HIPAA/HITECH Act Implementation Guidance for Microsoft Office 365 and Microsoft Dynamics CRM Online



Similar documents
Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

HIPAA/HITECH Compliance Using VMware vcloud Air

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Microsoft Online Subscription Agreement/Open Program License Agreement Business Associate Amendment Amendment ID MOS13

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

The CIO s Guide to HIPAA Compliant Text Messaging

Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII)

Account Restrictions Agreement [ARA] - Required by LuxSci HIPAA Accounts

Overview of the HIPAA Security Rule

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

HIPAA Business Associate Agreement

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

SCDA and SCDA Member Benefits Group

Microsoft Online Services - Data Processing Agreement

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

HIPAA and HITECH Compliance for Cloud Applications

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service

Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products?

efolder White Paper: HIPAA Compliance

HIPAA Compliance Guide

SOOKASA WHITEPAPER HIPAA COMPLIANCE.

My Docs Online HIPAA Compliance

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

HIPAA Privacy & Security White Paper

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Safeguard Protected Health Information With Citrix ShareFile

The Impact of HIPAA and HITECH

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

New HIPAA regulations require action. Are you in compliance?

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

OCR/HHS HIPAA/HITECH Audit Preparation

BUSINESS ASSOCIATE AGREEMENT. Recitals

Network Detective. HIPAA Compliance Module RapidFire Tools, Inc. All rights reserved V

HIPAA PRIVACY AND SECURITY AWARENESS

Datto Compliance 101 1

Vendor Questionnaire

Can You be HIPAA/HITECH Compliant in the Cloud?

HIPAA DATA SECURITY & PRIVACY COMPLIANCE

University Healthcare Physicians Compliance and Privacy Policy

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

HIPAA Privacy & Security Training for Clinicians

HIPAA Compliance Guide

Securing the Cloud Infrastructure

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Somansa Data Security and Regulatory Compliance for Healthcare

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

HIPAA and HITRUST - FAQ

Well-Documented Controls Reduce Risk and Support Compliance Initiatives

Protecting Data and Privacy in the Cloud

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

Top Ten Technology Risks Facing Colleges and Universities

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

CHIS, Inc. Privacy General Guidelines

Authorized. User Agreement

HIPAA BUSINESS ASSOCIATE AGREEMENT

Closing the Security Gap Extending Microsoft SharePoint, OCS, and Exchange to Support Secure File Transfer

HIPAA BUSINESS ASSOCIATE AGREEMENT

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

Business Associate Management Methodology

Managing Office 365 Identities and Services 20346C; 5 Days, Instructor-led

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Course 20346: Managing Office 365 Identities and Services

Managing Office 365 Identities and Services

COMPLIANCE ALERT 10-12

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

This form may not be modified without prior approval from the Department of Justice.

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR Court Reporters and HIPAA

Healthcare Compliance Solutions

Implementing HIPAA Compliance with ScriptLogic

HIPAA PRIVACY OVERVIEW

Solutions Brief. Citrix Solutions for Healthcare and HIPAA Compliance. citrix.com/healthcare

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

Transcription:

HIPAA/HITECH Act Implementation Guidance for Microsoft Office 365 and Microsoft Dynamics CRM Online HIPAA 1 and the HITECH Act 2 are U.S. laws that govern the security and privacy of personally identifiable health information stored or processed electronically. This information is referred to as electronic protected health information (ephi). HIPAA refers to healthcare providers, payors and clearing houses that use or process ephi as covered entities. Under HIPAA and the HITECH Act, covered entities must implement mandated physical, technical and administrative safeguards to protect ephi. Certain service providers that store or process ephi on behalf of covered entities are called business associates. Covered entities must ensure that their business associates implement similar security and privacy safeguards. In most circumstances, for a covered healthcare company to use a service like Microsoft Office 365 or Microsoft Dynamics CRM Online, where ephi would be stored or processed, the service provider will be a business associate and must agree in writing to implement required safeguards set out in HIPAA and the HITECH Act. This written agreement is known as a business associate agreement (BAA). This guide was developed to assist customers who are interested in HIPAA and the HITECH Act in understanding the relevant capabilities of Microsoft Office 365 and Microsoft Dynamics CRM Online. The intended audience for this guide includes HIPAA administrators, legal staff, privacy officers, and others in organizations responsible for compliance with HIPAA and the HITECH Act, and implementation of physical, technical and administrative safeguards for protection of ephi. Although Microsoft Office 365 and Microsoft Dynamics CRM can help enable compliance, the ultimate responsibility for using our service and end-to-end compliance with HIPAA and the HITECH Act remains with the covered entity. 1 The Health Insurance Portability and Accountability Act of 1996. 2 The Health Information Technology for Economic and Clinical Health Act. 1

Sections below include: - Microsoft Office 365 and CRM Online Services for Consideration - Responsibilities of the Covered Entity - Signing Business Associate Agreements - Evaluating Service Security and Applying it to a Compliance Program - Understanding ephi on the Service - Procedures for Administrative Access - Handling Security Breaches - Checklist: Five Things To Do - Additional Information Microsoft Office 365 and CRM Online Services for Consideration HIPAA support is currently built into and offered for the following services ONLY: Microsoft Office 365 Plans A1, A2, A3, A4, E1, E2, E3, E4, P1, K1, K2; Exchange Online Plan 1, Plan 2 and Kiosk; Exchange Online Archiving; SharePoint Online Plans 1 and 2; Office Web Apps Plans 1 and 2; and Lync Online Plans 1 and 2. Microsoft Dynamics CRM Online sold through (i) Volume Licensing Programs, including but not limited to volume Licensing SKUs such as DynCRMOnln ALNG SubsVL MVL PerUsr (DSD-00001); and (ii) the Dynamics CRM Online Portal. Dynamics CRM Online Services does not include the Dynamics CRM Mobile Service. Responsibilities of the Covered Entity It is possible to use Microsoft Office 365 and Microsoft Dynamics CRM Online in a way that complies with HIPAA and HITECH Act requirements. However, customers are responsible for their own end-to-end compliance, as Microsoft does not analyze the contents of its customers data, including what ephi Microsoft processes. This means each customer should have its own processes and policies in place to ensure its personnel do not use Microsoft Office 365 and Microsoft Dynamics CRM Online in a way that violates HIPAA and HITECH Act requirements. 2

For example, a HIPAA covered entity may store a patient s ephi on a Microsoft service in a HIPAA-compliant manner. But if a doctor at that covered entity sends the ephi through Exchange Online to a marketer without the patient s permission, the covered entity may violate HIPAA. The subsequent sections are designed to assist you in using the service appropriately, minimizing the risk of non-compliance with HIPAA. Signing Business Associate Agreements To help comply with HIPAA and the HITECH Act, customers may sign written agreements with Microsoft called business associate agreements or BAAs. Microsoft does not require customers to sign BAAs. For Microsoft Office 365 and Microsoft Dynamics CRM Online, customers that have purchased covered services through the Office 365 Portal may go to the HIPAA FAQ to find out how to sign a BAA. Larger customers under an Enterprise Agreement who have a Microsoft account manager may contact their account manager to discuss specifics of the BAA or to arrange to sign one. Customers signing the Enterprise Agreement version of the BAA must designate a HIPAA Administrative Contact. You must email MSO-HIPAA@microsoft.com and designate a HIPAA Administrative Contact after signing the BAA. If you do not do this, Microsoft may be unable to contact you for purposes as described in the BAA (e.g., to notify you in the event of a security breach involving ephi). Prior to signing, you should read this guide and the BAA in full and evaluate for yourself whether you wish to sign the BAA, and place ephi on Microsoft Office 365 and Microsoft Dynamics CRM Online. Again, it is ultimately your responsibility to evaluate whether our services match the requirements of your HIPAA implementation strategy, and to ensure your personnel use these services in a way that complies with HIPAA requirements. Evaluating Service Security and Applying it to a Compliance Program Many of the Microsoft Office 365 and Microsoft Dynamics CRM Online offerings are certified under ISO 27001 by independent auditors. The scope of our ISO 27001 audits includes HIPAA security practices as recommended by the U.S. Department of Health 3

and Human Services. To find out more about certifications for a particular service, you may consult the Microsoft Office 365 Trust Center and Microsoft Dynamics CRM Online Trust Center. Note: The following offerings do not currently meet all recommended security requirements. It is strongly recommended that customers not place ephi on these offerings: - Office 365 SharePoint Online Small Business offering (SKU P ) - Microsoft CRM Dynamics Online administered through means other than the Office 365 Portal. - Microsoft Dynamics CRM Mobile It is ultimately the customer s responsibility to determine the level of security that is appropriate for its requirements. A few specifics that you may wish to evaluate in your consideration of our security practices include the following: - Encryption at rest and in-transit: Microsoft applies encryption-in-transit to transfer of information outside of Microsoft facilities. Encryption-in-transit only applies to information that can be encrypted without interfering with standard internet protocols. This means packet headers and message headers are not encrypted in transit, since that would interfere with delivery of the information. It is strongly recommended that you train and instruct your personnel to follow industry-standard HIPAA security guidance to never put ephi in the from, to, or subject line of an email message. - Two Factor Authentication: Two-factor authentication is not available for customer authentication. Most services employ two-factor authentication for Microsoft s IT Operations team. If you wish to verify two-factor authentication practices on a particular service, you may contact Support to inquire about that service as described below. - Security Configuration: Many services have optional security configurations that allow customers to change security parameters. HIPAA covered entities may wish to set such parameters at their highest security levels. For additional information on managing your ephi to enhanced security, you will want to read the section below on the best ways to configure and use Microsoft Office 365 and Microsoft Dynamics CRM Online. 4

You may also reference the Information Security Policy or the Standard Response to Request for Information Security and Privacy to assist in determining whether the offered services are suitable for your use (current trial or paid customers only; prospective customers may inquire through Office 365 Support regarding reviewing this document). If you have a question about whether a specific security requirement is met for any service, you may contact Microsoft Support. Microsoft will make commercially reasonable efforts to provide the information requested unless providing information at the requested level of specificity would degrade service security. Microsoft Office 365 Support is located here. Microsoft Dynamics CRM Online Support is located here. Understanding ephi on the Service Microsoft processes enterprise customer data subject to detailed processes and controls for security, including ISO 27001 controls. Only certain data sets, however, are designated with the appropriate level of security and privacy to comply with the HIPAA security requirements, as described above. Microsoft strongly recommends that you train your personnel to input ephi only into the appropriately secured and designated areas. The following data-sets or repositories are suitable for uploading ephi: PHI Recommended Data Types Email body Email attachment body SharePoint site content Information in the body of a SharePoint file Lync presentation file body IM or voice conversations CRM entity records 5

Examples of data-sets or repositories not suitable for inclusion of ephi: Examples Include Email headers, including From, To *, or Subject Line Filenames (including filenames of any attachments or uploaded documents on any Service) URLs, or any public SharePoint websites Account, billing, or service configuration data Internet domain names (e.g., fabrikam.com ) User global address list or address book data (including user account holder s name, user name, contact information and address book data)** Support ticket information (information sent directly from customer to support for troubleshooting, or information you request be accessed for Microsoft technical support) * Since it is required for delivery, no email service, cloud or otherwise, will encrypt the to, cc, bcc, or subject lines of an email to a patient. This information will be available in-transit to multiple organizations. Your organization needs to evaluate on its own whether sending an email to a patient reveals ephi, where the rest of the message is not ephi or is encrypted. ** This means the service is likely unsuitable for your organization if you need to give user accounts to patients themselves. For example, the services may not be appropriate for a long-term care facility wishing to give its patients their own Exchange Online email accounts. 6

Procedures for Administrative Access One of the ways that Office 365 and Dynamics CRM Online assist you in controlling access to ephi is by tracking each instance of access to data stored in the data sets or repositories identified as suitable for ephi above. This includes access by Microsoft personnel, partners, or your own administrators. These access reports are available to the covered entity s administrators on request. Microsoft recommends you regularly review these access reports to validate that only approved/appropriate individuals have accessed ephi. For example, individuals designated as administrators have technical ability to access the Exchange Online mailbox of personnel in their organization. If a covered entity has established policies around when an IT administrator can enter into a doctor s mailbox, this report may assist you to verify that these polices are being followed. Instructions on how to obtain these access reports for different services on Office 365 and CRM Dynamics Online are available as on the following web-page in the Trust Center: http://www.microsoft.com/online/legal/v2/?docid=24 Handling Security Breaches Upon becoming aware of a security breach involving ephi, Microsoft will report this to all global administrators on the accounts, all global or technical administrators, or to the individual administrator acting as the HIPAA administrative contact. In addition, because Microsoft does not scan or otherwise interpret customers data stored in the services, Microsoft will likely be aware only that a repository appropriate for storage of ephi has been compromised. The customer will need to determine whether ephi was actually present in the data set subject to a security breach. Microsoft will report information it has developed on ephi involved in a security breach within 30 days of the breach. Microsoft relies on the customer to handle all notifications to affected individuals. For customers who purchase their service through the Office 365 Portals, the administrator who signed the BAA is by default the HIPAA Administrative Contact. To be HIPAA Administrative Contact, this individual should also be designated a Global or Technical Administrator on the account. 7

Customers signing the Enterprise Agreement version of the BAA, must write to MSO- HIPAA@microsoft.com and designate a HIPAA Administrative Contact after signing the BAA, as an additional step. In the event of a security breach, Microsoft cannot guarantee it will be able to contact customers that do not designate a HIPAA Administrative Contact. Customers may change their HIPAA Administrative Contact by writing to MSO- HIPAA@microsoft.com from the account of their prior HIPAA Administrative Contact or any Global Administrator on the account, and including their account name and domain, as well as the name and email address of the new HIPAA Administrative Contact. This person must also be designated the Global or Technical Administrator on the account. Microsoft may also report security breaches generally, at which point the administrators listed in your on-line account may also be informed. However, Microsoft may not report breaches other than to the individual administrator who signed the BAA, where applicable, or to the contact information you provide to MSO-HIPAA@microsoft.com, so it is important to keep that information up to date. Prior to sending a notification, Microsoft will work to contain the breach, analyze its impact, and assess the results. Depending on the nature of the breach, Microsoft may (a) provide customers a preliminary notification followed by subsequent details, or (b) wait until a full review has occurred and notify customers then. In either case, as stated above, Microsoft will notify customers within 30 days. 8

Checklist: Five Things To Do Evaluate: Make sure our security and privacy practices meet your requirements Sign-Up: o For SharePoint Online users requiring encryption-in-transit, make sure you have signed up for the Enterprise SKU. o After you sign-up for the Service, also sign the BAA. o Enterprise Agreement Customers: Designate your HIPAA Administrative Contact at MSO-HIPAA@microsoft.com. Access Control: o Turn on Exchange Administrator Access Tracking, to know when your administrators have accessed user accounts. (instructions) o Turn off CRM Mobile in CRM Dynamics Online. (instructions) o Periodically request and review access control reports for data repositories in which you store ephi Training: o Administrator Training: Train your administrators not to put ephi in address book, directory, or global address list information, nor provide or allow access to ephi during support services or troubleshooting with Microsoft. o User Training: Train your users not to put ephi in email headers, filenames, or public SharePoint sites. Make sure users understand not to email ephi to individuals who do not have the right to view that ephi. Establish Procedures: o Access Control: Make sure to review who has accessed user accounts, changed account passwords, or added themselves to shared resources. o Administrative Contact: As your personnel change, make sure you have updated Microsoft with your HIPAA Administrative Contact at MSO- HIPAA@microsoft.com. 9

Additional Information The following information is not HIPAA-specific, but may assist you in understanding security and privacy in the services more generally to help you plan your HIPAA implementation strategy. - Microsoft Office 365 Trust Center - Microsoft CRM Dynamics Online Trust Center - Microsoft HIPAA White Paper - Microsoft Office 365 Security Whitepaper - Microsoft Office 365 Standard Response Paper Cloud Security Alliance Registry - Microsoft Trustworthy Computing Data Governance Resources Disclaimer This guide is not intended to constitute legal advice. Customers should consult with their own legal counsel regarding compliance with HIPAA, HITECH Act, and other laws and regulations applicable to their particular industry and intended use of Microsoft Office 365, Microsoft CRM Dynamics Online, and other Microsoft products and services. Microsoft makes no warranties, express, implied, or statutory, as to the information in this document. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information