Is Outlook HIPAA compliant? Yes, it can be. But setting it up correctly can be complicated.
If you already use Outlook in your practice, you might be wondering whether it's safe to use for client communication.
Many healthcare professionals stick with Outlook because it's familiar and part of the tools they already rely on.
The good news is, you don't necessarily have to replace it.
In this article, we'll walk you through what it takes to make Outlook HIPAA-compliant, including setup and limitations to be aware of.
We'll also look at a simpler way to handle secure messages and forms, without changing how you use Outlook for everyday communication.
By the end, you'll have a clear understanding of your options and what will work best for your practice.
The approach you take depends on how you plan to use Outlook. There are three different things people often mean by "Outlook," and each plays a different role in HIPAA compliance.
Let's look at the three main options. You can find different variations of each, but for this article, let's keep it simple.
| What "Outlook" means | What it is | HIPAA status |
|---|---|---|
| Outlook.com (free email) | Microsoft's free email service (similar to Gmail). | Not HIPAA compliant, because Microsoft does not offer a Business Associate Agreement (BAA) for personal accounts. Many healthcare professionals still use it for everyday communication and switch to a separate secure messaging solution when they need to send sensitive information. |
| Microsoft 365 (paid business service) | Microsoft's paid service for businesses. | Can be made HIPAA compliant if you choose the right plan and configure it correctly. |
| Outlook app (the program that comes with Office) | A tool for accessing your email. It's not an email service itself. | Doesn't by itself determine whether your messages are HIPAA compliant; that depends on the email service behind it. The device it runs on still has to be protected (disk encryption, screen lock, updates), because the app stores copies of your mail locally. |
So when people ask whether Outlook is HIPAA-compliant, they're usually referring to Microsoft 365. But even then, getting it set up correctly takes some work.
Setting up Outlook to meet HIPAA requirements takes time and careful configuration.
We'll walk you through the key steps so you can understand what's involved and decide whether this approach is right for your practice.
We'll also look at a simpler way to handle secure messaging later on.
Setting up Outlook (Microsoft 365) to meet HIPAA requirements can take some time. There are multiple plans and settings to choose from, and it's not always clear which ones you need.
To keep things simple, here are the three key things to look for in a HIPAA-compliant email setup:
Encryption scrambles a message so that only someone holding the right key, normally the intended recipient, can read it.
It's important to understand how your email provider protects messages, both while they're being sent and after they're delivered.
Some services protect messages in transit, but once the message reaches your client's inbox, that protection may not continue.
If you'd like to understand how email encryption protects messages at different stages, you can read more about email encryption.
How secure messages are delivered
With secure messaging, sensitive information is not sent as a regular email.
Instead, your client receives a notification and clicks a secure link to view the message.
They can read, reply, and complete forms on a secure page.
They do not need a paid account to access it.
Learn more about how secure messages work.
An archive (a retained, searchable copy of the mail you send and receive) supports HIPAA's documentation and audit requirements and lets you demonstrate that safeguards such as encryption were actually applied when you communicated with clients online.
A Business Associate Agreement (BAA) is a contract in which the email provider commits to safeguarding your clients' information under HIPAA's rules. It makes the provider accountable for its part, but it does not take over your obligations: you remain responsible for configuring and using the service in a compliant way.
Let's take a look at the Microsoft 365 plan that best meets these needs.
We recommend Microsoft 365 Business Premium for most small healthcare practices. It includes the features needed to support HIPAA compliance, such as encryption, archiving, and a Business Associate Agreement (BAA), when set up correctly.
Other plans may not include all of these features or may require additional configuration.
Unfortunately, Microsoft doesn't hand you a HIPAA-compliant cheat sheet. You have to figure out how to make Outlook HIPAA-compliant on your own. And it gets complicated if you aren't tech-savvy.
We've interpreted the Microsoft guides the best we can, so we can give you the best advice on setting up and using Outlook.
1. Go to Microsoft 365 for business. Select the Microsoft 365 Business Premium subscription. Be sure to choose the "Try free for 1 month" option if you want to try it.
2. Enter your current email address.
3. Click "Set up account."
4. They'll want to find out a little more about you and your business.
5. And they'll want to make sure that you're you by giving you a secret code, either by text or with a phone call.
6. Once you get the verification code, enter it in the field.
At this point, if you haven't purchased your own domain, Microsoft will give you something like MatthewWatsonLCSW5.onmicrosoft.com.
What is a domain? The domain is the part of your email address after the @ symbol.
You can customize the part before onmicrosoft.com (e.g., MatthewWatsonLCSW5) or connect your own domain (like yourpractice.com) to create a more professional email address.
7. Next, come up with a strong password. We advise using a random set of memorable words. You might consider a phrase with a specific meaning to you or about a family member, hobby, or personal belief. For example: "chess is very hard" or "anna goes to nursery." Once you're signed in, also turn on multifactor authentication (MFA) for every account; a password alone is not enough to protect a mailbox that will hold client information.
8. Then you'll be asked to add a payment method. Be sure to note the trial expiration date. You might need to cancel if you decide Outlook doesn't meet your needs.
And there you have it. The steps to signing up for your account. You're on your way!
The first step after you sign into your account for the first time is to find and read the Business Associate Agreement (BAA).
A note about signing in: you can sign in and get to Outlook either through Microsoft 365 or Office. It's a little confusing, but basically, once you're on a Microsoft page, find the "Sign in to your account" icon in the top right corner. That will get you there.
The BAA affirms that Microsoft will protect your clients' information when it's in its hands.
HIPAA requires that you have a BAA with every vendor that creates, receives, stores, or transmits your clients' protected health information on your behalf. Not having one could result in a fine.
"It's important to obtain BAAs from the third-party services you use in your practice. But it's equally important to understand that they don't guarantee HIPAA compliance. It's up to you to use the service in a compliant manner."
Steven O. Youngman, VP of Legal and Compliance at Hushmail
Here are the steps to finding and signing the BAA. Get ready, it's a little hidden...
1. Sign in to your account. When you first get started, your homepage will look something like this:
2. Click on the square of dots in the top left corner.
3. Find and click on the compliance icon.
4. Once you're on the compliance page, which is called Microsoft Purview, scroll down the menu on the left and click on "More resources."
5. Then find and open the Service Trust Portal.
6. Scroll down until you see "White Papers, FAQs, & Compliance Guides." Click on those words.
7. Click on "Compliance Guides."
8. Scroll down until you find the "MicrosoftHIPAABAA."
You might be asked to sign in to your account again. Once you're signed in, accept the terms for receiving their BAA. At that point, you'll either automatically download the BAA or be prompted to download it, depending on your web browser.
As you can see, this wasn't designed for healthcare practitioners who need easy access to their BAA.
It's a good idea to read through your BAA to make sure you understand what it covers. Check with your attorney if you're unsure about anything. Unfortunately, Microsoft won't customize its BAA.
When you first get a Microsoft 365 account, it doesn't automatically come with Outlook. You have to assign a license to yourself.
This is getting pretty technical, but hang in there. If this proves too difficult, there are options besides Outlook that are HIPAA-compliant right out of the box, so you won't need to do any of this. You'll find out about those later on in the post.
Click "Assign Products" in the red banner at the top of the page.
If you don't see that banner, you can navigate to the correct page in the Microsoft 365 Admin Center. You can access the center by clicking the Admin icon in the left-hand menu or the square of dots.
1. Once you're in the Admin Center, choose "Active users" from the menu on the left. You'll find this under "Users."
2. Click on the three dots next to the user you want to use Outlook (at this point, it's probably just you) and click on "Manage product licenses."
3. Then, turn on Exchange Online, Office for the Web, and SharePoint.
Exchange Online - The email server necessary for Outlook to work. It will also provide you with the archive you need for HIPAA compliance.
Office for the Web - The suite of applications containing Outlook.
SharePoint - A collaboration system that lets you easily work with people on your team. This might not be something you need right now. However, you must assign a SharePoint license to assign an Office license. An error will appear if you try to turn on Office and not SharePoint:
While you're in this section, let's go ahead and enable your archive. You need it for your HIPAA compliance. It's important to note that the archive is not turned on by default. You have to figure out how to do it yourself. (Really? Why is Microsoft making this so hard?)
1. Click on "Mail."
2. Then, click on "Edit Exchange Properties."
3. In the left-hand menu, click "mailbox features," scroll down, and find and enable archiving.
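If you'd rather not click through the admin center, or you want to confirm that the clicks actually took effect, the same two steps (assign the Business Premium license, turn on the archive mailbox) can be done and verified from PowerShell. The script below is an added example written for this article, not Microsoft's own documentation. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that you sign in as the tenant administrator, and that `matthew@yourpractice.com` stands in for your own address; the Business Premium SKU part number `SPB` should be checked against what `Get-MgSubscribedSku` returns in your tenant.

```powershell
# Added example: license assignment + archive enablement from PowerShell.
# Install once:  Install-Module Microsoft.Graph, ExchangeOnlineManagement -Scope CurrentUser
$Upn = 'matthew@yourpractice.com'   # assumption: replace with your own mailbox address

# --- 1. Assign the Microsoft 365 Business Premium license (Microsoft Graph) ---
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# Business Premium is sold under SkuPartNumber 'SPB' (assumption; verify with
# Get-MgSubscribedSku if the lookup below returns nothing).
$Sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'SPB'
if (-not $Sku) { throw 'Business Premium SKU not found in this tenant.' }

# Assigning the SKU with no disabled plans enables every service, including the
# three Outlook needs: Exchange Online, Office for the web and SharePoint.
Set-MgUserLicense -UserId $Upn -AddLicenses @(@{ SkuId = $Sku.SkuId }) -RemoveLicenses @()

# Show which service plans actually provisioned for the user.
(Get-MgUserLicenseDetail -UserId $Upn).ServicePlans |
    Where-Object ProvisioningStatus -eq 'Success' |
    Select-Object ServicePlanName, ProvisioningStatus

# --- 2. Turn on the archive mailbox (Exchange Online) ---
Connect-ExchangeOnline -UserPrincipalName $Upn

# Archiving is off by default. This is the same switch as
# "mailbox features > archiving" in the admin center, and it is idempotent here.
if ((Get-Mailbox -Identity $Upn).ArchiveStatus -ne 'Active') {
    Enable-Mailbox -Identity $Upn -Archive
}

# --- 3. Verify: ArchiveStatus should read 'Active' ---
Get-Mailbox -Identity $Upn |
    Select-Object DisplayName, PrimarySmtpAddress, ArchiveStatus, ArchiveName

Disconnect-ExchangeOnline -Confirm:$false
```

Run the verification step again after a few minutes if `ArchiveStatus` still shows `None`; license provisioning can lag behind the assignment, and the archive cannot be enabled until the Exchange Online plan has finished provisioning.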
How's it going so far?
You've spent a lot of time setting up your account. You're almost ready to send your first email, but you're not quite there yet. You need to set up a few more things to make sure your account is secure. Microsoft has created a guide with all the details: HIPAA/HITECH Act Customer Considerations for Microsoft Office 365 and Microsoft Dynamics CRM Online
Beware. This guide is not for the faint of heart.
Sadly, you still need to dig through a lot of technical information to find what's important to your practice.
You're ready to send your first encrypted email!
1. Open up Outlook by clicking on the Outlook icon in the left-hand menu. If you've assigned the correct licenses, this icon should be there now.
2. Once you're in Outlook, click on "New message."
3. Then click "Encrypt" at the top. You can do this before or after you compose your message. You should consider doing it first, so you don't forget.
Outlook shows a banner in the compose window confirming that the message will be encrypted.
When you send the message, your client will receive an email with a link to view it on a secure web page.
Rather than delivering the body as a regular email, Microsoft keeps the encrypted content on its own servers and sends your client a notification with a link to it. If your client has a Microsoft 365 or Microsoft account, the message opens and can be replied to from their own mailbox, just as they would with any email.
If they don't, they'll sign in with their Google account or request a one-time passcode sent to the same address, then read and reply in Microsoft's encrypted message portal. The protection therefore rests on that recipient authentication: whoever controls the recipient's mailbox can read the message, so the address you type matters as much as the Encrypt button.
Finally, you've done it! You can read more about how Outlook encryption works here.
Keep in mind that turning on encryption doesn't automatically make an email HIPAA compliant. The subject line is not encrypted and travels in the clear, so never put a client's name, diagnosis, or other sensitive details there, and always confirm you're sending to the right person before you click Send.
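Two things a practitioner will want to check after the first encrypted send: that the encryption service behind the Encrypt button is really enabled for the tenant, and that a forgotten click can't let client information leave unencrypted. The script below is an added example for this article, not Microsoft's or the page author's code. It assumes the ExchangeOnlineManagement module, an Exchange administrator sign-in, and two placeholder addresses (`matthew@yourpractice.com` and `client.example@gmail.com`); the mail flow rule it adds goes beyond the article's manual Encrypt step by applying the built-in `Encrypt` template to every message addressed outside your organization.

```powershell
# Added example: verify Microsoft Purview Message Encryption and enforce it on
# all outbound external mail so encryption does not depend on remembering to click.
$AdminUpn     = 'matthew@yourpractice.com'        # assumption: your admin/mailbox account
$ExternalTest = 'client.example@gmail.com'        # assumption: any address outside your tenant
$RuleName     = 'Encrypt all mail to external recipients'

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# 1. Is the tenant's encryption service switched on? Both values should be True.
Get-IRMConfiguration |
    Select-Object AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled

# 2. Exchange's own end-to-end self-test for one sender/recipient pair.
#    Look for "OVERALL RESULT: PASS" in the output before relying on the Encrypt button.
Test-IRMConfiguration -Sender $AdminUpn -Recipient $ExternalTest

# 3. Mail flow rule: anything addressed outside the organization gets the
#    built-in 'Encrypt' template ('Do Not Forward' is the other built-in choice).
#    Creating the rule is skipped if it already exists, so the script is safe to rerun.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SentToScope NotInOrganization `
        -ApplyRightsProtectionTemplate 'Encrypt' `
        -Comments 'Added so client information cannot leave unencrypted if Encrypt is not clicked.'
}

# 4. Confirm the rule exists and is enabled.
Get-TransportRule -Identity $RuleName |
    Select-Object Name, State, SentToScope, ApplyRightsProtectionTemplate

Disconnect-ExchangeOnline -Confirm:$false
```

The trade-off of step 3 is that every outside recipient, not just clients, now goes through the secure link or one-time passcode flow; if that is too broad for your practice, narrow the rule with a condition such as `-SubjectOrBodyContainsWords` on a list of terms you use for client correspondence. Note that the rule, like the Encrypt button, leaves the subject line unencrypted.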
Also, don't forget that getting a BAA doesn't automatically mean HIPAA compliance. It depends on how you use the service.
Worried you'll miss something? We put together 6 quick tips to ensure your emails are truly HIPAA compliant.
Enter your name and email, and we'll send them to you right away.
Now that we've gone through how to make Outlook HIPAA compliant, let's take a look at the pros and cons.
There are advantages to using Outlook that might make the extra effort to make it HIPAA-compliant worthwhile.
However, there are several disadvantages to using Outlook as well.
Microsoft has been around for a long time and offers a stunning array of tools and services for everyone. But it wasn't built just for healthcare. The specific tools and information you need for your practice can be difficult to find when they're mixed in with everything else. Just think about how hard it was to find the BAA.
Microsoft wasn't built for healthcare, and it doesn't provide healthcare-specific features. Such as practice forms. You do get forms with your Microsoft 365 account, but they don't include templates for the forms you need, like intake forms or Good Faith Estimates. You use a lot of forms, and it would be nice to have these included!
The language in the Microsoft HIPAA compliance guide and on the website is confusing and not written for a healthcare practitioner running a busy practice. You can make your account HIPAA compliant, but the setup is complicated, and there isn't an easy-to-understand cheat sheet. We did our best to make one for you (this blog post).
If you want a more professional email address than the default onmicrosoft.com address, you'll need to use your own domain (like yourpractice.com).
This usually means purchasing a domain and connecting it to your Microsoft 365 account.
One more thing: the advertised Microsoft 365 price requires an annual commitment, so once the 30-day trial ends you're committed for a year. Month-to-month flexibility is not part of the standard plan.
Setting up Outlook for HIPAA compliance can take time, and there are several steps to manage along the way.
Because of this, many healthcare professionals choose a simpler approach.
They continue using Outlook for everyday communication, and use Hushmail for sending secure messages and forms.
Hushmail is built for healthcare, so you don't need to worry about configuring encryption, archiving, or compliance settings yourself.
As regulations change, Hushmail continues to update its tools to help healthcare practices stay compliant, so you don't have to keep up with every new requirement on your own.
If you ever need help, you can reach a real person who understands healthcare and can guide you through it.
Take a look at some of the advantages of using Hushmail:
Hushmail for secure client communication alongside Outlook:

| | Hushmail for Healthcare | Outlook (Microsoft 365) |
|---|---|---|
| Business Associate Agreement | ✓ Included | ✓ Available (you have to find and accept it) |
| Message delivery | Secure link | Regular email, or secure link when you click Encrypt |
| HIPAA compliance setup | ✓ Included | Requires configuration |
| Secure healthcare form templates | ✓ Included | ✗ Not included |
| Built-in e-signatures | ✓ Included | ✗ Not included |
| Customer support | Real people who understand healthcare | Standard support |
| Trial | 14-day free trial | 30-day free trial |
| Cost | Starts at /month | Starts at $22/month with an annual commitment |
It's a bit confusing. Office 365 was the older name for Microsoft's subscription service; in 2020 most Office 365 plans were renamed Microsoft 365. The Office apps (Word, Excel, Outlook, and so on) are now simply part of a Microsoft 365 subscription.
No. Office is a collection of productivity applications that includes the email app called Outlook. You can get it as a one-time purchase that lets you install the apps on one computer. Or you can get Office as part of a Microsoft 365 subscription, which offers more flexibility and access to upgrades.
No. As Microsoft clearly states, "By offering a Business Associate Agreement, Microsoft helps support your HIPAA compliance. However, using Microsoft services does not, on its own, achieve HIPAA compliance. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with your obligations under HIPAA and the HITECH Act."
Outlook can be made HIPAA compliant, but it takes time and careful setup.
For many healthcare professionals, it's easier to keep using Outlook for everyday communication and use a separate solution for sending sensitive information.
Hushmail is designed for secure messaging and forms, so you can send messages and forms without configuring encryption or managing compliance settings yourself.
This approach lets you keep the tools you're familiar with while ensuring your client communication stays protected.