
Updated Tue July 29, 2025
Published Under: Healthcare Healthcare Websites HIPAA Compliance Managed IT Microsoft 365

If you missed Nick Gerrans’ talk at the VGM Heartland Conference this year, don’t worry—we’ve got you covered.
As Forbin’s IT Account Manager, Nick delivered an eye-opening session titled “Transforming Your Business with Microsoft 365: An Email Discussion.” He dove deep into something every HME and healthcare business needs to hear:
Email isn’t HIPAA-compliant by default—even if you’re using Microsoft 365.
Here’s your post-conference recap, complete with takeaways, examples, and a bonus resource to help you protect your business.
Want Nick’s one-pager on HIPAA email compliance?
Why Free Email Just Doesn’t Cut It Anymore
Nick’s message was clear: if you’re using free, ad-supported email platforms like Gmail, Yahoo, or Outlook.com for your HME business—you’re not HIPAA-compliant.
That’s because:
- These services don’t sign a Business Associate Agreement (BAA)
- They’re often mined for ad data (hello, privacy risk)
- You have little to no control over access, auditing, or data retention
Even worse? Many healthcare businesses think branded email (e.g., [email protected]) “looks fine.”
In reality, it puts them at risk of fines, lawsuits, or worse—compromised patient data.
Branded Business Email vs. Free Consumer Email
| Branded Business Email (Compliant) | Free Consumer Email (Risky) |
|---|---|
| [email protected] | [email protected] |
| Encrypted, secure | No encryption |
| Covered by BAA | No BAA |
| Role-based access | No user control |
4 Pillars of HIPAA-Compliant Email Nick Covered
Nick outlined four essential requirements from the HIPAA Security Rule that every email system must meet:
1. Business Associate Agreement (BAA)
HIPAA requires a signed BAA with any third-party platform storing or transmitting protected health information (PHI). Microsoft offers a BAA—but only if you configure your account through the Microsoft 365 admin center.
2. Encryption (in transit + at rest)
If your email isn’t encrypted, it’s not secure—and it’s not compliant. Microsoft 365 can encrypt messages automatically using tools like Microsoft Purview, but only if properly enabled.
3. Access Controls (like MFA)
Who can access your inbox? With role-based access controls and Multi-Factor Authentication (MFA), Microsoft 365 helps ensure only the right users can see PHI.
4. Audit Logs and Retention
You’re responsible for tracking email access and storing messages securely. Microsoft 365 enables audit logging and long-term data retention—again, only if configured.
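Three of the four pillars above are tenant settings that can be verified rather than assumed. The script below is an added example, not part of Nick's session or Forbin's material: a read-only PowerShell check that reports whether message encryption (Azure RMS behind Purview Message Encryption), an enforced DLP policy, tenant-wide MFA (security defaults or a Conditional Access policy requiring MFA), unified audit logging, and at least one retention policy are in place. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the signed-in account can read Exchange, Purview and Entra ID policy settings, and that the cmdlet property names are as documented at the time of writing. The BAA (pillar 1) is a contract and cannot be checked from PowerShell; confirm it in the Microsoft 365 admin center as the text describes.

```powershell
# Added example (not from the talk or from Forbin). Read-only: it reports, it changes nothing.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules are installed and the
# signed-in account has read access to Exchange Online, Security & Compliance, and Entra ID policy.

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Identity.SignIns

Connect-ExchangeOnline -ShowBanner:$false        # Exchange Online: audit and encryption settings
Connect-IPPSSession                               # Security & Compliance PowerShell: DLP, retention
Connect-MgGraph -Scopes "Policy.Read.All"         # Entra ID: Conditional Access, security defaults

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Pillar, [string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Pillar = $Pillar
        Check  = $Check
        Status = $(if ($Pass) { 'PASS' } else { 'REVIEW' })
        Detail = $Detail
    })
}

# Pillar 2: encryption. Azure RMS must be licensed/enabled for Purview Message Encryption to work.
$irm = Get-IRMConfiguration
Add-Finding 'Encryption' 'Azure RMS / Purview Message Encryption enabled' `
    ($irm.AzureRMSLicensingEnabled -eq $true) `
    "AzureRMSLicensingEnabled=$($irm.AzureRMSLicensingEnabled)"

# Pillar 2: at least one DLP policy in enforce mode (Mode = Enable), so PHI leaving by email is acted on.
$dlp = @(Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' })
Add-Finding 'Encryption' 'At least one enforced DLP policy' ($dlp.Count -gt 0) `
    ("Enforced DLP policies: " + ($dlp.Name -join ', '))

# Pillar 3: access controls. Either security defaults or an enabled Conditional Access policy requiring MFA.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$mfaPolicies = @(Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
})
$mfaEnforced = ($secDefaults.IsEnabled -eq $true) -or ($mfaPolicies.Count -gt 0)
Add-Finding 'Access Controls' 'MFA required tenant-wide' $mfaEnforced `
    ("SecurityDefaults=$($secDefaults.IsEnabled); CA policies requiring MFA: " + ($mfaPolicies.DisplayName -join ', '))

# Pillar 4: unified audit log ingestion must be on, or there is no record of who read or sent what.
$audit = Get-AdminAuditLogConfig
Add-Finding 'Audit & Retention' 'Unified audit log ingestion enabled' `
    ($audit.UnifiedAuditLogIngestionEnabled -eq $true) `
    "UnifiedAuditLogIngestionEnabled=$($audit.UnifiedAuditLogIngestionEnabled)"

# Pillar 4: at least one enabled retention policy so mailbox content survives staff turnover.
$retention = @(Get-RetentionCompliancePolicy | Where-Object { $_.Enabled -eq $true })
Add-Finding 'Audit & Retention' 'At least one enabled retention policy' ($retention.Count -gt 0) `
    ("Enabled retention policies: " + ($retention.Name -join ', '))

$findings | Format-Table -AutoSize
```

Run it from an account with Global Reader or equivalent read roles; any row marked REVIEW is a setting the text above says must be configured before the tenant can be treated as meeting that pillar. A retention policy existing is not the same as it covering Exchange mailboxes, so check the policy's locations in Purview as well.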
Does your email meet Nick’s 4 compliance pillars?
If not, don’t wait until you’ve got a breach on your hands.
Schedule a Free Microsoft 365 Audit
Real-World Risks of Unsecured Email
Nick didn’t hold back—he gave real examples of what can (and does) go wrong:
- Staff emailing patient info from personal Gmail accounts
- Turnover causing data loss due to no centralized access
- No way to track what was sent, to whom, or when
Each of these could lead to a HIPAA violation—and up to $1.5M per year in penalties.
“74% of healthcare data breaches are caused by human error or system misconfigurations.”
—Verizon DBIR 2023
Why Microsoft 365 (When Set Up Correctly) Is the Best Fit
Nick emphasized that Microsoft 365 is one of the most secure and flexible email solutions—but only when configured properly.
Here’s what it offers:
- Built-in BAA (available with the right plan and setup)
- Powerful encryption tools like Microsoft Purview
- Multi-Factor Authentication and Conditional Access
- Admin Console for centralized management
- Seamless audit trails and retention policies
- Branded, trustworthy communication
- Shared mailbox features (orders@, billing@, support@)
- Integration with your documentation, scheduling, and even AI (like Microsoft Copilot)
What to Do Next: Nick’s Actionable Takeaways
Here’s what Nick recommends if you’re serious about compliance:
- Ditch free consumer email accounts for business use
- Review your current Microsoft 365 settings with an IT expert
- Enable MFA, audit logging, encryption, and DLP policies
- Make sure your organization has a signed BAA with Microsoft
- Download his checklist to help your team audit your environment
Bonus Resource: Get Nick’s One-Pager
Want a handy checklist and summary of what you need to stay compliant?
Nick’s “HIPAA Email Compliance Made Easy” PDF includes:
- 4 compliance pillars explained
- Microsoft 365 setup tips
- Quick “Are You Compliant?” checklist
Conclusion: It’s Not Just Email—It’s Your Reputation
Nick ended his session with a reminder: email is often the first impression your business makes—and the most common source of healthcare data breaches.
“It’s not just about tech. It’s about trust.” - Nick Gerrans, IT Account Manager
If you’re unsure whether your email system is secure and compliant, we’re here to help. At Forbin, we specialize in Microsoft 365 environments for HME and healthcare businesses—and we’ll make sure your systems are secure, compliant, and ready to scale.
Contact Forbin IT Today to Secure Your Microsoft 365 Environment