Microsoft Tightens Up Office 365 With HIPAA, EU Data Privacy Protection
Microsoft says it has added compliance to the U.S. Health Insurance Portability and Accountability Act (HIPAA) and European Union data privacy regulations in its Office 365 cloud office-productivity platform.
Under the HIPAA provisions in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, companies must report data breaches within 30 days, and the cloud version of Office 365 now features incident-reporting capabilities.
"When you have a cloud provider like Microsoft, we basically have to run that in parallel and make sure we can report to them any incident, so that they're made aware of it in a reasonable amount of time," Dr. Dennis Schmuland, chief health strategy officer at Microsoft, told eWEEK. Schmuland was named to his current position in a reshuffling of the company's health care IT leadership this past summer.
As required by HIPAA, Office 365 also allows "business associates" to sign contracts specifying how they will use health information and safeguard the data.
In addition to the U.S. privacy guidelines, Microsoft says Office 365 now also complies with the European Commission's Data Protection Directive, in which companies must establish "model clause provisions" to demonstrate that they will protect patient information.
Microsoft has drafted data processing agreements for EU health care customers that include a more detailed data processing agreement than the EU requires.
"We're setting the bar for data protection to help customers meet their compliance requirements," Schmuland said.
The Dec. 14 Office 365 news comes nearly a week after Redmond announced it will transfer a large part of its health care IT business into a joint venture with GE. The new company will develop an interoperable platform on which software vendors can develop clinical applications and embed Lync and SharePoint into the new software, Schmuland said.
"This announcement is a good example of how Microsoft is embedding health capabilities into our existing products and platforms to expand the use and to allow more innovation-so our commitment to health has never been greater," Schmuland said.
Meanwhile, Microsoft has also launched an Office 365 Trust Center site that includes details on privacy and security measures. The Trust Center provides "transparency" on how Microsoft tracks health information and specifies who has administrative access to the data.
Health care providers using Office 365 can now spell out their logging, monitoring, archiving and incident-reporting procedures in the cloud through Microsoft's data centers, rather than on-premise in the client versions of Exchange, Lync, Office and SharePoint, according to Schmuland.
"These are things [health care organizations] would ordinarily implement on-site," he said. "We've now implemented these in our data centers that support Office 365."
Physician practices use Office 365 applications such as instant messaging, document-sharing and video conferencing to collaborate with colleagues and patients in real time.
"We think that with Office 365, that gives these organizations a great platform to communicate and collaborate and work together in real time to deliver the highest quality of care and outcomes," Schmuland said.
Collaboration helps the health care industry transition from pay for service to pay for value, or outcomes (known as accountable care), Schmuland noted. Collaboration and communication lead to a reduction in medical errors, according to Schmuland.
With data breaches in health care rising, using collaboration tools to maintain better accountability for protected health information will be increasing useful, Schmuland suggested.
"We think it's timely for a platform like this that's cloud-based to allow people to work together and deliver better customer service," he said. "Most health environments today-they're really using older forms of communication and collaboration-they get paged and they have to go find a phone."