HIPAA requirements for email

What HIPAA Requires From Your Email System

Let’s break down the basics of what the HIPAA Security Rule demands from your email setup:

  • Encryption — In transit and at rest (messages must be protected both while being sent and while stored)
  • Access controls — Only authorized users can view emails with PHI
  • Audit trails — You need to log access and track activity
  • Data loss prevention (DLP) — Prevent emails with PHI from being accidentally sent
  • Retention policies — Keep data stored securely for set periods
  • Business Associate Agreement (BAA) — With Microsoft AND any other vendors involved

How to Make Microsoft 365 HIPAA-Compliant (Step-by-Step)

If you’re using Microsoft 365 — and you should be — it can absolutely meet HIPAA standards. But it takes some proactive steps:

1. Sign a Business Associate Agreement (BAA) with Microsoft

  • This is required for HIPAA-covered entities
  • Microsoft’s BAA is available in the Compliance Center

2. Enable Email Encryption

  • Use Microsoft Purview to turn on message encryption
  • Set rules that automatically encrypt messages containing PHI (e.g., messages containing words such as “patient” or “SSN”)

3. Set Up Multi-Factor Authentication (MFA)

  • Adds a second layer of login security
  • Meets HIPAA access control standards

4. Configure Data Loss Prevention (DLP) Policies

  • Prevents sensitive information from being emailed or shared externally
  • Helps catch user error before it causes a breach

5. Implement Audit Logs + Retention Policies

  • Turn on logging for email, Teams, OneDrive, and SharePoint
  • Retain communication records for legal and compliance needs (typically 6+ years)
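As an added example (not part of the original article or Microsoft's documentation), the PowerShell below applies steps 2, 4 and 5 in Exchange Online and Purview with real cmdlets; the rule and policy names, the PHI keyword list, and the 2190-day (6-year) retention value are assumptions chosen for this example, and the account running it is assumed to hold the Compliance Administrator role. Step 3 (MFA) is set in Entra ID Conditional Access rather than Exchange PowerShell, so it is not scripted here.

```powershell
# Added example, not from the article. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline          # Exchange mail-flow cmdlets (New-TransportRule, audit config)
Connect-IPPSSession             # Security & Compliance (Purview) cmdlets (DLP, retention)

# Step 2: mail-flow rule applying the built-in OME "Encrypt" template to outbound
# messages whose subject or body contains any of these (constructed) PHI keywords.
New-TransportRule -Name "Encrypt outbound PHI" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "patient","SSN","diagnosis","medical record" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Step 4: DLP policy that blocks mail carrying a U.S. SSN to external recipients,
# tells the sender why, and raises a high-severity incident report for admins.
New-DlpCompliancePolicy -Name "HIPAA PHI outbound" -ExchangeLocation All -Mode Enable
New-DlpComplianceRule -Name "Block SSN to external recipients" `
    -Policy "HIPAA PHI outbound" `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @{Name="U.S. Social Security Number (SSN)"; minCount="1"} `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Step 5a: make sure mailbox and Exchange admin events flow into the unified audit log.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Step 5b: retain all Exchange content for 6 years (2190 days, an assumed value
# matching the "6+ years" guidance above) without auto-deleting it afterwards.
New-RetentionCompliancePolicy -Name "HIPAA 6-year mail retention" -ExchangeLocation All
New-RetentionComplianceRule -Name "Keep mail 6 years" `
    -Policy "HIPAA 6-year mail retention" `
    -RetentionDuration 2190 `
    -RetentionComplianceAction Keep

# Verification: confirm each control exists and audit ingestion is enabled.
Get-TransportRule "Encrypt outbound PHI" | Format-List Name,State,ApplyRightsProtectionTemplate
Get-DlpCompliancePolicy "HIPAA PHI outbound" | Format-List Name,Mode,ExchangeLocation
Get-RetentionCompliancePolicy "HIPAA 6-year mail retention" | Format-List Name,Enabled
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
```

Run the DLP policy in `-Mode TestWithNotifications` first to see what it would block before switching to `Enable`, since a keyword-based encryption rule and an SSN-pattern DLP rule will also match some non-PHI mail.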