O365 - managing calendars
-
@Dashrender said:
I guess if Microsoft is signing something saying they are HIPAA compliant, that really is all I need.
My concern grows from the fact that we currently use email between internal users as our way of 'securely' communicating with each other about patients. How does this change?
-
@coliver said:
@Dashrender said:
I guess if Microsoft is signing something saying they are HIPAA compliant, that really is all I need.
My concern grows from the fact that we currently use email between internal users as our way of 'securely' communicating with each other about patients. How does this change?
In theory it doesn't. I simply have to trust in the system MS has that there is no bleed over from one company account to another - which I do trust in, but nonetheless makes me a bit more concerned when you have things like HIPAA breathing down your neck. So I'm being cautious more than anything.
Many large vendors have had major breaches in recent years - thankfully I don't think MS is among them.
-
@Dashrender said:
In theory it doesn't. I simply have to trust in the system MS has that there is no bleed over from one company account to another - which I do trust in, but nonetheless makes me a bit more concerned when you have things like HIPAA breathing down your neck. So I'm being cautious more than anything.
Why do you need to trust in that? As a HIPAA concern, that's between Microsoft and the inspectors, right? If Microsoft fails, that's their issue. Not that there is any reason for concern, their entire business is built around this. One of the most secure environments in the world. If Microsoft can't do it, no one can expect you to be more secure.
Remember, HIPAA in this case would be Microsoft's problem, and secondly you have done your due diligence by going to the most secure option available. It's doing something other than having Microsoft offload the responsibility and doing the most secure thing that should keep you up at night.
-
I'm a needless worrier at times...
Although I don't believe you are completely out of the woods just because you have a business Agreement (BA) with a provider you use that is housing Personal Health Information (PHI) - in fact I'm pretty sure that I'm supposed to request a result of their own audit to ensure they are doing what they are supposed to be doing. Only after collecting that yearly (though how I'm supposed to know it's valid is beyond me) would I be close to being indemnified. Granted, as you said, this is Microsoft - they want to do it right.
-
@Dashrender said:
I'm a needless worrier at times...
I'd say less of needless worry, HIPAA is a big deal, but definitely worry in the opposite direction that I would have. From a HIPAA perspective I would feel worlds better having to face management or even a court hearing being able to show Microsoft's documentation, possibly having Microsoft attorneys standing there with me and being able to show industry best practices and having gone above and beyond the HIPAA requirements by going for one of the most secure environments available. Nothing is 100% secure, but there is "doing the minimum" and "doing pretty much the most that you could."
If a court is going to fault you for HIPAA on Office 365, they were going to get you no matter what you had done. So while there are certainly cases and reasons to not just "go to hosted" every time for every thing, in a case like this when looking at the HIPAA concerns my worry would be "holding the hot potato" instead of passing that on to Microsoft. Going on premises and being solely responsible for every decision from the storage to the server to the application would be what would worry me far more. Going to Office 365 is what would give me the warm and fuzzies.
-
@Dashrender said:
Although I don't believe you are completely out of the woods just because you have a business Agreement (BA) with a provider you use that is housing Personal Health Information (PHI) - in fact I'm pretty sure that I'm supposed to request a result of their own audit to ensure they are doing what they are supposed to be doing. Only after collecting that yearly (though how I'm supposed to know it's valid is beyond me) would I be close to being indemnified.
That's possible; back when I was doing HIPAA all the time that was not the case, but it does get updated regularly.
Knowing that it is valid is likely none of your concern. You can't know that audits are valid more or less by definition. You'd need the auditor to be audited and that auditor audited and so on and so forth.