The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires healthcare and health insurance organizations to protect the privacy and security of protected health information (PHI), including electronic PHI (ePHI). The 2009 HITECH Act added a breach notification rule to HIPAA, requiring full disclosure of PHI leaks to both government authorities and the patients involved. HIPAA violations can result in stiff fines and even criminal charges, as well as serious damage to the healthcare organization’s reputation. With Netwrix Auditor you’ll have the required Office 365 audit data readily available — and save valuable IT time to boot.
If your healthcare organization has adopted Office 365, your cloud environment must also meet HIPAA compliance requirements. Auditors will regularly require you to provide evidence that your security controls align with Office 365 HIPAA compliance requirements. In addition, all covered entities under HIPAA need to have business associate agreements (BAAs) in place with all business associates (BAs) that store of their physical and electronic PHI, including their cloud storage service providers. Each BAA should specify technical, administrative, and physical safeguards that should be implemented to maintain the integrity of PHI and prevent data leaks.
Netwrix Auditor can help you establish and maintain proper controls across your Microsoft Office 365 environment and easily prove your HIPAA compliance to auditors.
Each user’s permissions and security roles determine which actions they can perform in Exchange Online and SharePoint Online. Therefore, to prevent security incidents and violations of HIPAA, businesses have to control effective permissions by ensuring that rights are assigned on a need-to-know basis and they are not changed without proper authorization.
There are legitimate business reasons for authorizing a user to access someone else’s mailbox. Nevertheless, to secure email as required by HIPAA, you need to closely monitor the activity of those users, because they can misuse their privileges to copy regulated data or forward it to third parties.
Adopting cloud services changes the dynamics of an IT environment dramatically. If you use Office 365 and Azure AD and need to remain HIPAA compliant, you need to carefully monitor your SharePoint Online and Exchange Online environments for improper changes that could lead to security incidents.
Having a BAA with Microsoft is necessary for HIPAA compliance, but it’s not sufficient. Microsoft is a service provider; keeping your PHI secure is your responsibility. Therefore, you need to carefully watch for suspicious activity in both Exchange Online and SharePoint Online and regularly review your auditing data from different perspectives. During audits – internal and external - Netwrix Auditor’s out-of-the box HIPAA compliance reports will significantly cut time spent on reports preparation.