10/22/2012
11:27 AM

Office 365 Boasts HIPAA-Compliant Messaging System

Several universities adopt Microsoft's cloud-based, HIPAA-compliant system in an effort to keep personal health data safer.

Microsoft recently announced that a number of academic institutions and medical schools are adopting Office 365--the company’s next-generation cloud productivity service. The system helps meet security, privacy, and other regulatory requirements mandated by HIPAA.

Universities involved in the adoption of Office 365 include Duke University, Emory University, Thomas Jefferson University, University of Iowa, and University of Washington. Each institution opted for Office 365 after experts from the academic, public, and private sector participated in a joint effort with Microsoft to develop a business associate agreement (BAA) to address HIPAA requirements.

The institutions and medical schools represent approximately 188,000 additional students, faculty, and staff who are using the cloud productivity service. As a result, Microsoft says it now offers the "most comprehensive agreement available to HIPAA-covered entities that manage electronic-protected health information," according to a press release.

Thomas Jefferson University began doing rolling conversions to Office 365 in December 2011 and finished the implementation of the system in March of this year. Doug Herrick, chief information officer at Thomas Jefferson University, told InformationWeek Healthcare the institution worked through a number of options before deciding on Office 365, including a hardware refresh on a previous system and even converting to Google's Gmail. "But the university was looking for a more integrated solution and more collaborative messaging and communication functions that went beyond pure email," he said.

Additionally, the university wasn't able to negotiate a BAA with Google that was specific enough to meet HIPAA requirements. "We needed a service for faculty and staff that could pass by our legal folks and our privacy folks," Herrick explained. "That knocked Gmail out; it was fine for students, but faculty and staff needed a vendor that would sign an agreement with us and have it be relative to HIPAA requirements."

During the process of introducing Office 365, Microsoft ended up crafting a BAA for all participating universities and health systems, and Duke University was a key player in that process. Art Glasgow, chief information officer and vice president of Duke Medicine, said in an interview with InformationWeek Healthcare that, first and foremost, it's important for health organizations to understand that not all BAAs are created equal. For instance, he said, Duke Medicine’s BAA "is vetted by our compliance and legal [departments] and is one we're sure protects us and our responsibility to our patients."

Glasgow continued, "Working with Microsoft was easier, in my opinion, than working with other vendors in the healthcare space, and that's because Microsoft made an internal decision and a commitment to try to improve their position in this market place. It showed when working with them."

Tracy Futhey, vice president of information technology and chief information officer at Duke University, added that a big advantage of approaching a joint BAA in this way was the ability to forgo a "one-on-one process many times over." "Typically, each time a university or medical center wants to do something with a vendor, crafting a BAA [involves] getting attorneys together and haggling one on one," she said.

"In this case, since we had all universities interested in a BAA and in getting email and similar services from Microsoft, we were all able to come up with some common language that we and Microsoft agreed on," she added.

Unlike Thomas Jefferson University, which has already begun its use of Office 365, Duke University has been testing the service for the last several months and is looking forward to fully implementing it this fall. According to Glasgow, the service is requiring the institution to "take two separate environments"--the medical and educational environments--and "merge them into one environment in the cloud."

"We're deeply involved in testing it in both organizations and in both email environments, and now we're moving into the implementation phase," he said. "It's such a good value proposition for us because not only does it break down silos, but it allows us to deliver services important to a university."

jaysimmons
10/30/2012 | 3:26:56 AM
re: Office 365 Boasts HIPAA-Compliant Messaging System
It's nice that Microsoft has taken the time and made an effort to address HIPAA concerns, but I wonder how useful this will actually be once implemented. Many systems which run EHRs would probably find more value in an integrated messaging system inside the EHR itself rather than having to use Office. Having a messaging/communication platform that is accessible via web is great, but ultimately having something that requires a new program and window open may be a burden.

Jay Simmons
InformationWeek Contributor