requirements that is spelled out in the Health Insurance Portability and Accountability Act is that a covered entity must file incident reports whenever Protected Health Information (PHI) is shared inappropriately (either by accident or because of a breach).


Now, this gets a bit complicated, because some sharing of PHI is often necessary between providers, etc. and that is okay so long as they are protected with a Business Associate Agreement (BAA) and the other entity is following their own proper procedures. So that would be considered appropriate. But it would be inappropriate to accidentally forward documents containing personally identifiable information or PHI to the wrong individual, for example, whether internal or external.


Now according to HIPAA every breach minor or major needs to be recorded and kept on file. In the event of major breaches, the covered entity is required to report the details of the breach within a certain time frame of discovery. Minor breaches can often be handled internally, without a requirement to notify the feds.*


Well that could mean all kinds of things, and imply both physical and digital controls. So we started with a physical walk-through of the premises and I could not find any areas where I would have been concerned that someone would have gained unauthorized access to a physical port. Those areas that would have benefited were entirely within their business office and not connected to the clinic in any way. The switches themselves were completely locked up in a room that only two people in the organization have access to with an electronic key card. And the business office itself was not a place for the general public.


So instead, we focused on improving wifi security since the clinic is primarily dependent on wifi access. See what we did there? What is the control asking you to do, and how might you close the gaps that actually present risks in your unique business environment?


By upgrading everyone into M365 Business you will have access to a lot more security & compliance goodies than what you have with Business premium, or what you can get in E3. For example, Microsoft 365 Business just announced today that Conditional access is now included, which is huge. -365-Business-Blog/Conditional-Access-is-now-part-of-Microsoft-365-Business/ba-p/684063


Another great article Alex. How can a screen lockout be configured in an Office 365 cloud-only environment? I know Group Policy can be used on an on-premises Windows server, but is there a way to set it up in Office 365? I see so often that users leave their PCs powered on, do not log off, or do not use the lock option by pressing Ctrl-Alt-Del.


airSlate SignNow provides an abundance of out-of-the-box integrations to automate business-critical processes that involve documents. By incorporating Microsoft Office 365 or other available solutions into your daily workflows, you and your colleagues will have more time to concentrate on your key competencies, deliver an exceptional platform to your customers, and drive more leads.


Take advantage of the integration options airSlate SignNow provides and incorporate them into your daily processes without the need of writing a single line of code. Grow your operations, attract more qualifying leads, and take the guesswork out of document-based operations. Try airSlate SignNow now!


Our team of healthcare privacy professionals and HIPAA consultants have worked with privacy, security, and compliance officers across different types of healthcare organizations and are therefore well-equipped to help ensure that your organization remains HIPAA-compliant.



Were you aware that there are 29 policies that need to be in place to meet the minimum compliance standards set out by HIPAA? Our HIPAA and IT compliance experts will help you meet these standards by implementing the following IT security and support services within your practice:


HIPAA compliance presents a complex and ever-evolving landscape for healthcare providers. Navigating the intricate regulations and ensuring ongoing adherence can be daunting, especially for smaller practices with limited resources. Key challenges include:


The penalties for violating HIPAA regulations can be severe. In case of a willful violation of HIPAA rules, the minimum fine is $50,000. On the other hand, the maximum criminal penalty for violating HIPAA regulations by an individual is $285,000. You may also be required to pay restitution to the affected party. In addition to the financial penalty, you may have to undergo a jail term for criminal violation of HIPAA regulations.
