Considerations on HIPAA Compliance with G Suite and Microsoft 365
Companies that need to comply with the Health Insurance Portability and Accountability Act (HIPAA) have several considerations when it comes to the software they use.
If they choose a platform that’s not HIPAA compliant, they can face fines of $100 to $50,000 per violation and issues with client trust if they have a data breach of confidential patient information.
Third-party error is one of the top 3 causes of a data breach.
If you’re using a platform that states it is HIPAA compliant, you also have to ensure you have the right settings configured to properly protect and track protected health information (PHI).
Four key areas that are regulated in HIPAA include:
- Privacy, covering patient confidentiality
- Security, covering protection of patient information, physical and digital
- Identifiers, covering the types of information that cannot be released when collected for research
- Codes that are used for transmitting data electronically in healthcare-related transactions
Two of the most popular business productivity platforms are Microsoft 365 (formerly called Office 365) and G Suite. Healthcare facilities that use either will be happy to know that they both list HIPAA under their compliance certifications.
However, simply working with a cloud tool that is HIPAA compliant is just the first step. There are several other considerations when working with either of these tools to transmit or store PHI.
Microsoft 365 & G Suite HIPAA Compliance Details
When reviewing HIPAA as it relates to Microsoft 365 and G Suite, you want to keep in mind the main digital protection requirements under the regulation. Because, while the platform itself may be compliant with HIPAA, it’s up to the company using the platform to ensure properly configured settings and best practices are used by its employees.
Some of the requirements under the HIPAA regulation for healthcare organizations include:
- Protection of PHI: Ensuring that PHI remains confidential and that electronic health information is protected when it’s created, received, stored, and transmitted.
- Review System Activities: Healthcare providers should review system activity records, like access reports, to identify any potential security incidents.
- Physical Device Access: Organizations regulated by HIPAA need to know which employees and which devices have access to PHI and regularly review their access rights.
- Monitor: Login attempts to any protected information, including employee access to platforms like Microsoft 365 and G Suite, need to be monitored for suspicious activity.
- Incident Response: Organizations need to respond to security incidents as soon as possible as well as document and report them.
- BAA: Healthcare organizations need to obtain a Business Associate Agreement (BAA) from vendors that have any access to PHI to ensure they’re also complying with HIPAA guidelines.
Let’s take a look at considerations for Microsoft 365 and G Suite for HIPAA compliance.
BAA Agreement
Microsoft cloud services, including Microsoft 365, offer a HIPAA Business Associate Agreement via the Online Services Terms by default to customers that are covered entities or business associates.
Microsoft warns that simply having the BAA for Microsoft 365 doesn’t mean you’re automatically in compliance. Each organization is responsible for ensuring it has its own compliance program and internal processes in place to meet HIPAA guidelines.
G Suite offers customers a BAA through their platform as well. It has to be specifically signed by the system administrator, which is done by going to the Legal and Compliance area in the account settings and reviewing and accepting the Google Workspace/Cloud Identity HIPAA Business Associate Amendment.
There are several areas of the Google accounts where PHI is not permitted and won’t be protected. These include:
- Google Contacts
- Google+
- YouTube
- Blogger
- Google Photos
Best Practices for HIPAA in Microsoft 365 & G Suite
Ensuring the cloud platform that you’re using is HIPAA compliant is just one part of your responsibilities under the regulation. You need to ensure you’re configuring and using the tools in Microsoft 365 or G Suite correctly and according to your responsibilities under HIPAA.
Here are some tips on best practices to implement in either platform.
Use Multi-Factor Authentication
Using multi-factor authentication can stop 99.9% of fraudulent sign-in attempts, according to Microsoft. It’s an important account safeguard that prevents weak or breached passwords from being used on their own to gain access to your data.
Back Up Cloud Account Data
It’s important to back up all data in cloud accounts like Microsoft 365 and G Suite in a compliant backup and recovery system. Often companies think the cloud platform is the same as a backup, and it’s not.
Data in cloud services can be lost due to being overwritten, accidental or malicious deletion, ransomware, and more.
Use the Rule of Least Privilege
You reduce the risk of an insider attack by limiting which users have higher access privileges.
Only give users the lowest privilege needed to accomplish their work.
Use Security Features, Like Encryption and Audit Logs
Microsoft 365 and G Suite have message encryption capabilities, but you may need to turn them on. It’s a good idea to work with an IT professional who is familiar with Microsoft 365 or G Suite security settings to ensure you have the best configurations for HIPAA compliance.
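The "Review System Activities" and "Monitor" requirements listed earlier, and the audit-log point in this section, come down to actually reading sign-in records and picking out suspicious patterns. The script below is an added example (not code from the original article, from Microsoft, or from Google) that reviews a small set of constructed sign-in records and flags an account that accumulates five failed sign-ins within ten minutes, then flags a success that follows such a burst. The line format, the sample users and IP addresses, and the thresholds are all assumptions made for this example; real Microsoft 365 and Google Workspace audit exports use their own schemas, so the parser would need adapting.

```python
"""Review sign-in audit records for suspicious activity.

Added example. The record format below (ISO timestamp, user, source IP,
outcome) is a constructed, generic one and is NOT the real Microsoft 365
or Google Workspace audit log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records for demonstration only.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z alice@clinic.example 203.0.113.5 success
2024-03-04T08:02:00Z bob@clinic.example 198.51.100.7 failure
2024-03-04T08:02:20Z bob@clinic.example 198.51.100.7 failure
2024-03-04T08:02:45Z bob@clinic.example 198.51.100.7 failure
2024-03-04T08:03:10Z bob@clinic.example 198.51.100.7 failure
2024-03-04T08:03:30Z bob@clinic.example 198.51.100.7 failure
2024-03-04T08:04:02Z bob@clinic.example 198.51.100.7 success
2024-03-04T09:15:00Z carol@clinic.example 192.0.2.10 failure
2024-03-04T13:40:00Z carol@clinic.example 192.0.2.10 success
"""

FAILURE_THRESHOLD = 5            # failures inside the window that raise an alert (assumed)
WINDOW = timedelta(minutes=10)   # sliding window for counting failures (assumed)


def parse_records(text):
    """Parse one record per line into dicts, sorted by time; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "outcome": outcome,
        })
    return sorted(records, key=lambda r: r["time"])


def find_suspicious_signins(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts for accounts with a burst of failed sign-ins, plus a second
    alert when a successful sign-in follows such a burst (the case a reviewer
    most wants to see, because the account may have been taken over)."""
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the window
    burst_open = set()                   # users currently in an alerted failure burst
    alerts = []
    for rec in records:
        user, t = rec["user"], rec["time"]
        # Drop failures that have aged out of the sliding window.
        recent_failures[user] = [f for f in recent_failures[user] if t - f <= window]
        if rec["outcome"] == "failure":
            recent_failures[user].append(t)
            if len(recent_failures[user]) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append({"user": user, "ip": rec["ip"], "time": t,
                               "type": "failure_burst"})
        elif rec["outcome"] == "success":
            if user in burst_open:
                alerts.append({"user": user, "ip": rec["ip"], "time": t,
                               "type": "success_after_burst"})
            # A success ends the current burst; start counting fresh.
            recent_failures[user].clear()
            burst_open.discard(user)
    return alerts


def review(text):
    """Parse raw audit text and return the list of alerts."""
    return find_suspicious_signins(parse_records(text))


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert["time"].isoformat(), alert["type"], alert["user"], alert["ip"])
```

On the sample data this raises two alerts for bob@clinic.example (a failure burst, then a success right after it) and nothing for carol, whose single failure is hours away from her later success. The sliding window matters: counting failures per day instead would generate noise from ordinary typos, while a short window with a success-after-burst check points a reviewer at the records worth documenting under the incident-response requirement.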
Get Help With HIPAA Compliance in the Cloud from C Solutions
We can help your central Florida business bridge the gap between cloud platforms and your HIPAA compliance needs by assisting with security configurations, access monitoring, and more.
Schedule a free compliance consultation today! Call 407-536-8381 or reach us online.