Is Outlook HIPAA compliant?

Want to use Outlook in your practice? We’ll show you how to do it with our HIPAA-compliant Outlook guide.

Is Outlook HIPAA compliant? Yes, it can be. However, there are several different Outlooks, and choosing the right option and setting it up correctly is complicated.

Maybe you want to know about Outlook because you’re already using it. 

Or you avoid email in favor of phone and text but would love to make the shift to email if you only knew how to do it right.

Well, guess what…

Outlook can be HIPAA compliant if you set it up right. However, it might not be the best option for you so we'll give you the pros and cons.

In this article, we're going to explain how to make Outlook HIPAA compliant. Then, we'll show you another option, our healthcare-focused email service – Hushmail for Healthcare.

By the time you get to the end, you'll know if Outlook is for you. And you'll be able to confidently choose the best email service for your practice. Let's get started.

Which Outlook should you use?

The approach you take depends on how you plan on using Outlook. There are basically three different Outlooks, and they all require a different approach when it comes to HIPAA compliance.

Let’s look at the three main options. You can find different variations of each but for this article, let’s keep it simple. 

  • Outlook.com used to be Hotmail. It’s free, but it isn’t HIPAA compliant. You can’t make it HIPAA compliant because Microsoft won’t sign a business associate agreement for your account.
  • Outlook with a Microsoft 365 subscription can be HIPAA compliant with the right plan if you set it up correctly.
  • The Outlook email application that comes with Office can be HIPAA compliant if you use it with a secure email service like Hushmail for Healthcare.

The free Outlook.com isn’t an option because it’s not HIPAA compliant. So that leaves us with the Outlook that comes with Microsoft 365 and the Outlook application you use on your computer. 

Make Outlook HIPAA compliant - a step-by-step guide

Now that you’ve chosen the Outlook you want to use, let’s take a look at everything you need to do to make it HIPAA compliant. Get comfortable. There are a lot of steps.

How to set up Outlook (Microsoft 365) for HIPAA compliance

Microsoft 365’s HIPAA-compliant email solution can get very elaborate, and there are multiple plans to choose from. If you don’t know what you’re looking for, you might accidentally purchase the wrong one.

For example, their enterprise plans cater to large healthcare organizations with hundreds of employees. They offer a lot of complicated safeguards that are expensive and, fortunately, not necessary for small to medium-sized practices like yours. 

You have very different needs. 

These are the three most important things to look for when deciding on a HIPAA-compliant email solution:

  • Encryption
  • An archive
  • A business associate agreement (BAA)

Encryption makes information unreadable to anyone other than the intended recipients. It’s important to consider the type of encryption an email service provides. Many services use encryption to secure email when it’s moving from the sender to the recipient. However, they don’t always protect the information once it’s in the recipient’s inbox. The best way to do this is with a private message center.

What is a private message center? 

A private message center is a secure web page where your clients can read and respond to your encrypted emails, even if they don’t have an encrypted email service themselves.

An archive helps you meet the HIPAA requirement to demonstrate that you’ve been implementing security safeguards, such as encryption, when communicating online with your clients.

And a business associate agreement (BAA) affirms that an email service accepts responsibility for the safety of your clients' information. With a BAA, you can feel confident that they’ll comply with HIPAA requirements on your behalf.

Let’s take a look at the Microsoft 365 plan that best meets these needs.

Choose the right Microsoft 365 plan for your healthcare practice

We recommend Microsoft 365 Business Premium. This plan will give you the encryption, archive, and business associate agreement you need if you’re a small healthcare practice, as long as you set it up and use it correctly.

The other account options don’t offer a private message center, so you can’t communicate securely with clients who don’t have a Microsoft account. 

Unfortunately, Microsoft doesn’t hand you a HIPAA-compliant cheat sheet. You have to figure out on your own how to make Outlook HIPAA-compliant. And it gets complicated if you aren’t tech-savvy.

We’ve interpreted the Microsoft guides the best we can, so we can give you the best advice on setting up and using Outlook.

Sign up for Microsoft 365 Business Premium

1. Go to Microsoft 365 for business. Select the Microsoft 365 Business Premium subscription. Be sure to choose the “Try free for 1 month” option if you want the trial.

2. Enter your current email address.

3. Click “Set up account.”

4. They’ll want to find out a little more about you and your business.

5. And they’ll want to make sure that you’re you by giving you a secret code either by text or with a phone call.

6. Once you get the verification code, enter it in the field.

At this point, if you haven't purchased your own domain to use, Microsoft will give you something like: MatthewWatsonLCSW5.onmicrosoft.com. 

What is a domain? The domain is the part of your email address after the @ symbol. 

You can customize the part in front of onmicrosoft.com (e.g., MatthewWatsonLCSW5).

However, if you’re with Hushmail, you can use professional domains like @therapysecure.com, @counselingmail.com, and a few others for free. That’s because Hushmail was built with practitioners like you in mind, not the masses.

7. Next, come up with a strong password. We advise using a random set of memorable words. You might consider a phrase with a specific meaning to you or about a family member, hobby, or personal belief. For example: “chess is very hard” or “anna goes to nursery.” 

8. Then you’ll be asked to add a payment method. Be sure to make a note of the trial expiration date. You might need to cancel if you decide Outlook doesn’t meet your needs. 

And there you have it. The steps to signing up for your account. You’re on your way!

Sign a Microsoft 365 business associate agreement (BAA)

The first step after you sign into your account for the first time is to find and read the business associate agreement (BAA).

A note about signing in – you can sign in and get to Outlook either through Microsoft 365 or Office. It’s a little confusing, but basically once you’re on a Microsoft page, find the “Sign in to your account” icon in the top right corner. That will get you there.

The BAA affirms that Microsoft will take care of your clients’ information when it’s in their hands.

HIPAA requires that you get a BAA from every business that has access to your clients’ information. Not having one could result in a fine.

"It's important to obtain BAAs from the third-party services you use in your practice," says Steve Youngman, Hushmail's Vice-President of Legal. "But it's equally important to understand that they don't guarantee HIPAA compliance. It's up to you to use the service in a compliant manner."

Here are the steps to finding and signing the BAA. Get ready, it’s a little hidden… 

1. Sign in to your account. When you first get started, your homepage will look something like this:

2. Click on the square of dots in the top left corner.

3. Find and click on the compliance icon.

4. Once you’re on the compliance page, which is called Microsoft Purview, scroll down the menu on the left and click on “More resources.”

5. Then find and open the Service Trust Portal.

6. Scroll down until you see “White Papers, FAQs, & Compliance Guides.” Click on those words.

7. Click on “Compliance Guides.”

8. Scroll down until you find the “MicrosoftHIPAABAA.”

You might be asked to sign in to your account again. Once you’re signed in, accept the terms for receiving their BAA. At that point, you’ll either automatically download the BAA or be given the option to download it, depending on your web browser. 

As you can see this wasn’t made for healthcare practitioners needing easy access to their BAA. 

It’s a good idea to read through your BAA to make sure you understand what it covers. Check with your attorney if you’re unsure about anything. Unfortunately, Microsoft won’t customize their BAA.

Get the Outlook license

When you first get a Microsoft 365 account, it doesn’t automatically come with Outlook. You have to assign a license to yourself. 

This is getting pretty technical but hang in there. And don’t worry. If this turns out to be too difficult, there are options besides Outlook that are HIPAA-compliant right out of the box. You won’t need to do any of this. You’ll find out about those later on in the post.

Click on “Assign Products” displayed in the red banner across the top of the page.

If you don’t see that banner, you can reach the correct page through the Microsoft 365 Admin Center. You can access the center by clicking on the Admin icon in the left-hand menu or by clicking on the square of dots. 

1. Once you’re in the Admin Center, choose “Active users” from the menu on the left. You’ll find this under “Users.”

2. Click on the three dots next to the user you want to use Outlook (at this point, it’s probably just you) and click on “Manage product licenses.”

3. Then, turn on Exchange Online, Office for the Web, and SharePoint. 

Exchange Online - The email server necessary for Outlook to work. It will also provide you with the archive you need for HIPAA compliance.

Office for the Web - The suite of applications containing Outlook.

SharePoint - A collaboration system that lets you easily work with people on your team. This might not be something you need right now. However, you must assign a SharePoint license to assign an Office license. An error will appear if you try to turn on Office and not SharePoint.

Enable your archive

While you’re in this section, let’s go ahead and enable your archive. You need it for your HIPAA compliance. It’s important to note that the archive is not turned on by default. You have to figure out how to do it yourself. (Really? Why is Microsoft making this so hard?)

1. Click on “Mail.”

2. Then, click on “Edit Exchange Properties.”

3. In the left-hand menu, click “mailbox features,” then scroll down to find and enable archiving.

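The same archive setup can be done and, more importantly, verified from Exchange Online PowerShell. This is an added example, not from the original post; the admin and mailbox addresses are placeholders, and it assumes the ExchangeOnlineManagement module is installed (Install-Module ExchangeOnlineManagement).

```powershell
# Added example (not from the original post): enable the Exchange Online archive
# for a mailbox and then check that every user mailbox in the tenant has one.
# Placeholder identities: replace with your own admin account and mailbox.
$AdminUpn   = 'admin@YOURTENANT.onmicrosoft.com'   # placeholder
$MailboxUpn = 'you@YOURTENANT.onmicrosoft.com'     # placeholder

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# The archive is off by default (ArchiveStatus = None); turn it on for this mailbox.
$mbx = Get-Mailbox -Identity $MailboxUpn
if ($mbx.ArchiveStatus -ne 'Active') {
    Enable-Mailbox -Identity $MailboxUpn -Archive | Out-Null
}

# Verification: list every user mailbox that still has no active archive.
# Run this before handling client information and again whenever you add staff,
# because a new user's mailbox will also start without an archive.
$missing = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -ne 'Active' } |
    Select-Object DisplayName, UserPrincipalName, ArchiveStatus

if ($missing) {
    Write-Warning 'Mailboxes with no active archive:'
    $missing | Format-Table -AutoSize
} else {
    Write-Host 'All user mailboxes have an active archive.'
}

# Confirm the archive mailbox exists and see what it holds. Right after enabling,
# provisioning can take a few minutes, so this may need to be re-run.
Get-MailboxStatistics -Identity $MailboxUpn -Archive |
    Select-Object DisplayName, ItemCount, TotalItemSize

Disconnect-ExchangeOnline -Confirm:$false
```

An archive mailbox is extra storage, not a guarantee that mail is kept: items a user deletes are only preserved if a retention policy or hold is also applied, which is configured separately.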

Set up Outlook for HIPAA compliance

How’s it going so far?

You’ve spent a lot of time setting up your account. You’re almost ready to send your first email, but you’re not quite there yet. You need to set up a few more things to make sure your account is secure. Microsoft has created a guide with all the details: HIPAA/HITECH Act Customer Considerations for Microsoft Office 365 and Microsoft Dynamics CRM Online.

Beware. This guide is not for the faint of heart. 😧

Sadly, you still need to dig through a lot of technical information to find what’s important to your practice: 

  • Learn about how the encryption works and where it’s safe to put your clients’ information
  • Set access controls to limit who can access your clients’ information
  • Make sure you’re using strong passwords 
  • Set up two-step verification if you haven’t already

How to use Outlook for HIPAA compliance

You’re ready to send your first encrypted email! 

1. Open up Outlook by clicking on the Outlook icon in the left-hand menu. If you’ve assigned the correct licenses, this icon should be there now. 

2. Once you’re in Outlook, click on “New message.”

3. Then click “Encrypt” at the top. You can do this before or after you compose your message. You should consider doing it first so you don’t forget.

You’ll see this message:

When you send the message, your client will get an email with a link to your message in the private message center. 

Your message never actually leaves Microsoft 365, which is why it’s secure. If your client has a Microsoft account, they’ll securely receive and answer your email from their account just as they would any email.

However, if they don’t have a Microsoft account, they’ll need to sign in with Google or with a one-time passcode.

Finally, you’ve done it! You can read more about how Outlook encryption works here.

Keep in mind that turning on encryption doesn’t automatically make an email HIPAA compliant. It’s up to you to make sure you send it to the right person and don’t include sensitive information in subject lines.

Also, don’t forget that getting a BAA doesn’t automatically mean HIPAA compliance. It’s up to how you use the service. 

How to set up the Outlook application for HIPAA compliance

Now that you’ve read all about how to set up Outlook from your Microsoft 365 account, we want to mention another way you can use Outlook securely.

The Outlook application is basically an email reader that you can use with any email account you have. You might have gotten Outlook from purchasing Office years ago. Or maybe it came with your computer. 

If you’re already using the Outlook application on your computer, there’s a very easy way to achieve HIPAA compliance without the rigamarole of signing up for a complicated Microsoft 365 account. Just use it with a separate HIPAA-compliant email service like Hushmail for Healthcare. 

That way, you can keep using the Outlook you’re familiar with and also get the benefits of encryption, archiving, and a BAA.

Advantages of using Outlook for HIPAA compliance

Now that we’ve gone through how to make Outlook HIPAA compliant, let’s take a look at the pros and cons.

There are advantages to using Outlook that might make it worth the extra effort it takes to make it HIPAA compliant. 

  • Outlook is familiar
  • Microsoft is a household name
  • A Business Premium account comes with a lot of different services that could be useful. Just make sure you carefully read the BAA to make sure they’re covered under it. Not all of them are – and, therefore, not all of them are HIPAA compliant.
  • There’s a 30-day trial so you can test it out before committing

Disadvantages of using Outlook and an alternative: Hushmail 

However, there are quite a few disadvantages to using Outlook as well. 

Not purpose-built for healthcare   

Microsoft has been around for a long time and offers a stunning array of tools and services for everyone. But it wasn’t built just for healthcare. The specific tools and information you need for your practice can be difficult to find when they’re mixed in with everything else. Just think about how hard it was to find the BAA.

No special features like practice forms

Microsoft wasn’t built for healthcare, and it doesn’t provide healthcare-specific features such as practice forms. You do get forms with your Microsoft 365 account, but they don’t include templates for the forms you need, like informed consent forms and Good Faith Estimates. You use a lot of forms, and it would be nice to have these included!

Up to you to figure out HIPAA compliance

The language in the Microsoft HIPAA compliance guide and on the website is confusing and not written for a healthcare practitioner running a busy practice. You can make your account HIPAA compliant, but the setup is complicated, and there isn’t an easy-to-understand cheat sheet. We did our best to make one for you (this blog post). 😄

Requires a domain purchase to look professional

And don’t forget, unless you have your own domain, you’ll need to use what Microsoft gives you. You don’t have the option of other domains like Hushmail’s therapysecure.com or counselingmail.com, among others.

Locks you into a plan for a year

One more thing – once you start using Microsoft, after the 30-day trial you’re stuck with it for a year. There’s no month-to-month plan. That flexibility is nice to have, especially during uncertain economic times.

Fortunately, there’s Hushmail for Healthcare! A HIPAA-compliant email service built just for healthcare. You don’t have to worry about covering all the bases for making your emails compliant. We’ve already figured it out for you. 

And if you have questions, you have access to a customer success team trained in helping healthcare professionals. 

Unlike Microsoft, Hushmail is always thinking about how it can make things easier for healthcare practices. If a new regulation comes out, like the No Surprises Act, we’re on it, developing the tools you need to comply. 

Take a look at some of the advantages of Hushmail:

  • Built for healthcare 
  • HIPAA compliant out of the box
  • Additional features such as healthcare form templates 
  • Built-in e-signatures
  • Free personalized help, advice, and guidance


Hushmail for Healthcare vs. Microsoft 365 Business Premium (Outlook)

| Feature                          | Hushmail for Healthcare      | Microsoft 365 Business Premium (Outlook)              |
|----------------------------------|------------------------------|-------------------------------------------------------|
| Business Associate Agreement     | ✓                            | ✓                                                     |
| Email encryption                 | ✓                            | ✓                                                     |
| Private message center           | ✓                            | ✓                                                     |
| Built-in archive                 | ✓                            | ✓                                                     |
| Secure healthcare form templates | ✓                            | ❌                                                    |
| Built-in e-signatures            | Optional                     | ❌                                                    |
| Trial                            | 60-day money back guarantee  | 30-day free trial (credit card information required)  |
| Cost                             | Starts at $11.99/month       | Starts at $22/month with an annual commitment         |

FAQs about Outlook 

What’s the difference between Microsoft 365 and Office 365?

It’s a bit confusing, but Microsoft 365 used to include Office 365. However, in 2020, Office 365 was renamed Microsoft 365. Now it’s simply Office as part of a Microsoft 365 subscription.

Is Office the same thing as Outlook?

No. Office is a collection of productivity applications that include the email app called Outlook. You can get it as a one-time purchase that allows you to put the apps on one computer. Or you can get Office as part of a Microsoft 365 subscription that gives you more flexibility as well as upgrades.

Can I use Hushmail with Outlook if I get Outlook through a Microsoft 365 account?

Yes, you can if you download the software to use on your computer. We’ll be happy to help you set this up.

Is a BAA all I need to be HIPAA compliant?

No. As Microsoft clearly states, “By offering a Business Associate Agreement, Microsoft helps support your HIPAA compliance. However, using Microsoft services does not on its own achieve HIPAA compliance. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with your obligations under HIPAA and the HITECH Act.”

Conclusion: So is Outlook HIPAA compliant in 2023?

Outlook can be made HIPAA compliant, but the setup is difficult. The problem is that Outlook was made for every business, not just healthcare. This means you’ll never get the special consideration you need as a healthcare practitioner when setting up or using their email. The same problems apply to other popular email providers, such as Gmail, if you try to make them HIPAA compliant.

It’s far better to go with a service like Hushmail that is built for healthcare. If you love the Outlook email application so much you can’t imagine using something else, that’s OK! You can use Hushmail with it. 

That way, you get to maintain the familiarity of Outlook while getting the HIPAA-compliant benefits of Hushmail for Healthcare.
