Staff Agreements

To ensure compliance with HIPAA, please sign to confirm that you agree to comply with the standards set forth in the BAA (Business Associate Agreement) and the HIPAA Implementation Guide. These agreements allow our services with Microsoft Office 365 to be HIPAA compliant. Once both are signed and the infrastructure is complete, we will give you access to services such as email and calendar.

There are two forms on this page to complete. Please make sure you read, review, and sign the BAA Business Associate Agreement and the HIPAA Compliance Implementation Guide.

What is PHI or ePHI?

Electronic protected health information or ePHI is defined in HIPAA regulation as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media.

Essentially, all health information is considered PHI when it includes individual identifiers. Demographic information is also considered PHI under HIPAA Rules, as are many common identifiers such as patient names, gender, ethnicity, insurance details, and birth dates, when they are linked with health information.

Examples of PHI

  • First and Last Names (Examples: Jane Doe, Jane D.)
  • Any dates (except years) that are directly related to an individual
  • Telephone number
  • Social Security numbers
  • Driver’s license numbers

BAA Business Associate Agreement

  • HIPAA BAA Business Associate Agreement

  • You can view this document by following this link http://aka.ms/baa
  • If Customer is a Covered Entity or a Business Associate and includes Protected Health Information in Customer Data, FastTrack Data, or Professional Services Data, this HIPAA Business Associate Agreement (“BAA”) is incorporated upon execution of an agreement (“Agreement”) that: (i) includes the Online Services Data Protection Addendum, or (ii) incorporates this BAA and the Microsoft Professional Services Data Protection Addendum by reference through a work order for Professional Services. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control.
    1. Definitions.

    Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.

    “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.

    “Business Associate” shall have the same meaning as the term “business associate” in 45 CFR § 160.103 of HIPAA.

    “Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR § 160.103 of HIPAA.

    “Customer”, for this BAA only, means Customer and its Affiliates.

    “FastTrack Data” means all data, including all text, sound, video, or image files, and software, that are provided to Microsoft by or on behalf of Customer for Microsoft’s performance of the FastTrack Services.

    “FastTrack Services” means the onboarding and migration services for Office 365 Services specified as being in scope for this BAA on the FastTrack Center BAA site at http://aka.ms/FastTrackBAA (or successor site); and (2) Dynamics 365 Core Services and Microsoft Power Platform Core Services; that are provided to Customer by Microsoft in connection with Customer’s Microsoft Online Services subscription, excluding services that are performed using third-party software or software that is not hosted by Microsoft.

    “HIPAA” collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.

    “Microsoft BAA-Scope Services”, for this BAA only, means the Core Online Services as defined in the Online Services Terms incorporated into the Agreement; Azure Health Bot; and any additional Azure online services and U.S. Government online services listed as in scope for this BAA on the Microsoft Trust Center at https://docs.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech (or successor site); excluding Previews.

    “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information.

    “Professional Services” means the following services provided under an Enterprise Services Work Order: (a) professional planning, advice, guidance, data migration, deployment and solution/software development services provided by Microsoft Consulting Services (“Consulting Services”); and (b) Microsoft Unified Support or Premier Support Services as described in the Services Consulting and Support Description or the Description of Services, respectively, which consist of professional technical software support services provided by Microsoft that help customers identify and resolve issues in their information technology environment (“Support Services”). Additionally, Professional Services includes (c) services provided under a Microsoft Business Support Services Work Order. The Professional Services do not include the Online Services.

    “Professional Services Data” means all data, including all text, sound, video, image files or software, that are provided to Microsoft, by or on behalf of a Customer (or that Customer authorizes Microsoft to obtain from an Online Service) or otherwise obtained or processed by or on behalf of Microsoft through an engagement with Microsoft to obtain Professional Services.

    “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of HIPAA, provided that it is limited to such protected health information that is received by Microsoft from, or created, received, maintained, or transmitted by Microsoft on behalf of, Customer (a) through the use of the Microsoft BAA-Scope Services, (b) for Microsoft’s performance of the FastTrack Services, or (c) through Microsoft’s provision of Professional Services.

    “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information.

Please complete all four pages of the BAA (above) before beginning the next form.

HIPAA Compliance Implementation Guide

  • HIPAA/HITECH Act Customer Considerations for Microsoft Office 365 and Microsoft Dynamics CRM Online

  • This form can be viewed at this link http://go.microsoft.com/fwlink/?linkid=257510
  • HIPAA [1] and the HITECH Act [2] are U.S. laws that govern the security and privacy of individually identifiable health information stored or processed electronically. This information is referred to as electronic protected health information (ePHI). HIPAA refers to healthcare providers, payors and clearinghouses that use or process ePHI as covered entities. Under HIPAA and the HITECH Act, covered entities must implement mandated physical, technical and administrative safeguards to protect ePHI. Certain service providers that store or process ePHI on behalf of covered entities are called business associates. Covered entities must ensure that their business associates implement similar security and privacy safeguards. For a covered healthcare company to use a service like Microsoft Office 365 or Microsoft Dynamics CRM Online, where ePHI would be stored or processed, the service provider will be a business associate and must agree in writing to implement required safeguards set out in HIPAA and the HITECH Act. This written agreement is known as a business associate agreement (BAA).

    [1] The Health Insurance Portability and Accountability Act of 1996.
    [2] The Health Information Technology for Economic and Clinical Health Act.

    This guide was developed to assist customers who are interested in HIPAA and the HITECH Act in understanding the relevant capabilities of Microsoft Office 365 and Microsoft Dynamics CRM Online. The intended audience for this guide includes HIPAA administrators, legal staff, privacy officers, and others in organizations responsible for compliance with HIPAA and the HITECH Act, and implementation of physical, technical and administrative safeguards for protection of ePHI.

    Although Microsoft Office 365 and Microsoft Dynamics CRM can help enable compliance, the ultimate responsibility for using our service and end-to-end compliance with HIPAA and the HITECH Act remains with the covered entity.
  • Sections include:

    - Microsoft Office 365 and Microsoft Dynamics CRM Online Services for Consideration
    - Responsibilities of the Covered Entity
    - Business Associate Agreements
    - Evaluating Service Security and Applying it to a Compliance Program
    - Understanding ePHI on the Service
    - Procedures for Administrative Access
    - Handling Security Breaches
    - Checklist: Five Things to Do
    - Additional Information
  • Microsoft Office 365 and Microsoft Dynamics CRM Online Services for Consideration

  • HIPAA support is currently built into and offered for the following services ONLY:

    - Microsoft Office 365 Services as defined in the HIPAA Business Associate Agreement.
    - Microsoft Dynamics CRM Online sold through (i) Volume Licensing Programs, and (ii) the Dynamics CRM Online Portal.