What Are the Top Office365 HIPAA Mistakes?

Office365 is a fantastic product, and it can certainly be HIPAA-compliant. But only if you take the time to set everything up the right way for the organization. 

Here are the top Office365 HIPAA mistakes that we see organizations make: 

Free Outlook.com is not HIPAA compliant! Unfortunately, Microsoft’s HIPAA Business Associate Agreement (BAA) doesn’t cover their free email. That means there’s no way to make your free Outlook.com compliant with HIPAA. Let me mention that using free email is also unprofessional.

Rushing through the setup. A proper Office365 configuration takes around 3 to 5 hours to set up to meet compliance with industry best practices. If you didn’t spend a similar amount of time, there’s more work to do.

Don’t mess up the HIPAA BAA. Did you even read the Microsoft BAA? I doubt it… The BAA is the FIRST step to being HIPAA-compliant. A lot of practices don’t read the BAA, which legally obligates you to make quite a few other changes. You didn’t know that, did you? 

Setting up secure email. Just because you bought the secure email package does not make you HIPAA compliant. Sorry, no. Secure email is just one small step in making Office365 HIPAA-compliant.

Logging must be configured. HIPAA mandates that you have logging enabled, and this is also required for email. We need to know who accessed what, just in case of a rogue insider or a breach.

Archiving and backup are a must-have. Under the Security Rule, healthcare organizations have to retain electronic communications containing PHI for a minimum of six years.
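The logging and retention points above can be checked from an admin session rather than by clicking through the portal. The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, that `admin@example.com` is a placeholder for a tenant admin with the Exchange and Compliance roles, and that the 2190-day figure is simply 6 x 365 days.

```powershell
# Added example: verify that Office365 audit logging is on and that a
# six-year retention policy exists. Assumes the ExchangeOnlineManagement
# module; admin@example.com is a placeholder tenant admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 1. Tenant-wide unified audit log: the record of who accessed what.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF - enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing: confirm it was not disabled org-wide, then catch any
#    individual mailboxes that were opted out.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled org-wide - re-enabling."
    Set-OrganizationConfig -AuditDisabled $false
}
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object {
        Write-Warning "Mailbox auditing off for $($_.UserPrincipalName)"
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true
    }

# 3. Spot check that mail access events are actually being recorded
#    (the MailItemsAccessed operation depends on the tenant's audit licensing).
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) -Operations MailItemsAccessed -ResultSize 100
"$($events.Count) MailItemsAccessed events recorded in the last 7 days"

# 4. Retention: keep all mailbox content for six years (2190 days, assumed
#    as 6 x 365) through a Security & Compliance retention policy.
Connect-IPPSSession -UserPrincipalName admin@example.com
if (-not (Get-RetentionCompliancePolicy -Identity "PHI-6yr" -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name "PHI-6yr" -ExchangeLocation All -Enabled $true
    New-RetentionComplianceRule -Name "PHI-6yr-rule" -Policy "PHI-6yr" `
        -RetentionDuration 2190 -RetentionComplianceAction Keep
}
```

Note that the retention policy covers the mail itself; the audit log has its own, much shorter retention window, so export or forward audit records separately if you need them to be available for an investigation years later.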
Ignoring HHS security guidance. A lot of people don’t realize that HHS has published detailed cybersecurity and ransomware guidance. You can use it to make your Office365 configuration meet compliance.
