Staff Agreements

To ensure compliance with HIPAA, please sign that you agree to comply with the standards set forth in this BAA Business Associate Agreement and HIPAA Implementation Guide. These agreements allow our services with Microsoft Office 365 to be HIPAA compliant. Once these are signed and the infrastructure is complete, we will give you access to the services such as email and calendar.

There are two forms on this page to complete. Please make sure you read, review, and sign the BAA Business Associate Agreement and the HIPAA Compliance Implementation Guide.

What is PHI or ePHI?

Electronic protected health information or ePHI is defined in HIPAA regulation as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media.

Essentially, all health information is considered PHI when it includes individual identifiers. Demographic information is also considered PHI under HIPAA Rules, as are many common identifiers such as patient names, gender, ethnicity, insurance details, and birth dates, when they are linked with health information.

Examples of PHI

First and Last Names (Examples: Jane Doe, Jane D.)
Any dates (except years) that are directly related to an individual
Telephone number
Social Security numbers
Driver’s license numbers

BAA Business Associate Agreement

Step 1 of 4

HIPAA BAA Business Associate Agreement
You can view this document by following this link http://aka.ms/baa
If Customer is a Covered Entity or a Business Associate and includes Protected Health Information in Customer Data, FastTrack Data, or Professional Services Data, this HIPAA Business Associate Agreement (“BAA”) is incorporated upon execution of an agreement (“Agreement”) that: (i) includes the Online Services Data Protection Addendum, or (ii) incorporates this BAA and the Microsoft Professional Services Data Protection Addendum by reference through a work order for Professional Services. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control.
1. Definitions.
Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.

“Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.

“Business Associate” shall have the same meaning as the term “business associate” in 45 CFR § 160.103 of HIPAA.

“Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR § 160.103 of HIPAA.

“Customer”, for this BAA only, means Customer and its Affiliates.

“FastTrack Data” means all data, including all text, sound, video, or image files, and software, that are provided to Microsoft by or on behalf of Customer for Microsoft’s performance of the FastTrack Services.

“FastTrack Services” means the onboarding and migration services for Office 365 Services specified as being in scope for this BAA on the FastTrack Center BAA site at http://aka.ms/FastTrackBAA (or successor site); and (2) Dynamics 365 Core Services and Microsoft Power Platform Core Services; that are provided to Customer by Microsoft in connection with Customer’s Microsoft Online Services subscription, excluding services that are performed using third-party software or software that is not hosted by Microsoft.

“HIPAA” collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.

“Microsoft BAA-Scope Services”, for this BAA only, means the Core Online Services as defined in the Online Services Terms incorporated into the Agreement; Azure Health Bot; and any additional Azure online services and U.S.

Government online services listed as in scope for this BAA on the Microsoft Trust Center at https://docs.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech (or successor site); excluding Previews.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information.

“Professional Services” means the following services provided under an Enterprise Services Work Order: (a) professional planning, advice, guidance, data migration, deployment and solution/software development services provided by Microsoft Consulting Services (“Consulting Services”); and (b) Microsoft Unified Support or Premier Support Services as described in the Services Consulting and Support Description or the Description of Services, respectively, which consist of professional technical software support services provided by Microsoft that help customers identify and resolve issues in their information technology environment (“Support Services”). Additionally, Professional Services includes (c) services provided under a Microsoft Business Support Services Work Order. The Professional Services do not include the Online Services.

“Professional Services Data” means all data, including all text, sound, video, image files or software, that are provided to Microsoft, by or on behalf of a Customer (or that Customer authorizes Microsoft to obtain from an Online Service) or otherwise obtained or processed by or on behalf of Microsoft through an engagement with Microsoft to obtain Professional Services.

“Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of HIPAA, provided that it is limited to such protected health information that is received by Microsoft from, or created, received, maintained, or transmitted by Microsoft on behalf of, Customer (a) through the use of the Microsoft BAA-Scope Services, (b) for Microsoft’s performance of the FastTrack Services, or (c) through Microsoft’s provision of Professional Services.

“Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information.

2. Permitted Uses and Disclosures of Protected Health Information.
a. Performance of the Agreement. Except as otherwise limited in this BAA, Microsoft may Use and Disclose Protected Health Information for, or on behalf of, Customer as specified in the Agreement; provided that any such Use or Disclosure would not violate HIPAA if done by Customer, unless expressly permitted under paragraph b of this Section.
b. Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Microsoft may Use and Disclose Protected Health Information for the proper management and administration of Microsoft and/or to carry out the legal responsibilities of Microsoft, provided that any Disclosure may occur only if: (1) Required by Law; or (2) Microsoft obtains written reasonable assurances from the person to whom the Protected Health Information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies Microsoft of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached.
3. Responsibilities of the Parties with Respect to Protected Health Information.
a. Microsoft’s Responsibilities. To the extent Microsoft is acting as a Business Associate, Microsoft agrees to the following:
(i) Limitations on Use and Disclosure. Microsoft shall not Use and/or Disclose the Protected Health Information other than as permitted or required by the Agreement and/or this BAA or as otherwise Required by Law. Microsoft shall not disclose, capture, maintain, scan, index, transmit, share or Use Protected Health Information for any activity not authorized under the Agreement and/or this BAA. Microsoft BAA-Scope Services, FastTrack Services, and Professional Services shall not use Protected Health Information for any advertising, Marketing or similar commercial purpose of Microsoft or any third party. Microsoft shall not violate the HIPAA prohibition on the sale of Protected Health Information. Microsoft shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.

(ii) Safeguards. Microsoft shall: (1) use reasonable and appropriate safeguards to prevent Use and Disclosure of Protected Health Information other than as permitted in Section 2 herein; and (2) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule.

(iii) Reporting. Microsoft shall report to Customer: (1) any Use and/or Disclosure of Protected Health Information that is not permitted or required by this BAA of which Microsoft becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of Customer’s Unsecured Protected Health Information that Microsoft may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than seventy-two (72) hours after Microsoft’s discovery of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with Microsoft’s and Customer’s legal obligations.

For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Microsoft’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Notification(s) under this Section, if any, will be delivered to contacts identified by Customer pursuant to Section 3b(ii) (Contact Information for Notices) of this BAA by any means Microsoft selects, including through e mail. Microsoft’s obligation to report under this Section is not and will not be construed as an acknowledgement by Microsoft of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.

(iv) Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Microsoft shall require its Subcontractors who create, receive, maintain, or transmit Protected Health Information on behalf of Microsoft to agree in writing to: (1) the same or more stringent restrictions and conditions that apply to Microsoft with respect to such Protected Health Information; (2) appropriately safeguard the Protected Health Information; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Microsoft remains responsible for its Subcontractors’ compliance with obligations in this BAA.
Microsoft's Responsibilities (continued)

(v) Disclosure to the Secretary. Microsoft shall make available its internal practices, records, and books relating to the Use and/or Disclosure of Protected Health Information received from Customer to the Secretary of the Department of Health and Human Services for purposes of determining Customer’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges. Microsoft shall respond to any such request from the Secretary in accordance with: (i) for Customer Data or FastTrack Data, the Section titled “Disclosure of Processed Data” within the Online Services Data Protection Addendum, or (ii) for Professional Services Data, the Section titled “Disclosure of Professional Services Data” within the Professional Services Data Protection Addendum.

(vi) Access. The parties acknowledge and agree that Microsoft does not maintain Protected Health Information in a Designated Record Set for Customer. In the event that there is a change in the Microsoft BAA-Scope Services, FastTrack Services, or Professional Services that Microsoft provides to Customer such that Microsoft commences maintaining Protected Health Information in a Designated Record Set, then Microsoft, at the request of Customer, shall within fifteen (15) days make access to such Protected Health Information available to Customer in accordance with 45 CFR § 164.524 of the Privacy Rule.

(vii) Amendment. Subject to Section 3.a.vi above, if Microsoft maintains Protected Health Information in a Designated Record Set for Customer, then Microsoft, at the request of Customer, shall within fifteen (15) days make available such Protected Health Information to Customer for amendment and incorporate any reasonably requested amendment in the Protected Health Information in accordance with 45 CFR § 164.526 of the Privacy Rule. (viii) Accounting of Disclosure. Microsoft, at the request of Customer, shall within thirty (30) days make available to Customer such information relating to Disclosures made by Microsoft as required for Customer to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.

(ix) Performance of a Covered Entity’s Obligations. To the extent Microsoft is to carry out a Covered Entity obligation under the Privacy Rule, Microsoft shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligation.

b. Customer Responsibilities.
Battlefield Ministries Staff and Contractors
(i) No Impermissible Requests. Customer shall not request Microsoft to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).

(ii) Contact Information for Notices. Customer hereby agrees that any reports, notification, or other notice by Microsoft pursuant to this BAA will be provided as set forth in the Agreement.

(iii) Safeguards and Appropriate Use of Protected Health Information. Customer is responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Customer’s obligation to:
1) Not include Protected Health Information in: (1) information Customer submits to technical support personnel through a technical support request or to community support forums outside of Professional Services, or, for Professional Services, within the subject or body of a support case management or support ticket; and (2) Customer’s address book or directory information. In addition, Microsoft does not act as, or have the obligations of, a Business Associate under HIPAA with respect to Customer Data, FastTrack Data, or Professional Services Data once it is sent to or from Customer outside Microsoft BAA-Scope Services, FastTrack Services, or Professional Services over the public Internet, or if Customer fails to follow applicable instructions regarding physical media transported by a common carrier.

2) During use of Microsoft BAA-Scope Services or in an engagement with Microsoft to obtain Professional Services or FastTrack Services, implement privacy and security safeguards in the systems, applications, and software that Customer controls, configures, and uploads.
Do you understand Safeguards and Appropriate Use of Protected Health Information?
Please Initial
4. Applicability of BAA.
This BAA is applicable to Microsoft BAA-Scope Services, FastTrack Services, and Professional Services. Microsoft may, from time to time, (a) include additional Microsoft online services on the Microsoft Trust Center and/or in the Online Services Data Protection Addendum incorporated into the Agreement or additional FastTrack Services on the FastTrack Center BAA site, and (b) update the definition of Microsoft BAA-Scope Services, FastTrack Services, and Professional Services in this BAA, and such updated definitions will apply to Customer without additional action by Customer. It is Customer’s obligation to not store or process in an online service, or provide to Microsoft for performance of a professional service, protected health information (as that term is defined in 45 CFR § 160.103 of HIPAA) until this BAA is effective as to the applicable service.

5. Term and Termination.
a. Term. This BAA shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in Section 5.b., below, or (2) expiration of Customer’s Agreement.

b. Termination for Breach. Upon written notice, either Party immediately may terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.

c. Return, Destruction, or Retention of Protected Health Information Upon Termination. Upon expiration or termination of this BAA, Microsoft shall return or destroy all Protected Health Information in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement. If it is not feasible to return or destroy any portions of the Protected Health Information upon termination of this BAA, then Microsoft shall extend the protections of this BAA, without limitation, to such Protected Health Information and limit any further Use or Disclosure of the Protected Health Information to those purposes that make the return or destruction infeasible for the duration of the retention of the Protected Health Information.
6. Miscellaneous.
a. Interpretation. The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged. Any captions or headings in this BAA are for the convenience of the Parties and shall not affect the interpretation of this BAA.

b. Amendments; Waiver. This BAA may not be modified or amended except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.

c. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

d. Severability. In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.

e. No Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Customer and Microsoft under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render Microsoft an agent of Customer.
Do you agree to abide by the terms of this BAA agreement?
Please sign below
Signature
Name
This field is for validation purposes and should be left unchanged.

Please complete all four pages of the BAA (above) before beginning the next form.

HIPAA Compliance Implementation Guide

Step 1 of 7

HIPAA/HITECH Act Customer Considerations for Microsoft Office 365 and Microsoft Dynamics CRM Online
This form can be viewed at this link http://go.microsoft.com/fwlink/?linkid=257510
HIPAA1 and the HITECH Act2 are U.S. laws that govern the security and privacy of individually identifiable health information stored or processed electronically. This information is referred to as electronic protected health information (ePHI). HIPAA refers to healthcare providers, payors and clearinghouses that use or process ePHI as covered entities. Under HIPAA and the HITECH Act, covered entities must implement mandated physical, technical and administrative safeguards to protect ePHI. Certain service providers that store or process ePHI on behalf of covered entities are called business associates. Covered entities must ensure that their business associates implement similar security and privacy safeguards. For a covered healthcare company to use a service like Microsoft Office 365 or Microsoft Dynamics CRM Online, where ePHI would be stored or processed, the service provider will be a business associate and must agree in writing to implement required safeguards set out in HIPAA and the HITECH Act. This written agreement is known as a business associate agreement (BAA). 1 The Health Insurance Portability and Accountability Act of 1996. 2 The Health Information Technology for Economic and Clinical Health Act.

This guide was developed to assist customers who are interested in HIPAA and the HITECH Act in understanding the relevant capabilities of Microsoft Office 365 and Microsoft Dynamics CRM Online. The intended audience for this guide includes HIPAA administrators, legal staff, privacy officers, and others in organizations responsible for compliance with HIPAA and the HITECH Act, and implementation of physical, technical and administrative safeguards for protection of ePHI.

Although Microsoft Office 365 and Microsoft Dynamics CRM can help enable compliance, the ultimate responsibility for using our service and end-to-end compliance with HIPAA and the HITECH Act remains with the covered entity.
Sections include:
- Microsoft Office 365 and Microsoft Dynamics CRM Online Services for Consideration - Responsibilities of the Covered Entity - Business Associate Agreements - Evaluating Service Security and Applying it to a Compliance Program - Understanding ePHI on the Service - Procedures for Administrative Access - Handling Security Breaches - Checklist: Five Things to Do - Additional Information
Microsoft Office 365 and Microsoft Dynamics CRM Online Services for Consideration
HIPAA support is currently built into and offered for the following services ONLY: Microsoft Office 365 Services as defined in the HIPAA Business Associate Agreement. Microsoft Dynamics CRM Online sold through (i) Volume Licensing Programs, and (ii) the Dynamics CRM Online Portal.

Responsibilities of the Covered Entity
It is possible to use Microsoft Office 365 and Microsoft Dynamics CRM Online in a way that complies with HIPAA and HITECH Act requirements. However, customers are responsible for their own end-to-end compliance, as Microsoft does not analyze the contents of its customers’ data, including what ePHI Microsoft processes.

This means each customer should have its own processes and policies in place to ensure its personnel do not use Microsoft Office 365 and Microsoft Dynamics CRM Online in a way that violates HIPAA and HITECH Act requirements.

For example, a HIPAA covered entity may store a patient’s ePHI on a Microsoft service in a HIPAA-compliant manner. But if a doctor at that covered entity sends the ePHI through Exchange Online to a marketer without the patient’s permission, the covered entity may violate HIPAA.

The subsequent sections are designed to assist you in using the service appropriately, minimizing the risk of non-compliance with HIPAA.
To help comply with HIPAA and the HITECH Act, customers may enter into written agreements with Microsoft called business associate agreements or BAAs. Microsoft does not require customers to sign BAAs. Instead, Microsoft makes a HIPAA BAA available automatically to all customers with a volume licensing agreement through the Online Services Data Protection Addendum.

Customers with a BAA should designate appropriate individuals as Privacy Readers so they have access to the appropriate messages within Message center. You must refer to section (ii) Contact Information for Notices of the BAA for details on how to do this. If you do not do this, Microsoft may be unable to contact you for purposes as described in the BAA (e.g., to notify you in the event of a breach involving ePHI).

Prior to placing ePHI in the online service, you should read this guide and the BAA in full and evaluate for yourself whether the BAA meets your needs and whether you should place ePHI in Microsoft Office 365 and Microsoft Dynamics CRM Online. Again, it is ultimately your responsibility to evaluate whether our services match the requirements of your HIPAA implementation strategy, and to ensure your personnel use these services in a way that complies with HIPAA requirements.

Evaluating Service Security and Applying it to a Compliance Program
Many of the Microsoft Office 365 and Microsoft Dynamics CRM Online offerings are certified under ISO 27001 by independent auditors. The scope of our ISO 27001 audits includes HIPAA security practices as recommended by the U.S. Department of Health and Human Services. To find out more about certifications for a particular service, you may consult the Microsoft Office 365 Trust Center and Microsoft Dynamics CRM Online Trust Center. Note: The following offerings do not currently meet all recommended security requirements.
It is strongly recommended that customers not place ePHI on these offerings:
- Microsoft CRM Dynamics Online administered through means other than the Microsoft Office 365 Portal. - Microsoft Dynamics CRM for supported devices (i.e. access through smartphones and tablets).

It is ultimately the customer’s responsibility to determine the level of security that is appropriate for its requirements. A few specifics that you may wish to evaluate in your consideration of our security practices include the following:

- Encryption at rest and in-transit: Microsoft applies encryption-in-transit to transfer of information outside of Microsoft facilities. Encryption -in-transit only applies to information that can be encrypted without interfering with standard internet protocols. This means packet headers and message headers are not encrypted in transit, since that would interfere with delivery of the information. It is strongly recommended that you train and instruct your personnel to follow industry standard HIPAA security guidance to never put ePHI in the “from”, “to”, or “subject line” of an email message.

- Two Factor Authentication: Two-factor authentication is not available for customer authentication. Most services employ two -factor authentication for Microsoft’s IT Operations team. If you wish to verify two -factor authentication practices on a particular service, you may contact Support to inquire about that service as described below.

- Security Configuration: Many services have optional security configurations that allow customers to change security parameters. HIPAA covered entities may wish to set such parameters at their highest security levels. For additional information on managing your ePHI to enhanced security, you will want to read the section below on the best ways to configure and use Microsoft Office 365 and Microsoft Dynamics CRM Online.
You may also reference the Information Security Policy or the Standard Response to Request for Information – Security and Privacy to assist in determining whether the offered services are suitable for your use (current trial or paid customers only; prospective customers may inquire through Office 365 Support regarding reviewing this document).

If you have a question about whether a specific security requirement is met for any service, you may contact Microsoft Support. Microsoft will make commercially reasonable efforts to provide the information requested unless providing information at the requested level of specificity would degrade service security.

Procedures for Administrative Access
One of the ways that Microsoft Office 365 and Microsoft Dynamics CRM Online assist you in controlling access to ePHI is by tracking each instance of access to data stored in the data sets or repositories identified as suitable for ePHI above. This includes access by Microsoft personnel, partners, or your own administrators. These access reports are available to the covered entity’s administrators on request.

Microsoft recommends you regularly review these access reports to validate that only approved/appropriate individuals have accessed ePHI. For example, individuals designated as administrators have technical ability to access the mailbox of personnel in their organization.

If a covered entity has established policies around when an IT administrator can enter into a doctor’s mailbox, this report may assist you to verify that these polices are being followed. Instructions on how to obtain these access reports for different services on Office 365 and Microsoft Dynamics CRM Online are available as on the following web-page in the Trust Center: http://www.microsoft.com/online/legal/v2/?docid=24
Handling Security Breaches
Upon becoming aware of a security breach involving ePHI, Microsoft will report this to all global administrators on the accounts and to any individuals assigned the Privacy Reader role. In addition, because Microsoft does not scan or otherwise interpret customers’ data stored in the services, Microsoft will likely be aware only that a repository appropriate for storage of ePHI has been compromised. The customer will need to determine whether ePHI was actually present in the data set subject to a security breach.

Microsoft will report information it has developed on ePHI involved in a security breach according to the process described at GDPR Breach Notification. Microsoft relies on the customer to handle all notifications to affected individuals.

Customers should assign appropriate individuals into the Message center Privacy Reader role. Global administrators and users assigned the Privacy Reader role will be able to view privacy or security notifications in Message center. In the event of a security breach, notifications will be posted to Message center, but the ability to see the detailed content of such posts is restricted to global admins or individuals who have been assigned the Privacy Reader role.

Customers may update their Privacy Reader admins at any time in Message Center. Prior to sending a notification, Microsoft will work to contain the breach, analyze its impact, and assess the results. Depending on the nature of the breach, Microsoft may (a) provide customers a preliminary notification followed by subsequent details, or (b) wait until a full review has occurred and notify customers then.

Staff Agreements

What is PHI or ePHI?

Examples of PHI

BAA Business Associate Agreement

Step 1 of 4

HIPAA BAA Business Associate Agreement

1. Definitions.

2. Permitted Uses and Disclosures of Protected Health Information.

3. Responsibilities of the Parties with Respect to Protected Health Information.

b. Customer Responsibilities.

4. Applicability of BAA.

5. Term and Termination.

6. Miscellaneous.

Do you agree to abide by the terms of this BAA agreement?

HIPAA Compliance Implementation Guide

Step 1 of 7

HIPAA/HITECH Act Customer Considerations for Microsoft Office 365 and Microsoft Dynamics CRM Online

Sections include:

Microsoft Office 365 and Microsoft Dynamics CRM Online Services for Consideration

Responsibilities of the Covered Entity

Evaluating Service Security and Applying it to a Compliance Program

It is strongly recommended that customers not place ePHI on these offerings:

Understanding ePHI on the Service

The following data-sets or repositories are suitable for uploading/inclusion of ePHI:

*see article at the top of this page for more information on ePHI

Examples of data-sets or repositories NOT suitable for uploading/inclusion of ePHI:

*see article at the top of this page for more information on ePHI

Procedures for Administrative Access

Handling Security Breaches

Checklist: Five Things to Consider

Do you agree to comply with this implementation guide?

Pin It on Pinterest