Does Outlook with Office365 Comply with HIPAA Regulations?

Healthcare organizations need to be extremely careful when sending Electronic Protected Health Information (ePHI) across a standard email platform these days. If you choose to disregard HIPAA regulations, dire consequences will follow.

Minimum & Maximum Fines

Deliberate violations of HIPAA laws carry a minimum fine of $50,000, and the maximum for an individual could be upwards of $200,000. So, the big question here is… does Outlook with 365 conform to the laws of HIPAA? Not exactly, but it can be! A basic purchase of the platform, even with a signed BAA, could leave you sending emails that are NOT compliant with HIPAA regulations.

Here’s What You’ll Need To Comply With HIPAA:

First, you’ll want to purchase the “Office Message Encryption” add-on from Microsoft. This is an additional service you can add to your Outlook email account that’s built on Microsoft Azure Rights Management (Azure RMS). It is part of Azure Information Protection. This includes encryption, identity, and authorization policies to help secure your email.
Second, you’ll want to find a third party that offers HIPAA compliant email encryption, such as NeoCertified. NeoCertified is an email encryption platform offering an Outlook plug-in you can use to send data-sensitive emails through Outlook. You can purchase your secure email account at ; once purchased, go to to access your secure portal. You can then download our Outlook plug-in to start sending secure emails through your Office365 email account.

You May Need A BAA In Place To Comply With The Regulations Of HIPAA

Third, if you are unfamiliar with it, you may need a BAA in place to comply with the regulations of HIPAA. A BAA is a Business Associate Agreement that every healthcare organization or other establishment dealing with ePHI must have to comply with the regulations of HIPAA and email. If you are a business that uses a third party to secure your clients’ emails, you may need to have a BAA in place with your associated provider.
Another requirement for keeping your business in line with the regulations surrounding HIPAA is to have an email archival service in place. Email archiving is used to store personal records and sensitive information so that all emails to and from an individual can easily be searched.

Always Take The Necessary Measures To Comply With HIPAA

Taking the necessary measures to comply with the regulations of HIPAA is very important to avoid fines and other lawful actions from the Department of Health and Human Services’ Office for Civil Rights (OCR). Since the introduction of the HIPAA Enforcement Rule in March of 2006, the OCR has had the right to investigate any associated entity that deals with sending and receiving ePHI. Complying with the laws of HIPAA can definitely be a tricky matter, so it’s important to do your research before you start sending and receiving unencrypted emails that contain ePHI. The most important factors in complying with the regulations of HIPAA and email are to protect your clients’ information and to implement the correct security measures for making sure a person is who they say they are. Using two-factor authentication is a great way to protect the security of an individual’s information, and urging them to regularly update their login password is crucial to avoid data breaches.
