Organizations that handle healthcare data, whether they are covered entities (healthcare providers, plans, or data clearinghouses) or their business associates, must meet the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA and HITECH (the Health Information for Economic and Clinical Health Act of 2009) are US federal laws that created regulations related to how sensitive personal health data is used and disclosed (essentially in an effort to protect it and make it accessible to patients). It is necessary for doctors, hospitals, health insurers, and other healthcare organizations to meet the stipulations within these laws and to have the responsibilities within the relationship defined by a business associate agreement (BAA). The BAA contract is important because it clarifies all aspects of data creation, storage, receipt, and transmission so that accountability is possible for all privacy and security concerns.
But within these requirements, covered entities will likely be using some sort of word processing or document creation software suite, such as Office 365 or G Suite. Which one is better suited to maintaining HIPAA compliance according to the standards above?
This article looks at two perspectives, one advocating each of the two systems, before going through the specifics and process for implementation of each environment.
Office 365 more directly geared toward compliance (CloudSecureTech)
CloudSecureTech gives pros and cons of both of these environments. The take from that publication is that Office 365 is better suited for compliance. Their evidence is that Microsoft has a pledged commitment in place to protect student anonymity – meaning that they are dedicated to academic compliance.
Additionally, Microsoft meets the needs of law enforcement to background check all of their personnel who are able to see user content within Skype for Business Online, Exchange Online, SharePoint Online, and other areas. There is no such pledge by Google, per CloudSecureTech.
G Suite preferable for healthcare data (DuoCircle)
While CloudSecureTech clearly sees a greater security and compliance stance from Microsoft than Google with these suite products, email protection service DuoCircle thinks Google has a stronger approach.
DuoCircle took issue with the language that Microsoft uses in its user agreements which states that it is not responsible for any issues with compliance through Office 365 or anywhere else in its ecosystem.
“In terms of regulatory compliance,” states DuoCircle, “it appears that Google is a clear winner for its proactive approach, its robust regulatory compliance efforts, and not declaring it cannot be held responsible for gaps in regulatory compliance.
HIPAA-compliant setup within Office 365
Important note: You will see sometimes a statement that a given technology or environment is HIPAA compliant; in that sense, CloudSecureTech says that “[w]hile Office 365 meets HIPAA compliance, Google Apps users have to deactivate Additional Services to be HIPAA compliant.” While a technology can be designed for compliance, it is ultimately a provider that either is or is not compliant – and that applies to your organization’s use of the service. Microsoft itself notes that while Office 365 and CRM Online can both be used in compliance with HIPAA and HITECH, clients of the tools must take steps in order to achieve compliance with the laws, part of which is using the systems appropriately, with training so that all staff members do so consistently.
In order to set up additional settings and rules that will allow you to maintain HIPAA compliance, you can use Exchange Online Protection (EOP), as is performed through data loss prevention (DLP) policies. Focusing on the EOP, it is a cloud-hosted service that safeguards your company by filtering email so that malware and spam do not get through. EOP also has the capability to protect a firm against any steps that would go against the organization’s messaging policy. According to Microsoft, this function makes it simpler to keep up with you internal software and hardware maintenance, and it also streamlines your messaging ecosystem management.
DLP policies are packages that contain transport rules, exceptions, and actions (various conditions) that filter your email messages, as designed when generated within the Exchange Administration Center (EAC). It is possible to have a DLP policy that you created but are waiting to implement. By pausing primary to implementation, you can test, keeping the mail flowing through as usual until you make any necessary tweaks.
Within Office 365, if you want to set up a DLP policy, you can go into the Exchange Admin Center > Compliance Management > Data Loss Prevention > “+” > “New DLP policy from template.” Once you have navigated to that screen, within the “Choose a template” pane, scroll and select “US Health Insurance Act (HIPAA).” The reference article “Create DLP Policy From a Template” can assist you.
The rules that are set up for HIPAA by default will use “Drug Enforcement Agency (DEA) Number” and “US Social Security Number (SSN)” as the keywords to trigger a flag while scanning your email. If you want to go beyond those two, you can add US Individual Taxpayer Identification Number (ITIN), US Driver License Number, US Bank Account Number, or US Passport Number. Beyond those elements, you could also create customized rules so that you could scan for Date of Birth or another factor. These rules could use text patterns of keywords to filter and meet compliance.
Microsoft notes that a business associate agreement is often necessary in order to meet with compliance for HIPAA and HITECH. That statement is in line with the rules from the HHS itself on relationships with cloud service providers; the HHS’s rules make it clear that you can set up a relationship with any cloud provider as long as you have a BAA to delineate responsibilities for the critical data at all points.
The steps of signing up for HIPAA compliant service on Office 365 is to first sign up for the service (at which point you sign a standard user agreement), sign a business associate agreement, and then move to migrate any ePHI.
If you want to use Office 365, below are important documents for your reference:
Note: It will be necessary for you to have administrative privileges within the account in order to access and sign the BAA.
When you go in to sign the Microsoft BAA, look it over by clicking on “Office 365 and CRM Online HIPAA/HITECH Business Associate Agreement [English].” Be certain that everything in the BAA looks right since you are ultimately responsible for your compliance. Click the checkbox beside the agreement. Now enter your full name and check the “Accept” box.
HIPAA compliance with G Suite & Cloud Identity
Like some of the strongest HIPAA compliant hosting services, Google has been certified and audited to meet various security standards (such as those from the International Organization for Standardization, or ISO, and American Institute of CPAs, or AICPA). The tech giant has clarified that its ecosystem can also be used to achieve HIPAA compliance.
As with Microsoft, Google notes the need for a BAA in order to keep any ePHI protected and to meet the regulations.
As is also made clear by Microsoft, Google does not want anyone using its system for any handling of ePHI that is in the absence of a signed BAA. The standard BAA that Google has available covers Google Drive, Gmail, Google Calendar, Google Cloud Identity Management, Google Vault, Google Sites, Google Cloud Search, Google Hangouts, Hangouts Meet, Hangouts Chat, and Jamboard – so it is very broad.
If you want to use G Suite with healthcare records, the below resources will be helpful. Google notes specifically that the documentation will aid organizations when they want to handle ePHI within the Google ecosystem, adding that the manual “is intended for employees in organizations who are responsible for HIPAA implementation and compliance.”
HIPAA compliant hosting for Office 365 or G Suite
Are you in search of a HIPAA-compliant environment for either Office 365 or G Suite? Whichever platform you choose, it will need to be backed by infrastructure that is also engineered to maintain the confidentiality of ePHI. HIPAA Compliant Hosting by Atlantic.Net is SOC 1 & SOC 2 certified and HIPAA & HITECH audited, designed to secure critical data and records. See our HIPAA compliant hosting solutions.