Business Associate Agreements (BAA) and Microsoft Office 365
Note: This information has been updated; please visit our Microsoft Office 365 page.
Health and Human Services (HHS) defines a Business Associate as “any entity or person that is not directly employed by a provider, but who works with and on behalf of the provider and has access of the PHI of the provider’s patients.”
Examples of Business Associates include:
- Billing companies
- Collection companies and their attorneys
- Drug and medical suppliers
- Hosted Software and Cloud Service Providers
- IT and Computer techs
- Other Covered Entities performing BA services
For organizations utilizing Microsoft Office 365, a business associate agreement (BAA) is automatically executed with Microsoft for your organization upon activation of the license agreement and includes all covered services.
“For Microsoft cloud services: The HIPAA Business Associate Agreement is available via the Online Services Terms by default to all customers who are covered entities or business associates under HIPAA. See ‘Microsoft in-scope cloud services’ on this webpage for the list of cloud services covered by this BAA.” (Health Insurance Portability and Accountability (HIPAA) & HITECH Acts)
As of April 2, 2020, the following services are listed in scope of the agreement: “Office 365 Services, Microsoft Azure Core Services, Microsoft Dynamics 365 Core Services, Microsoft Intune Online Services, Microsoft Power Platform Core Services, and/or Microsoft Cloud App Security, each as defined in the “Data Protection Terms” section of the Online Services Terms incorporated into the Agreement; Microsoft Healthcare Bot; and any additional Azure online services and U.S. Government online services listed as in scope for this BAA on the Microsoft Trust Center at https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA (or successor site); excluding Previews.”
There is no signature or further action that needs to be taken for the BAA to be implemented. It is available and in place for all organizations who qualify. Please note that Microsoft Office 365 customers are not able to revise or alter the provided agreement. Organizations who are utilizing Microsoft Professional Services should reach out to their customer service representative for more information.
*Excerpt from Microsoft Office 365 BAA as of April 2, 2020
Intraprise Health and Microsoft ensure the safety and liability protection granted from using cloud and hosted service providers holding patient information. Like Microsoft, Intraprise Health provides Business Associate Management (BAM) to our clients to assist in the management of their business associate agreements and documentation. BAM allows full customization and management of BAA contracts for all vendors, including requesting proof of compliance. The BAM software is included in the cost of base HIPAA One® licensing at no extra charge.
We hope you will use these tools to help ensure compliance with HIPAA and protect your patient information.