Is Microsoft Teams HIPAA Compliant?

Many still seem to wonder and ask what is Microsoft Teams and is this software questionable for use? This includes compliance and security officers in the Healthcare industry leading them to ask is this HIPAA Compliant? However lets go back to the basics, Microsoft Teams is a cloud platform that combines workplace chat, meetings, notes, and attachments. Microsoft Teams is Microsoft’s was created to be the competitor to Slack and Google Hangouts Chat.

Microsoft Teams and the Business Associate Agreement

I have previously mentioned that their is a office365 Business Associate Agreement which is the written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

I have checked Microsoft’s site and found a page called:

 

Microsoft Teams Security Features

Certification and Compliance

Microsoft created Teams to be fully Office 365 Tier-C compliant, covering such essential standards and models as SOC 1, SOC 2, ISO 27001, and HIPAA. Regarding SOC 2 specifically, Microsoft has this to say:

“SOC 2 is an auditing procedure that … securely manages your data to protect the interests of your organization and the privacy of its clients. ISO 27001 is a security standard that is intended to bring information security under explicit management control. It is one of the most widely recognized certifications for a cloud service. And today, we are proud to join the family of Microsoft cloud services in scope for SOC 2/ISO/IEC 27001.”

While certifications and compliance’s aren’t necessary “features,” the fact that Teams is built to handle data in compliance with standards such as HIPAA means that they take data integrity seriously.

Authentication

Unlike Slack, Microsoft offers many different types of authentication protocols making it harder for external and unauthorized users to gain access. These include organization-wide two-factor authentication, or a single-sign on through Active Directory.

Encryption

Although Microsoft Teams encrypts user data in-transit and at rest, the key difference lies in how this process is controlled. Microsoft uses Active Directory to manage much of these functions which allows IT departments more direct control over their security. As another layer of protection.

Auditing and Reporting

Microsoft Teams offers support for audit log searches within the Office 365 Security and Compliance Center, a critical security feature that is required by HIPAA security. This Auditing and Reporting Feature enables system administrators to quickly identify potential incidents. System Administrators can also set alerts for either workload-specific or generic events and incidents. 

Data Location

Your Microsoft Teams physical data will be located in a datacenter based on your region. This is especially important if you live in an area with stricter data security regulations teams has the flexibility to adjust controls. Microsoft Teams currently supports regional data allocation (using Azure) for users located in the Americas, United Kingdom, Europe Middle East and Africa (EMEA), and APAC.

Customization and Access Permissions

Microsoft Teams allows system administrators to get into the nitty gritty of customization options to make your deployment as secure as you need it to be. Teams automatically confers two security levels to users: Owners and Members. Any user, by default, who creates a new group is considered to be the Owner, and therefore has access to a flexible range of control settings for group members that sets restrictions on everything from viewing content to adding connections, this gives them the opportunity to create a highly-structured control environment over how users access and share data.

In Conclusion

Microsoft Teams is HIPAA compliant capable however you will have to go and time the time to read the BAA and go through all the configurations properly and avoid the mistakes that could come back and bite you during any sort of auditing. 

Leave a Reply