What Does it Take to Make Microsoft Teams HIPAA Compliant?

To make Microsoft Teams HIPAA compliant, it is necessary to select a plan with the capabilities to support compliance, configure the platform to meet the requirements of the Security Rule, and train members of the workforce how to use Microsoft Teams in compliance with HIPAA. It is also necessary to accept the terms of Microsoft’s Business Associate Agreement.

Many businesses in the healthcare industry take advantage of Microsoft Teams’ capabilities and integrations to improve internal communications, enhance collaboration, and streamline workflows. However, when the platform is used to collect, store, share, or transmit Protected Health Information (PHI), it must be used in compliance with HIPAA.

Making Microsoft Teams HIPAA compliant is not as simple as adjusting a few access controls or entering into a Business Associate Agreement (BAA) with Microsoft. Some Microsoft plans do not include the capabilities to support HIPAA compliance, while the terms of the BAA will not be acceptable to every organization. Plus, for some organizations, these issues are just the beginning.

The Complexity of Microsoft Plans

The complexity of Microsoft plans is the first obstacle Covered Entities and Business Associates have to overcome when making Microsoft Teams HIPAA compliant. There are four standalone subscription options for Microsoft Teams (excluding personal, family, and home office plans), plus the platform is included in eight business plan bundles and the Microsoft Cloud for Healthcare service.

Not all of these options support HIPAA compliance due to a lack of security measures. Some business plans allow organizations to purchase add-ons or subscribe to “security plans” in order to bring the plans up to the required standard. Alternatively, Covered Entities and Business Associates may be able to integrate the necessary security measures from other compatible security solutions.

Configuring the Platform to be HIPAA Compliant

The complexity of configuring Microsoft Teams to be HIPAA compliant can create problems for system administrators unfamiliar with the platform due to the number of capabilities and integrations an organization may want to use. Security has to take precedence over usability – especially if the platform is going to be connected to an EHR or healthcare portal.

Connecting Microsoft Teams with EHRs has been an option since Microsoft launched the EHR Connector in 2021. Not only does this capability allow healthcare professionals to schedule Teams telehealth consultations via the platform, but it also allows patients to request telehealth appointments via a healthcare portal – potentially resulting in increased verification challenges.

Using Microsoft Teams in Compliance with HIPAA

Verification is just one of the challenges of using Microsoft Teams in compliance with HIPAA. Some configurations of Microsoft Teams can also create challenges – such as the Data Loss Protection feature, which can prevent healthcare providers from sharing sensitive information with patients and may prompt the use of insecure communication channels to share test results, images, etc.

Additionally, when communicating via the platform, it can be difficult to ensure conversations remain confidential. There are numerous threads on the Internet where healthcare professionals have shared their experiences of trying to conduct telehealth consultations in difficult circumstances. Although this challenge is not unique to Microsoft Teams, it is an important consideration for healthcare providers before adopting any communications platform for telehealth purposes.

The Terms of Microsoft’s Business Associate Agreement

Microsoft refuses to sign customers’ Business Associate Agreements because it offers “hyperscale, multi-tenanted services that are standardized for all customers”. Due to the number of healthcare organizations that use Microsoft’s services, it would be impossible for Microsoft to tailor its services to meet the requirements of each individual healthcare organization or Business Associate.

However, the terms of the BAA may be contentious for some Covered Entities. For example, Microsoft refuses to respond to patients’ access requests or report unsuccessful security incidents to Covered Entities, and does not permit Covered Entities to store PHI in cloud directories. As the BAA is entered into automatically when a healthcare organization subscribes to a Microsoft business plan, Covered Entities only have two options – accept the terms of the BAA or cancel the subscription.

Is It Worth Making Microsoft Teams HIPAA Compliant?

For many Covered Entities and Business Associates, making Microsoft Teams HIPAA compliant is worth the effort if the organization is already invested in other Microsoft tools and services. However, for organizations using communication and collaboration tools from other providers, what it takes to make Microsoft Teams HIPAA compliant may be more effort than it is worth.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA