Is Microsoft Teams® HIPAA Compliant for Telehealth?

Over the last two years, the US government has relaxed regulations covering the use of video conferencing software for telehealth in an effort to facilitate the increased number of online doctor appointments. New guidelines¹ on HIPAA requirements, which modified HIPAA’s Privacy Rule, were released by the Department of Health and Human Services (HHS) in early 2020.
Previously, the requirements dictated that healthcare organizations could only use HIPAA-compliant video conferencing tools for telehealth sessions. However, the Office for Civil Rights began allowing healthcare professionals to use previously disallowed video conferencing tools to provide telehealth as an emergency response to the COVID-19 pandemic.
In the wake of these regulatory changes, organizations have rushed to find a reliable telehealth software provider that meets adequate security standards, all the while navigating confusing messaging regarding whether certain major telecommunications platforms, such as Microsoft Teams®, are HIPAA compliant or not.

Comparing Microsoft Teams® Free & Paid Versions for HIPAA Compliance

With the marked increase in the adoption of video conferencing apps by healthcare organizations, you may be asking yourself: Is Microsoft Teams® HIPAA compliant? The base version of Microsoft Teams® is not a HIPAA-compliant telehealth solution. In a recent white paper² by Microsoft, the company says that users of the Microsoft 365 Cloud® platform, of which Microsoft Teams® forms a part, can configure the software to help enable HIPAA security compliance. The white paper explains how to configure Microsoft Office 365® and Microsoft Teams® to achieve compliance with HIPAA’s rules for covered entities. A signed HIPAA Business Associate Agreement (BAA) is also required before any entity can start using Microsoft services to store ePHI.

However, it is the responsibility of the covered entity to ensure that its use of Microsoft Teams® or other software complies with HIPAA rules. Microsoft itself warns in the white paper that incorrect configuration of its software can lead to HIPAA violations. Note that the tools needed to configure Microsoft 365® and its components to meet HIPAA-compliant standards are either paid modular add-ons (adding between $2 and $10 to the subscription price per user per add-on, at the time of writing) or part of Microsoft 365 Enterprise E5® (the most expensive and comprehensive package, $57/month per user at the time of writing).

When implementing a HIPAA-compliant video conferencing solution, patients should also be required to complete the necessary patient consent forms and agreements. Commonly used consent forms and agreements for online patient portal and telehealth platforms include:

Is Microsoft Teams® HIPAA compliant?

If healthcare providers want to make sure that they are safely following all HIPAA rules regarding security and privacy, they should reconsider the use of the free-to-use version of Microsoft Teams® as a HIPAA-compliant telehealth software.

While Microsoft Teams® can be configured via premium add-ons or using the Enterprise E5 version, organizations should carefully consider the total and long-term expenses, especially if the upgraded licenses are only required by some users in the domain.


While Microsoft Teams® is not certified by the HHS, experts say this is due more to the fact that HHS does not certify software solutions than to any compliance issues with the software itself. In fact, Microsoft offers a BAA³, under which Teams counts as an in-scope service. However, the provider is responsible for ensuring HIPAA compliance as it pertains to use of the software.

Microsoft Teams® is thus only HIPAA compliant within the correct configuration of the premium package – but there is a better alternative. Leveraging a comprehensive patient engagement platform that provides telehealth, and connects with other solutions along the care journey like scheduling and intake, provides more value to providers and a smoother experience for patients. Bridge’s telehealth solution does just that and is fully HIPAA compliant. The platform allows organizations to use a single platform for all their patient engagement needs, which streamlines workflows, increases patient satisfaction, and improves ROI. Contact us to learn how we can help you deliver a better patient experience with our leading HIPAA-compliant telehealth solution.

DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not affiliated, endorsed, or sponsored in any way to the service providers mentioned in this article.

  1. HHS (2022). Individuals’ Right under HIPAA to Access their Health Information. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
  2. Microsoft (2019). HIPAA COMPLIANCE MICROSOFT OFFICE 365 AND MICROSOFT TEAMS. [online] Available at: https://www.microsoft.com/en-us/microsoft-365/blog/wp-content/uploads/sites/2/2019/04/HIPAA-Compliance-Microsoft-Office-365-and-Microsoft-Teams.pdf
  3. Microsoft (2022). Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HITECH) Act – Microsoft Compliance. [online] learn.microsoft.com. Available at: https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech?view=o365-worldwide