Office 365 Boasts HIPAA-Compliant Messaging System
Several universities adopt Microsoft's cloud-based, HIPAA-compliant system in an effort to keep personal health data safer.
October 22, 2012
Microsoft recently announced that a number of academic institutions and medical schools are adopting Office 365--the company’s next-generation cloud productivity service. The system helps meet security, privacy, and other regulatory requirements mandated by HIPAA.
Universities involved in the adoption of Office 365 include Duke University, Emory University, Thomas Jefferson University, University of Iowa, and University of Washington. Each institution opted for Office 365 after experts from the academic, public, and private sector participated in a joint effort with Microsoft to develop a business associate agreement (BAA) to address HIPAA requirements.
The institutions and medical schools represent approximately 188,000 additional students, faculty, and staff who are using the cloud productivity service. As a result, Microsoft says it now offers the "most comprehensive agreement available to HIPAA-covered entities that manage electronic-protected health information," according to a press release.
Thomas Jefferson University began doing rolling conversions to Office 365 in December 2011 and finished the implementation of the system in March of this year. Doug Herrick, chief information officer at Thomas Jefferson University, told InformationWeek Healthcare the institution worked through a number of options before deciding on Office 365, including a hardware refresh on a previous system and even converting to Google's Gmail. "But the university was looking for a more integrated solution and more collaborative messaging and communication functions that went beyond pure email," he said.
Additionally, the university wasn't able to negotiate a BAA with Google that was specific enough to meet HIPAA requirements. "We needed a service for faculty and staff that could pass by our legal folks and our privacy folks," Herrick explained. "That knocked Gmail out; it was fine for students, but faculty and staff needed a vendor that would sign an agreement with us and have it be relative to HIPAA requirements."
During the process of introducing Office 365, Microsoft ended up crafting a BAA for all participating universities and health systems, and Duke University was a key player in that process. Art Glasgow, chief information officer and vice president of Duke Medicine, said in an interview with InformationWeek Healthcare that, first and foremost, it's important for health organizations to understand that not all BAAs are created equal. For instance, he said, Duke Medicine’s BAA, "is vetted by our compliance and legal [departments] and is one we're sure protects us and our responsibility to our patients."
Glasgow continued, "Working with Microsoft was easier, in my opinion, than working with other vendors in the healthcare space, and that's because Microsoft made an internal decision and a commitment to try to improve their position in this market place. It showed when working with them."
Tracy Futhey, vice president of information technology and chief information officer at Duke University, added that a big advantage of approaching a joint BAA in this way was the ability to forgo a "one-on-one process many times over." "Typically, each time a university or medical center wants to do something with a vendor, crafting a BAA [involves] getting attorneys together and haggling one on one," she said.
"In this case, since we had all universities interested in a BAA and in getting email and similar services from Microsoft, we were all able to come up with some common language that we and Microsoft agreed on," she added.
Unlike Thomas Jefferson University, which has already begun its use of Office 365, Duke University has been testing the service for the last several months and is looking forward to fully implementing it this fall. According to Glasgow, the service is requiring the institution to "take two separate environments"--the medical and educational environments--and "merge them into one environment in the cloud."
"We're deeply involved in testing it in both organizations and in both email environments, and now we're moving into the implementation phase," he said. "It's such a good value proposition for us because not only does it break down silos, but it allows us to deliver services important to a university," said Glasgow.