The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Microsoft Teams HIPAA Compliant?

Microsoft Teams is HIPAA compliant and can be used to collect, store, share, or transmit electronic PHI if an organization subscribes to an appropriate Business Plan, if the platform is configured to support HIPAA compliance, and if members of the workforce are trained to use Microsoft Teams compliantly.

Microsoft Teams is a communications platform that includes secure chat, videoconferencing, and file sharing capabilities. The platform is widely used in business to “bridge the gap between in-person and remote teammates” and can ensure team members stay informed, organized, and connected. Microsoft Teams can also be integrated with hundreds of apps to enhance collaboration and streamline workflows.

Because of its advanced capabilities and integrations, Microsoft Teams is one of the top ten communication platforms used in the healthcare industry. The platform can be used for corporate communications, onboarding, training, and scheduling, and for conducting wellness checks with frontline workers – an engagement activity that is practically essential in the healthcare industry at present.

When these uses do not involve the collection, storage, sharing, or transmission of electronic PHI, the question "is Microsoft Teams HIPAA compliant?" does not apply, because the platform does not have to be HIPAA compliant to conduct corporate communications, onboarding, training, etc. However, if electronic PHI is collected, stored, shared, or transmitted via the platform – or via any app integrated with the platform – it is important that covered entities – and business associates where applicable – know how to make Microsoft Teams HIPAA compliant.


How to Make Microsoft Teams HIPAA Compliant

No software is HIPAA compliant in itself. How software is configured and used determines compliance, so it is important covered entities and business associates understand the capabilities of the software before deployment – and also understand what features the software may be lacking. For example, many software solutions claiming to be HIPAA compliant lack an automatic logoff feature (a technical safeguard under the Security Rule) because the devices on which they are deployed are expected to be configured to log users out after a period of inactivity. Where the software does not provide the control, the organization must verify that the device or operating system does.

With Microsoft Teams, HIPAA compliance can also be reliant on which business plan an organization subscribes to. The Teams platform is included in most business plans (i.e., not Office Home or Apps for Business), but varies in capabilities between plans. For example, two of the three “Frontline” business plans lack full identity and access management controls, and only the Microsoft 365 and Office 365 E5 business plans include the Teams Phone System by default.

While these potential shortcomings can be overcome by subscribing to add-on licenses, this means that both the platform and the add-on must be configured correctly to comply with the technical safeguards of the Security Rule. This increases the complexity of making Microsoft Teams HIPAA compliant and increases the risk of an inadvertent HIPAA violation or data breach. The same applies to any other app integrated with the Teams platform: each integration is a further component that must be covered by the risk analysis and configured consistently with the rest of the deployment.

Why How the Platform is Used is Important

With most software solutions that support HIPAA compliance, once they have been configured to comply with the technical safeguards of the Security Rule, the risk of an inadvertent violation or data breach is relative to what they are used for and how they are used. What Microsoft Teams is used for, and how it is used, is particularly relevant in the context of answering the question is Microsoft Teams HIPAA compliant – especially with regards to interactions with patients.

Because of the platform’s capabilities, Microsoft Teams can be deployed to schedule, manage, and conduct virtual telehealth consultations with patients. It is even possible to connect Microsoft Teams to certain types of EHR (subject to prerequisites) so healthcare professionals can launch virtual consultations with patients from the EHR, and so patients can request virtual appointments with healthcare professionals via a covered entity’s healthcare portal.

Conducting virtual telehealth consultations can increase the risk of HIPAA violations if the identity of the patient is not verified or if the patient is in a location in which it is impossible to guarantee the confidentiality of PHI (there are many real-life examples). It is important that healthcare professionals using Microsoft Teams to conduct virtual telehealth consultations use good judgement to ensure disclosures of PHI are permissible under the Privacy Rule.

Other Considerations to Take into Account

Microsoft Teams has a Data Loss Prevention (DLP) safeguard which can prevent sensitive data from being shared with individuals who attend a meeting as a guest (as most patients would be). Depending on how this safeguard is configured, it can prevent healthcare professionals from permissibly disclosing PHI to patients. This may prompt healthcare professionals to use alternative, non-compliant telehealth services to communicate with patients – a workaround that bypasses every control the organization has put in place.

It is also important to be aware that, by subscribing to a Microsoft 365 or Office 365 business plan, healthcare providers automatically accept Microsoft's Business Associate Agreement. Microsoft will not enter into individual customers' Business Associate Agreements; so, if a covered entity does not like the terms of Microsoft's Business Associate Agreement, the options are either to accept them as they are, or to look for another communications platform to use.

One further consideration is that covered entities must subscribe to a business plan in order to use Teams under a Business Associate Agreement and the business plan must include licenses for all users. This can make it very expensive to provide telehealth services via Microsoft Teams if the platform is only utilized by a few users or the plan includes multiple analytics, insight, and management capabilities the covered entity will pay for, but never use.

Is Microsoft Teams HIPAA Compliant? Conclusion

While it is possible to make Microsoft Teams HIPAA compliant by subscribing to the right plan and configuring the platform to comply with the technical safeguards of the Security Rule, there are a number of considerations to take into account before adopting Microsoft Teams as a communication channel through which electronic PHI is collected, stored, shared, or transmitted.

These include the confidentiality of PHI during virtual telehealth consultations (this could apply to any telehealth platform), the risk that a user might use a non-compliant alternative to Microsoft Teams to circumvent Data Loss Prevention controls, the non-negotiable terms of Microsoft's Business Associate Agreement, and the cost of subscribing to a business plan which may include capabilities that will never be used.

For many organizations, there are cheaper options. However, some have known security issues, while others are reported to have connectivity issues. Covered entities and business associates are advised to conduct thorough due diligence on any potential communications software to ensure it supports HIPAA compliance, and to ensure it is easy to configure and use in compliance with HIPAA.

Is Microsoft Teams HIPAA Compliant? FAQs

Can covered entities use Microsoft Teams if the platform is not configured to be HIPAA compliant?

Covered entities can use Microsoft Teams if the platform is not configured to be HIPAA compliant, provided it is not used to collect, store, share, or transmit electronic PHI. If the platform is used to collect, store, share, or transmit electronic PHI, it must be configured to be HIPAA compliant and users should receive training on how to use the platform compliantly.

If a Teams business plan lacks the controls required for compliance, what can covered entities do?

If a Teams business plan lacks the controls required for compliance, covered entities usually have the option of purchasing the controls as an add-on or subscribing to "Security" and/or "Compliance" plans with the controls included. Please note that, if subscribing to a Security and/or Compliance plan, it will be necessary to acquire licenses for all users in the primary plan.

Which EHRs support Microsoft Teams integration?

The EHRs which support Microsoft Teams integration are Oracle Health (version November 2018 or later) and Epic (also version November 2018 or later). Please note that, to integrate Microsoft Teams with a compatible EHR, it is necessary to have a subscription to Microsoft Cloud for Healthcare or the Microsoft Teams EHR Connector. The integration process takes 8-10 days, plus you should allow several more days for testing.

Why might the Data Loss Prevention safeguard be an issue?

The Data Loss Prevention safeguard might be an issue because the purpose of the safeguard is to block sensitive information from being shared with Microsoft Teams users who have guest access to teams or channels, or external access to meetings and chat sessions. Most healthcare providers will likely only provide patients with guest or external access, for security reasons.

While this safeguard prevents impermissible and unauthorized disclosures via the Teams platform, it also means healthcare providers will be unable to share test results, images, and other files with patients unless patients are temporarily registered as Team members. Not only might this be too much of an administrative burden, but the added complexity could result in HIPAA violations.

If a patient requests a telehealth consultation via Microsoft Teams, but their healthcare provider does not have a Microsoft business account, is it okay to use a personal Teams account to communicate with the patient?

If a patient requests a telehealth consultation via Microsoft Teams, covered health care providers "must accommodate reasonable requests" under §164.522 of the Privacy Rule. In this case, the request is not reasonable because personal Teams plans (both paid plans and free plans) lack the security features required to comply with the technical safeguards of the Security Rule.

Additionally, it is necessary for a Business Associate Agreement to be in place before PHI is communicated via the platform, and Microsoft will only enter into Business Associate Agreements with subscribers to its business and enterprise plans. It is not okay for a healthcare provider to use a personal Teams account to communicate with a patient.

Why will Microsoft not sign a covered entity’s Business Associate Agreement?

Microsoft will not sign a covered entity's Business Associate Agreement because it offers "hyperscale, multi-tenanted services that are standardized for all customers". Due to the number of customers (covered entities) that use Microsoft services, it would be impractical for Microsoft to adapt its services to meet the requirements of each individual customer.

Why might a covered entity not like the terms of Microsoft's Business Associate Agreement?

A covered entity might not like the terms of Microsoft's Business Associate Agreement due to ambiguous language pertaining to permitted uses and disclosures (by Microsoft), the refusal to report all security incidents to covered entities (contrary to the business associate contract requirements of §164.314), and the failure to respond to patient access requests (because Microsoft does not maintain PHI in designated record sets).

Is it worth upgrading from Skype for Business to Microsoft Teams?

It is worth upgrading from Skype for Business to Microsoft Teams only if your organization will benefit from Microsoft Teams' additional capabilities and integrations. If you are only using Skype for Business for telehealth, your organization will already be subscribing to a business or enterprise plan and be covered by Microsoft's Business Associate Agreement, so it may not be worth upgrading.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
