A HIPAA Business Associate Agreement (BAA) isn’t just a way to be extra-sure your partner is protecting your customer’s privacy or complying with HIPAA — it is the bare minimum required by law. With a few exceptions (such as your ISP), everyone who has access to your patient’s information needs to sign a BAA, including email providers like Microsoft Outlook.
Is Outlook HIPAA compliant? For most versions, no — at least not by itself. But don’t upend your whole cloud strategy yet. By adding an extra layer of client-side encryption from a secure email provider like Virtru Pro, you can make Outlook HIPAA compliant, and secure.
Is Ordinary Microsoft Outlook HIPAA Compliant?
Microsoft considers Outlook a consumer service, and does not endorse it for compliance regimes like HIPAA. There are a lot of versions of MS Outlook and none of them are HIPAA compliant on their own. The Office of Civil Rights (OCR) has been inspecting business associate relationships closely, so using an email service out of compliance poses an unnecessary risk of regulatory enforcement. Unless you can take email completely out of scope (e.g. by ensuring your workers never use email to communicate sensitive information), you need to make sure it is covered.
And even if you make a policy against sharing PHI over email, all it would take is one patient communication sent through Outlook instead of your secure portal to put you out of compliance, and put your patient’s privacy in jeopardy. It’s not worth the risk.
Is Microsoft Exchange HIPAA Compliant?
Microsoft Office 365 and its components like Microsoft Exchange Online are HIPAA compliant, and Microsoft will sign BAAs with covered entities using these products. Microsoft Exchange uses TLS — a type of point-to-point encryption commonly used in email, and other secure connections (See the “https” in the beginning of this blog’s address? That means this page is protected by TLS).
However, although Exchange Online is a HIPAA compliant email service, it isn’t safe enough by itself. TLS depends on the servers it travels through to work. If your email recipient doesn’t support TLS, or your message goes through a broken, hacked, or poorly configured server, an attacker can gain access to it, potentially breaching Protected Health Information (PHI).
Virtru makes Outlook HIPAA compliant email by providing a second layer of data-centric encryption. When you use Virtru to encrypt email in Outlook, your Virtru client encrypts messages before they are sent, and only decrypts them when your recipient opens it. This means no third party (including Microsoft or Virtru) ever has access to the content of your secure email. A Virtru BAA can protect you from a compliance perspective, allowing you to keep using Outlook. Additionally, you’ll have the benefit of stronger, client-side encryption, meaning your message can’t be intercepted and read in transit.
Virtru Pro Helps You Comply with HIPAA
Virtru Pro allows you to benefit from the convenience of Microsoft Outlook, without sacrificing security or compromising compliance. To learn more, check out our free guide to HIPAA Compliance in the Cloud.