Updated 2025: Looking for a Business Associate Agreement? Download our FREE template.

Free BAA Download
Total HIPAA Logo

What You Need to Do to Be HIPAA Compliant After Signing a BAA

Before agreeing to trust another business with your data, there are several precautions you need to take. Firstly, make sure you have audited a Business Associate or Subcontractor’s HIPAA compliance program before signing a Business Associate Agreement (BAA) with them, and do so again each year before you resign the agreement.

Many large tech providers have pre-written BAAs that say they only cover “in-scope services” or that it is your responsibility to appropriately configure their product to be fully HIPAA compliant. Google, Microsoft, and Dropbox, three of the largest providers of business technology solutions, fall into this camp.

So, what are considered “in-scope services”? And what do you need to do to properly configure your systems so your data is secure and you’re HIPAA compliant? Here’s an overview of the processes for making your environment HIPAA compliant when using services provided by these three vendors.

Microsoft

Whether your organization is considered a Covered Entity or Business Associate under HIPAA, Microsoft “offers qualified companies or their suppliers a BAA that covers in-scope Microsoft services.”¹

The following are considered in-scope cloud platforms & services:

  • Azure and Azure Government
  • Azure DevOps Services
  • Dynamics 365 and Dynamics 365 U.S. Government
  • Intune
  • Microsoft Cloud App Security
  • Microsoft Cloud for Healthcare
  • Microsoft Healthcare Bot Service
  • Microsoft Managed Desktop
  • Microsoft Professional Services: Premier and On Premises for Azure, Dynamics 365, Intune, and for medium business and enterprise customers of Microsoft 365 for business
  • Office 365, Office 365 U.S. Government
  • Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Power BI cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite

For those using the company’s in-scope services, Microsoft offers a downloadable BAA, in the form of a non-editable Word document, which you can save for your records. 

Microsoft also provides a HIPAA and HITECH implementation guide for Microsoft Office 365 and Microsoft Dynamics CRM. The guide makes it clear that Microsoft’s services are only HIPAA compliant under certain conditions, and it cannot be held responsible if you do not make the proper configurations.² 

These configurations may include:

  • Designating certain personnel as Privacy Readers in your Microsoft 365 Message Center, which will allow them to be notified of any suspected breaches of PHI
  • Setting access controls
  • Making consistent, comprehensive backups of data
  • Using cybersecurity best practices and training employees on account security³ 

It is the responsibility of you and your employees to determine which Microsoft services can be configured in a manner which is HIPAA compliant, and how you will implement rules and safeguards to ensure users manage these services in a way that complies with HIPAA requirements.

Microsoft does not guarantee that all PHI transmitted or stored using its services will be protected. It is up to you to protect your data via good security practices and proper configurations.

Google

The new Google Workspace, an updated version of G Suite, is an integrated collection of applications including Gmail, Google Calendar, Google Meet, Google Drive, Google Docs, and more. Some of these applications can be made HIPAA compliant if configured correctly.

To help you in this endeavor, Google published a G Suite and Cloud Identity HIPAA Implementation Guide, which still holds true when it comes to configuring Google Workspace, as many of the applications are still the same.⁴ 

The guide states that PHI should only be allowed on the applications identified as “Included Functionality” in the BAA your company obtains with Google. Furthermore, Administrators should limit which services or applications are available to different groups of end users. 

Google’s guide contains detailed descriptions of each application’s security features, which should be turned on, monitored by Administrators, or included in employee training so that each user knows how to store and transmit PHI in a secure manner.

Other safeguards you might implement in order to make Google applications HIPAA compliant are:

  • Implementing access controls
  • Enabling two-factor authentication
  • Turning off link-sharing and file-syncing
  • Restricting file-sharing outside the domain
  • Using unique passwords
  • Setting document visibility to private
  • Disabling offline storage, third-party app, and add-ons
  • Regularly auditing account logs, access, and shared file reports
  • Ensuring that ‘manage alerts’ setting is turned on to notify administrators of changes to settings
  • Using the 3-2-1 backup rule⁵

Dropbox

Dropbox is one of the most popular cloud storage services, frequently used to share files between users and easily access files on mobile. 

The company has published a cybersecurity guide entitled “Shared responsibility: Working together to keep your data secure.” This is split into two sections: “Dropbox’s responsibilities” and “Customer responsibilities.” 

The best practices customers should follow include reviewing Dropbox’s practices, Terms of Service, and other agreements, configuring sharing and viewing permissions for maximum security and productivity, strengthening authentication procedures, and conducting regular access reviews.⁶

Dropbox also has a Getting started with HIPAA guide businesses can consult for tips on how to manage your security infrastructure, including:

  • Configuring sharing permissions
  • Disabling permanent deletions
  • Monitoring account access and activity
  • Understanding the role of third party apps⁷

Conclusion

Signing a BAA with a Business Associate or Subcontractor is a much more involved process than just collecting signatures. Continuing to take a proactive stance even after you sign can help you protect your business and data in the event of a breach. Consult any guides the service may have published on HIPAA compliance, and talk to your IT team about how best to configure applications to achieve maximum data protection.

Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.

Want to know more about how you can become HIPAA compliant?

Email us at info@totalhipaa.com to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.

  1. Frequently asked questions
  2. HIPAA/HITECH Act Customer Considerations for Microsoft Office 365 and Microsoft Dynamics CRM Online
  3. Is Microsoft 365 HIPAA Compliant?
  4. G Suite and Cloud Identity HIPAA Implementation Guide
  5. Is Google Drive HIPAA Compliant?
  6. Shared responsibility: Working together to keep your data secure
  7. Getting started with HIPAA

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)