

Microsoft Teams has HIPAA collaboration compliance benefits, risks

Microsoft Teams can be a boon for communication and collaboration in healthcare settings, but collaboration compliance with HIPAA regulations must be top of mind.

Healthcare professionals benefit from being connected inside and outside of their workplace. These professionals require access to healthcare data to treat their patients, so providing them the ability to digitally communicate with their colleagues from any device is a big deal. For those who have invested in Microsoft Office 365, Teams has proven to support the real-time collaboration and communication among hospital staff, but it also has its own set of collaboration compliance risks.

For some organizations, like those in healthcare, the typical interactions among staff carry a new set of challenges for chief information security officers (CISOs) and CIOs, especially when these tools are used to transmit health-related information from one person to another. Health Insurance Portability and Accountability Act (HIPAA) rules and regulations have specific mandates requiring any software tool containing health information to adhere to strict guidelines and ensure all information transmitted or referenced protects patient data and privacy. This forces IT to ensure a collaboration platform like Microsoft Teams meets HIPAA requirements.

Those considering Microsoft Teams within a hospital or clinic setting will find a number of benefits to gain from the platform but also collaboration compliance concerns that need to be addressed.

Microsoft Teams collaboration benefits in healthcare

  1. Supporting care collaboration through secure messaging. A growing trend in healthcare is care collaboration, where physicians from different specialties caring for the same patients come together to collaborate and help improve the outcomes. Physicians and nurses are also constantly communicating with each other on patient-related items. Whether a physician is checking on the status of a lab order or asking for assistance from a colleague, healthcare professionals are finding it easier to communicate using Microsoft Teams and its collaboration features, such as presence. A care team can use one-on-one and group chats to review X-rays, lab results and notes and work together to create a treatment plan for those patients with complex conditions.
  2. Electronic medical record (EMR) integration brings data together. With the availability of APIs and third-party integrations, physicians can view and interact with external data coming from an EMR or a third-party vendor without leaving the Teams application. Microsoft has even gone as far as highlighting its ability to interact with Fast Healthcare Interoperability Resources, a popular interoperability standard used across most electronic health record platforms for the exchange of health information.
  3. Assigning delegates for care providers. One valuable feature Microsoft Teams offers healthcare providers is the delegation feature. This option is used by physicians to delegate someone on their team to take over the role of responding to requests in Teams during their absence. Similar to the concept of an on-call physician caring for the patients of another physician, Teams makes it easy to designate another user as a backup.
  4. Managing external access to protected health information. One great Teams security feature to support collaboration compliance is the ability to use Microsoft's data loss prevention (DLP) policies. DLP enables IT administrators to set up policies that will flag and notify users when sensitive information, like protected health information, is being shared with external users outside of the organization.
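One way IT could build the DLP policy described in point 4, as an added example that is not from the article or from Microsoft's own documentation: it uses the Security & Compliance PowerShell cmdlets, and the policy and rule names are assumed placeholders, while the sensitive information type names are Microsoft's built-in ones and should be confirmed in the tenant before use.

```powershell
# Added example (not from the article): a Teams DLP policy that flags and notifies
# users when HIPAA-relevant identifiers are shared with people outside the organization.
# Assumes a Security & Compliance PowerShell session (Connect-IPPSSession) run by an
# account holding the Compliance Administrator role.

Connect-IPPSSession

# Confirm the built-in sensitive information types before referencing them by name;
# the names below are Microsoft's, but verify them here rather than trusting a script.
Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -match 'SSN|ICD-10|DEA' } |
    Select-Object Name, Publisher

# Policy scoped to Teams only. Mode Enable enforces it; TestWithoutNotifications would
# be the audit-only setting, which logs matches but never warns the user sharing PHI.
New-DlpCompliancePolicy -Name "Teams-PHI-External" `
    -Comment "Flag PHI shared with external users in Teams chats and channels" `
    -TeamsLocation All `
    -Mode Enable

# Rule: fire only when PHI identifiers reach recipients outside the organization
# (AccessScope NotInOrganization), show a policy tip, block the message, and raise
# a high-severity incident report for the compliance team.
New-DlpComplianceRule -Name "Teams-PHI-External-Rule" `
    -Policy "Teams-PHI-External" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" },
        @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message appears to contain protected health information and is addressed to someone outside the organization." `
    -BlockAccess $true `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Check the result: the policy should report Mode = Enable and TeamsLocation = All.
Get-DlpCompliancePolicy -Identity "Teams-PHI-External" |
    Select-Object Name, Mode, TeamsLocation
```

Internal Teams traffic is deliberately left untouched by this rule; a second rule with -AccessScope InOrganization would be needed if the organization also wants PHI flagged between colleagues.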

Microsoft Teams collaboration compliance risks

  1. Risk of data exposure. Healthcare organizations are at risk of unauthorized access to patient data and violating HIPAA guidelines if Teams is used on unmanaged and unsanctioned devices. This can occur when a physician messages a colleague who does not have a properly configured device. Sensitive data may be unintentionally exposed and in direct violation of the HIPAA rules.
  2. Risk of data loss. Unlike some on-premises applications a hospital IT department manages, backing up a cloud service is no easy task. This is especially true when it comes to complex platforms like Teams, which are used to share and manage unstructured data among users. While a number of third-party vendors offer some backup capabilities for Microsoft Teams, they are limited by Teams APIs. So, IT will need to vet backup tools and ensure that any patient-related content generated and stored within the platform is protected.
  3. Data extractions in the future. Microsoft Teams is a subscription-based platform. Any consideration to stop payment or change service will require IT to identify a creative way to extract company data to move it somewhere else or archive it. Given the requirements of keeping health-related data from seven to 21 years as part of HIPAA rules, extracting data from Teams can be tricky business. IT must have a good understanding of data extraction well before pushing users to use the platform for patient-related activities.

Microsoft Teams has shown that it can be adopted in a vertical like healthcare, where many of its capabilities are a great fit for users in hospitals and clinics. But with adoption comes a burden on IT to confirm it meets collaboration compliance and security expectations to protect stored and shared data.
