Is Outlook HIPAA compliant? Yes, it can be. However, there are several different Outlooks and choosing the right option and setting it up correctly is complicated.
Maybe you want to know about Outlook because you’re already using it.
Or you avoid email in favor of phone and text but would love to make the shift to email if you only knew how to do it right.
Well, guess what…
Outlook can be HIPAA compliant if you set it up right. However, it might not be the best option for you so we'll give you the pros and cons.
In this article, we're going to explain how to make Outlook HIPAA compliant. Then, we'll show you another option, our healthcare-focused email service – Hushmail for Healthcare.
By the time you get to the end, you'll know if Outlook is for you. And you'll be able to confidently choose the best email service for your practice. Let's get started.
The approach you take depends on how you plan on using Outlook. There are basically three different Outlooks, and they all require a different approach when it comes to HIPAA compliance.
Let’s look at the three main options. You can find different variations of each but for this article, let’s keep it simple.
Outlook.com used to be Hotmail. It’s free, but it isn’t HIPAA compliant. You can’t make it HIPAA compliant because Microsoft won’t sign a business associate agreement for your account.
Outlook with a Microsoft 365 subscription can be HIPAA compliant with the right plan if you set it up correctly.
The Outlook email application that comes with Office can be HIPAA compliant if you use it with a secure email service like Hushmail for Healthcare.
The free Outlook.com isn’t an option because it’s not HIPAA compliant. So that leaves us with the Outlook that comes with Microsoft 365 and the Outlook application you use on your computer.
Now that you’ve chosen the Outlook you want to use, let’s take a look at everything you need to do to make it HIPAA compliant. Get comfortable. There are a lot of steps.
Microsoft 365’s HIPAA-compliant email solution can get very elaborate, and there are multiple plans to choose from. If you don’t know what you’re looking for, you might accidentally purchase the wrong one.
For example, their enterprise plans cater to large healthcare organizations with hundreds of employees. They offer a lot of complicated safeguards that are expensive and, fortunately, not necessary for small to medium-sized practices like yours.
You have very different needs.
These are the three most important things to look for when deciding on a HIPAA-compliant email solution:
Encryption makes information unreadable to anyone other than the intended recipients. It’s important to consider the type of encryption an email service provides. Many services use encryption to secure email when it’s moving from the sender to the recipient. However, they don’t always protect the information once it’s in the recipient’s inbox. The best way to do this is with a private message center.
What is a private message center? A private message center is a secure web page where your clients can read and respond to your encrypted emails, even if they don’t have an encrypted email service themselves.
An archive helps you meet the HIPAA requirement to demonstrate that you’ve been implementing security safeguards, such as encryption, when communicating online with your clients.
And a business associate agreement (BAA) affirms that an email service accepts responsibility for the safety of your clients' information. With a BAA, you can feel confident that they’ll comply with HIPAA requirements on your behalf.
Let’s take a look at the Microsoft 365 plan that best meets these needs.
We recommend Microsoft 365 Business Premium. This plan will give you the encryption, archive, and business associate agreement you need if you’re a small healthcare practice. As long as you set it up and use it correctly.
The other account options don’t offer a private message center, so you can’t communicate securely with clients who don’t have a Microsoft account.
Unfortunately, Microsoft doesn’t hand you a HIPAA-compliant cheat sheet. You have to figure out on your own how to make Outlook HIPAA-compliant. And it gets complicated if you aren’t tech-savvy.
We’ve interpreted the Microsoft guides the best we can, so we can give you the best advice on setting up and using Outlook.
4. They’ll want to find out a little more about you and your business.
5. And they’ll want to make sure that you’re you by giving you a secret code either by text or with a phone call.
At this point, if you haven't purchased your own domain to use, Microsoft will give you something like: MatthewWatsonLCSW5.onmicrosoft.com.
What is a domain? The domain is the part of your email address after the @ symbol.
You can customize the part in front of onmicrosoft.com (e.g., MatthewWatsonLCSW5).
However, if you’re with Hushmail, you can use professional domains like @therapysecure.com, @counselingmail.com, and a few others for free. That’s because Hushmail was built with practitioners like you in mind, not the masses.
7. Next, come up with a strong password. We advise using a random set of memorable words. You might consider a phrase with a specific meaning to you or about a family member, hobby, or personal belief. For example: “chess is very hard” or “anna goes to nursery.”
And there you have it. The steps to signing up for your account. You’re on your way!
The first step after you sign into your account for the first time is to find and read the business associate agreement (BAA).
The BAA affirms that Microsoft will take care of your clients’ information when it’s in their hands.
HIPAA requires that you get a BAA from every business that has access to your clients’ information. Not having one could result in a fine.
"It's important to obtain BAAs from the third-party services you use in your practice," says Steve Youngman, Hushmail's Vice-President of Legal. "But it's equally important to understand that they don't guarantee HIPAA compliance. It's up to you to use the service in a compliant manner."
Here are the steps to finding and signing the BAA. Get ready, it’s a little hidden…
1. Sign in to your account. When you first get started, your homepage will look something like this:
5. Then find and open the Service Trust Portal.
You might be asked to sign in to your account again. Once you’re signed in, accept the terms for receiving their BAA. At that point, you’ll either automatically download the BAA or be given the option to download it, depending on your web browser.
As you can see this wasn’t made for healthcare practitioners needing easy access to their BAA.
It’s a good idea to read through your BAA to make sure you understand what it covers. Check with your attorney if you’re unsure about anything. Unfortunately, Microsoft won’t customize their BAA.
When you first get a Microsoft 365 account, it doesn’t automatically come with Outlook. You have to assign a license to yourself.
This is getting pretty technical but hang in there. And don’t worry. If this turns out to be too difficult, there are options besides Outlook that are HIPAA-compliant right out of the box. You won’t need to do any of this. You’ll find out about those later on in the post.
Click on “Assign Products” displayed in the red banner across the top of the page.
If you don’t see that banner, you can reach the correct page through the Microsoft 365 Admin Center. You can access the center by clicking on the Admin icon in the left-hand menu or by clicking on the square of dots.
3. Then, turn on Exchange Online, Office for the Web, and SharePoint.
Exchange Online - The email server necessary for Outlook to work. It will also provide you with the archive you need for HIPAA compliance.
Office for the Web - The suite of applications containing Outlook.
SharePoint - A collaboration system that lets you easily work with people on your team. This might not be something you need right now. However, you must assign a SharePoint license to assign an Office license. An error will appear if you try to turn on Office and not SharePoint.
While you’re in this section, let’s go ahead and enable your archive. You need it for your HIPAA compliance. It’s important to note that the archive is not turned on by default. You have to figure out how to do it yourself. (Really? Why is Microsoft making this so hard?)
1. Click on “Mail.”
3. In the left-hand menu, click “mailbox features,” scroll down, and find and enable archiving.
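If you prefer to confirm the archive setting from the command line rather than the admin center, the same check can be done with Exchange Online PowerShell. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed and uses admin@yourpractice.onmicrosoft.com as a placeholder for your admin account.

```powershell
# Added example: verify and enable the Exchange Online archive mailbox.
# Assumes the ExchangeOnlineManagement module is installed and that
# admin@yourpractice.onmicrosoft.com is a placeholder for your admin account.
Connect-ExchangeOnline -UserPrincipalName admin@yourpractice.onmicrosoft.com

# List every mailbox whose archive is not active (archiving is off by default).
$noArchive = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ArchiveStatus -ne 'Active' } |
    Select-Object UserPrincipalName, ArchiveStatus
$noArchive | Format-Table -AutoSize

# Enable the archive for each mailbox that still lacks one.
foreach ($mbx in $noArchive) {
    Enable-Mailbox -Identity $mbx.UserPrincipalName -Archive
}

# Confirm the change took effect: every mailbox should now show 'Active'.
Get-Mailbox -ResultSize Unlimited | Select-Object UserPrincipalName, ArchiveStatus

Disconnect-ExchangeOnline -Confirm:$false
```

Run this again periodically: a mailbox created later (for a new staff member, say) will start without an archive just like the first one did.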
How’s it going so far?
You’ve spent a lot of time setting up your account. You’re almost ready to send your first email, but you’re not quite there yet. You need to set up a few more things to make sure your account is secure. Microsoft has created a guide with all the details: HIPAA/HITECH Act Customer Considerations for Microsoft Office 365 and Microsoft Dynamics CRM Online
Beware. This guide is not for the faint of heart. 😧
Sadly, you still need to dig through a lot of technical information to find what’s important to your practice:
You’re ready to send your first encrypted email!
1. Open up Outlook by clicking on the Outlook icon in the left-hand menu. If you’ve assigned the correct licenses, this icon should be there now.
2. Once you’re in Outlook, click on “New message.”
3. Then click “Encrypt” at the top. You can do this before or after you compose your message. You should consider doing it first so you don’t forget.
You’ll see this message:
When you send the message, your client will get an email with a link to your message in the private message center.
Your message never actually leaves Microsoft 365, which is why it’s secure. If your client has a Microsoft account, they’ll securely receive and answer your email from their account just as they would any email.
However, if they don’t have a Microsoft account, they’ll need to sign in with Google or with a one-time passcode.
Finally, you’ve done it! You can read more about how Outlook encryption works here.
Keep in mind that turning on encryption doesn’t automatically make an email HIPAA compliant. It’s up to you to make sure you send it to the right person and don’t include sensitive information in subject lines.
Also, don’t forget that getting a BAA doesn’t automatically mean HIPAA compliance. It’s up to how you use the service.
Worried you’ll miss something? We put together six quick tips to ensure your emails are truly HIPAA compliant.
Now that you’ve read all about how to set up Outlook from your Microsoft 365 account, we want to mention another way you can use Outlook securely.
The Outlook application is basically an email reader that you can use with any email account you have. You might have gotten Outlook from purchasing Office years ago. Or maybe it came with your computer.
If you’re already using the Outlook application on your computer, there’s a very easy way to achieve HIPAA compliance without the rigamarole of signing up for a complicated Microsoft 365 account. Just use it with a separate HIPAA-compliant email service like Hushmail for Healthcare.
That way, you can keep using the Outlook you’re familiar with and also get the benefits of encryption, archiving, and a BAA.
Now that we’ve gone through how to make Outlook HIPAA compliant, let’s take a look at the pros and cons.
There are advantages to using Outlook that might make it worth the extra effort it takes to make it HIPAA compliant.
However, there are quite a few disadvantages to using Outlook as well.
Microsoft has been around for a long time and offers a stunning array of tools and services for everyone. But it wasn’t built just for healthcare. The specific tools and information you need for your practice can be difficult to find when they’re mixed in with everything else. Just think about how hard it was to find the BAA.
Microsoft wasn’t built for healthcare, and it doesn’t provide healthcare-specific features such as practice forms. You do get forms with your Microsoft 365 account, but they don’t include templates for the forms you need, like informed consent forms and Good Faith Estimates. You use a lot of forms, and it would be nice to have these included!
The language in the Microsoft HIPAA compliance guide and on the website is confusing and not written for a healthcare practitioner running a busy practice. You can make your account HIPAA compliant, but the setup is complicated, and there isn’t an easy-to-understand cheat sheet. We did our best to make one for you (this blog post). 😄
And don’t forget, unless you have your own domain, you’ll need to use what Microsoft gives you. You don’t have the option of other domains like Hushmail’s therapysecure.com or counselingmail.com, among others.
One more thing – once you start using Microsoft, after the 30-day trial you’re stuck with it for a year. There’s no month-to-month plan. That flexibility is nice to have, especially during uncertain economic times.
Fortunately, there’s Hushmail for Healthcare! A HIPAA-compliant email service built just for healthcare. You don’t have to worry about covering all the bases for making your emails compliant. We’ve already figured it out for you.
And if you have questions, you have access to a customer success team trained in helping healthcare professionals.
Unlike Microsoft, Hushmail is always thinking about how it can make things easier for healthcare practices. If a new regulation comes out, like the No Surprises Act, we’re on it, developing the tools you need to comply.
Take a look at some of the advantages of Hushmail:
| | Hushmail for Healthcare | Microsoft 365 Business Premium (Outlook) |
|---|---|---|
| Business Associate Agreement | ✅ | ✅ |
| Email encryption | ✅ | ✅ |
| Private message center | ✅ | ✅ |
| Built-in archive | ✅ | ✅ |
| Secure healthcare form templates | ✅ | ❌ |
| Built-in e-signatures | Optional | ❌ |
| Trial | 60-day money back guarantee | 30-day free trial (credit card information required) |
| Cost | Starts at $11.99/month | Starts at $22/month with an annual commitment |
It’s a bit confusing, but Microsoft 365 used to include Office 365. However, in 2020, Office 365 was renamed Microsoft 365. Now it’s simply Office as part of a Microsoft 365 subscription.
No. Office is a collection of productivity applications that include the email app called Outlook. You can get it as a one-time purchase that allows you to put the apps on one computer. Or you can get Office as part of a Microsoft 365 subscription that gives you more flexibility as well as upgrades.
Yes, you can if you download the software to use on your computer. We’ll be happy to help you set this up.
No. As Microsoft clearly states, “By offering a Business Associate Agreement, Microsoft helps support your HIPAA compliance. However, using Microsoft services does not on its own achieve HIPAA compliance. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with your obligations under HIPAA and the HITECH Act.”
Outlook can be made HIPAA compliant, but the setup is difficult. The problem is that Outlook was made for every business, not just healthcare. This means you’ll never get the special consideration you need as a healthcare practitioner when setting up or using their email. The same problems apply to other popular email providers, for example if you try to make Gmail HIPAA compliant.
It’s far better to go with a service like Hushmail that is built for healthcare. If you love the Outlook email application so much you can’t imagine using something else, that’s OK! You can use Hushmail with it.
That way, you get to maintain the familiarity of Outlook while getting the HIPAA-compliant benefits of Hushmail for Healthcare.