This week on the HIPAA Vault Podcast, we talk about the HIPAA compliance of Outlook!
Transcript:
Adam
Hello and welcome to the HIPAA Vault Show, where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine and I’m joined today by CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil.
Gil
Hey, Adam. Looking forward to another episode?
Adam
Yeah, I’m looking forward to getting into this. So, last week we talked about HIPAA when it comes to Gmail, and is Gmail HIPAA compliant? Today we’re going to talk about Microsoft and specifically Office 365 Outlook. And is that HIPAA compliant? So, a little bit of an intro. Email is obviously a vital tool in modern communications and in the healthcare industry. It plays a crucial role in sharing important information with patients and medical providers to improve the overall healthcare outcomes. However, when it comes to choosing the right email platform, the question of HIPAA compliance often arises. And as a HIPAA compliance service provider ourselves, we frequently receive questions about what’s the best email platform when it comes to HIPAA compliance and security. So, yeah, last week we talked about Gmail, this week we’re talking about Outlook.
Adam
And let’s dive into the question of is Outlook HIPAA compliant? So, Gil, can we unpack this a little bit? Maybe talk about what are the key requirements when it comes to email in general and security for HIPAA?
Gil
Sure, that’s a good place to start, Adam. For email, in order to be considered HIPAA compliant, the data needs to be protected, and the base technology for protecting information is encryption. And that encryption needs to be enabled to ensure that the data is going through an encrypted pipeline. So that’s one area that’s very important. The other one is the retention. HIPAA requires that patient information be held for so many years, depending on the state you’re in. So traditionally, or at minimum, I’d say, is six years. You want to hold the data for at least six years, but again, check with your state regulators. But you need to have email retention policies that will retain that email long enough. And so that’s another important feature. And then thirdly is the two-factor authentication, to make sure that’s enabled and working so that you have the adequate protection.
Adam
Okay. And when it comes to Outlook specifically, I’m feeling that this isn’t going to be a simple yes or no answer, but does Outlook fulfill these requirements when...
Gil
...it comes to, you know, all things Microsoft? Adam, there is a myriad of licensing. You can get lost. I mean, there are literally consultants. All they do is consult on licensing. So can you imagine your whole life dedicated to understanding licenses? So, in the Outlook and Microsoft world, they sell different levels of licenses that allow you to have different features. So there’s a license that enables retention and archiving, and I think... do you know the name of that license? The actual name of it?
Adam
Yeah, I think it’s called AIP, Azure Information Protection.
Gil
That’s right. Okay, and that one is specific for...
Adam
Yeah, it allows me to configure the retention of how long the emails are going to be archived for, and then it also handles things like... it allows you to encrypt the email.
Gil
Okay. Now on top of that, there’s another license that I know that you work with all the time. So besides AIP, what’s the name of the other license?
Adam
The other licenses typically depend on... There’s Exchange Online Archiving. That’s another one. So there’s AIP, which handles the security aspects. And then there’s Exchange Online Archiving, which is a license for actually having the storage for the emails. And then the third one is basically what kind of software you’re going to get. So are you just going to get Outlook on its own, or are you going to get Outlook with all the apps? Do you want Word, Excel, or do you want even more fancy apps like Power Apps and things like that?
Gil
You’re saying there are three licenses, and one of them, the last one you mentioned, doesn’t seem like it has a lot to do with whether it’s HIPAA or not. It has more to do with what applications you have available, say, in the cloud. But the other two licenses you mentioned earlier, the AIP, Azure Information Protection, and the other one, seem pretty important.
Adam
Yeah, when we’re configuring these licenses, we make sure that they’re included by default. Regardless of what kind of apps the customer wants to use, whether it’s Outlook or Word or Excel, et cetera, we make sure that AIP is included for HIPAA compliance. I think also important to note is that when you’re using an email, and this goes for Outlook, Gmail, any other email, you want to have it set up at a private domain instead of @gmail.com, your standard or Outlook.com email address. You would need to have it @yourdomain.com for security purposes. Do you have any insight into that, Gil, as to what it is technically on the back end, why you can’t use a @gmail.com or an Outlook.com email address? Is it something to do with how that information is being stored or transferred?
Gil
Well, I know we talked about last week how in Gmail, for example, you can’t use the @gmail.com free domain. You have to purchase a domain, a private domain as you called it, Acme.com or whatever; you have to purchase that and have that enabled. I mean, technically speaking, any domain can be made HIPAA compliant, but it has more to do with the policies of the owner of that domain. So in the case of these big companies, they decide not to; their free service is going to be limited. They don’t want to provide compliance type of services.
Adam
That brings us on to the BAA. Right, sure. So we offer a BAA when we’re assisting customers, but in turn we have a BAA with the software provider like Microsoft or Google. Yeah, that’s right.
Gil
Right. So I think it behooves our audience to select a provider. When you go with emails, try to do it yourself. Our audiences are either healthcare developers of apps or healthcare professionals. And frankly, it’s just not worthwhile for you to try to go figure all this out. It’s not worth your time. You really should pick a company and go with them, because they will provide the BAA. They’ll enable all the things in the back end. They’re there for you as frontline support in case something goes wrong or you have questions. Of course, in email, we’re talking about costs that are fairly minimal, unlike in the cloud hosting world; that’s a different ballgame. It could cost a lot more. But for email especially, a lot of customers just have two or three email boxes for their whole practice.
Gil
And so that’s a pretty small amount of money. And it’s really better to go with the company that knows what they’re doing. So it’s just peace of mind, right?
Adam
And then on that point, to our audience, whether you’re listening or watching, if you have any questions, you can reach out to us at podcast@hipaavault.com, check out our website and you can chat with us at hipaavault.com, or you can tweet us at HIPAA hosting. Gil, were there any other considerations that we wanted to mention for Microsoft specifically?
Gil
Well, I think the way the encryption and protection works is flexible, and the audience should at least be aware of that flexibility. So for Outlook, it’s possible to encrypt the email based on a keyword in the subject. So let’s say you’re writing an email; in the subject, you put the word “encrypt,” and then you put the subject, and then you write your email. So the system will know that when it sees that keyword in the subject, it’ll trigger the encryption and the protection. That’s one way to do it. The other way to do it is to say, well, I want my whole domain, Dr. Smith.com, to be protected all the time. So then you don’t have to worry about putting a keyword in the subject. And the third way to do it is to say, well, anytime we send an email to StJosephhospital.com, anyone at StJosephhospital.com, those all must be encrypted. So you’re doing it by the recipient’s domain. Now, there’s many ways to configure it, and I think that flexibility could be important to some of the...
Adam
So the AIP as well. The AIP license is going to help with that kind of configuration. But like you said, Gil, you don’t have to worry about that. If you reach out to us, we can set this up for you. Sorry, did you have anything else?
Gil
Yeah, just the Exchange. Just to clarify, if you could go through that again for our audience. So you talked about the Azure Information Protection license, and then you also talked about Archiving.
Adam
Yeah, Exchange Online Archiving, as the name would suggest. It’s online archiving for the emails that are being... for your email inbox, basically. So you’ve got your main email inbox that stores your emails, and then you have an archive of those emails, which for HIPAA is really important.
Gil
Okay.
Adam
A couple of years down the line, if you need to reproduce some documents from a patient record, you can do that easily with the email archiving.
Gil
Okay. Yeah. And email sounds simple: I just get on my computer, send email. But on the back end there’s a lot of moving parts, a lot of technology. And that’s the way technology is supposed to work, right? That’s the whole idea about technology. It might be very complex, but when it works, it just feels right. And email is like that too. You find a good provider and then it seems very smooth and it just seems to work. But that’s important. We want to have peace of mind in terms of that. Security ready?
Adam
Absolutely. Well, I think we’ve covered a fair amount there as to whether Outlook is HIPAA compliant. Please make sure to subscribe, leave us a review wherever you’re watching or listening. And until next time, thanks for stopping by.