Microsoft 365 Licensing for HIPAA-Compliant Concierge Care

Choosing the right Microsoft 365 license is critical for healthcare organizations handling Protected Health Information (PHI). This guide compares Business Basic, Business Premium, and Office 365 E3 with EMS E3 add-ons to help you make informed decisions that meet HIPAA requirements while optimizing costs.


License Comparison Overview

Understanding the differences between Microsoft 365 plans is essential for HIPAA compliance. Each tier offers distinct features that impact security, data protection, and regulatory adherence.

Business Basic

~$6/user/month

  • Web-only Office apps
  • 50 GB mailbox
  • 1 TB OneDrive storage
  • MFA via security defaults or per-user MFA only; no Conditional Access
  • TLS in transit and service-side encryption at rest (common to every plan); no message-level encryption
Business Premium

~$12.50/user/month

  • Full desktop + mobile apps
  • 50 GB mailbox
  • 1 TB storage
  • Basic MFA
  • Limited DLP
  • Basic MDM

Note: the price and feature set in this column match Microsoft 365 Business Standard. Microsoft 365 Business Premium (list price ~$22/user/month) already bundles Microsoft Entra ID P1 (Conditional Access), Intune Plan 1, Defender for Business and Exchange Online Archiving, so most of the EMS E3 add-on below is redundant on top of it. Confirm which SKU is actually deployed before applying this matrix.
Office 365 E3

~$23/user/month

  • Full desktop + mobile apps
  • 100 GB mailbox + archive
  • Advanced DLP & retention
  • Core eDiscovery
  • Legal hold capabilities
+ EMS E3 Add-On

+~$14/user/month

  • Conditional Access (Microsoft Entra ID P1, formerly Azure AD P1)
  • Full Intune MDM/MAM
  • Azure Information Protection P1 (now Purview Information Protection)
  • App-level data controls through Intune app protection policies (Purview Endpoint DLP for Windows/macOS is a Microsoft 365 E5 feature)
  • Entra ID sign-in and audit logs retained 30 days (the unified audit log itself is available in every plan)

Download: Office 365 comparison1.pdf (the Office 365 HIPAA licensing matrix)

Core Features Breakdown
Office Applications & Storage

Business Basic provides web-only access to Office apps with a 50 GB mailbox. Business Premium and Office 365 E3 include full desktop and mobile applications. E3 (Exchange Online Plan 2) doubles mailbox capacity to 100 GB and adds an auto-expanding archive mailbox (up to 1.5 TB) together with Litigation Hold. All plans include 1 TB of OneDrive storage per user, but E3 adds Data Loss Prevention and retention policies across Exchange, SharePoint and OneDrive.

Collaboration Tools

Teams collaboration features scale across plans. Business Basic offers core functionality, Premium adds desktop integration, while E3 provides full enterprise features including advanced meeting controls and compliance tools.

HIPAA Security Safeguards Coverage

HIPAA compliance requires specific technical safeguards. This comparison shows how each license addresses critical regulatory requirements under sections 164.312(a) through 164.312(e).

Access Control (§164.312(a))

Basic: Security defaults or per-user MFA only; no policy-based access decisions

Premium: Per-user MFA and basic MDM; no device- or location-based access decisions

E3 + EMS: Conditional Access policies that require MFA and a compliant or managed device, scoped by user, app and location

Audit Controls (§164.312(b))

Basic: Unified audit log (Audit Standard) with 7-day Entra sign-in log retention; no device telemetry

Premium: Unified audit log plus mailbox audit logging; still no device logs

E3 + EMS: Unified audit log, 30-day Entra sign-in logs, and Intune device compliance logs in one place

Integrity & Encryption (§164.312(c),(e))

Basic: TLS in transit and service-side encryption at rest only; no message- or file-level protection

Premium: Adds Office 365 Message Encryption for individual messages

E3 + EMS: Adds Azure Information Protection labels that encrypt files and messages persistently, wherever they travel

Transmission Security (§164.312(e)(1))

Basic/Premium: TLS for mail in transit; SMTP to external domains uses opportunistic TLS unless you configure connectors that require it

E3 + EMS: Adds Intune compliance and app protection policies, so only managed, encrypted devices can open mail and attachments

Advanced Security Features Comparison
Multi-Factor Authentication

Business Basic relies on security defaults or per-user MFA that an admin enables by hand. Premium offers basic automated MFA. E3 with EMS E3 provides Conditional Access through Microsoft Entra ID P1 (formerly Azure AD P1), enabling policy-based MFA keyed to named locations (countries, IP ranges) and device compliance state, with a block rule for everything outside the allowed locations.
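The two Conditional Access policies that paragraph describes (MFA plus a compliant device for Office 365, and a block outside allowed countries), as an added example that is not part of the original page. It is written against Microsoft Graph PowerShell (module Microsoft.Graph.Identity.SignIns) and assumes an Entra ID P1 license and a Conditional Access Administrator role; the policy names, the allowed-country list and the break-glass group ID are placeholders to replace.

```powershell
# Added example: Conditional Access for PHI workloads, created in report-only mode.
# Assumes Microsoft.Graph.Identity.SignIns is installed and Entra ID P1 is licensed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Named location: countries clinical staff may sign in from (placeholder list).
# Sign-ins whose IP cannot be mapped to a country are NOT treated as allowed.
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Concierge Care - allowed countries"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false
}

# Placeholder: group holding the emergency-access (break-glass) accounts, excluded from every policy.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Both policies start as report-only. Review the sign-in log for would-be blocks before
# switching state to "enabled": a mistake here locks admins out of mail as well.
$reportOnly = "enabledForReportingButNotEnforced"

# Policy 1: anyone reaching Office 365 (Exchange, SharePoint, Teams) must pass MFA AND
# be on an Intune-compliant device. "AND" is what makes both controls mandatory.
$requireMfaAndDevice = @{
    displayName   = "PHI apps: require MFA and compliant device"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}

# Policy 2: block Office 365 from every location except the allowed countries.
# "All" locations minus the named location leaves exactly the disallowed ones.
$blockOutsideCountries = @{
    displayName   = "PHI apps: block sign-in outside allowed countries"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($allowedCountries.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = foreach ($p in @($requireMfaAndDevice, $blockOutsideCountries)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
$created | Select-Object DisplayName, State, Id
```

Two policies rather than one because Conditional Access evaluates every matching policy and a single policy cannot both require controls in some locations and block in others; keeping the geography rule separate also lets you turn it on independently once report-only results look clean.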

Device & App Management

Basic has no device management. Premium includes basic Mobile Device Management (MDM). E3 with EMS E3 delivers full Microsoft Intune capabilities: MDM/MAM, remote wipe, encryption enforcement, and comprehensive app protection policies.

Data Loss Prevention

Basic lacks DLP entirely. Premium offers limited DLP for email, SharePoint, and OneDrive. E3 with EMS E3 adds Intune app protection policies that block copy, save-as and sharing of PHI out of managed mobile Office apps; blocking PHI exfiltration from Windows and macOS endpoints themselves (Purview Endpoint DLP) requires Microsoft 365 E5 or the E5 Compliance add-on.

The Critical Mailbox Archiving Challenge

Employee mailboxes often contain PHI and must be preserved unaltered after termination. HIPAA's Audit Controls standard (§164.312(b)) and Integrity standard (§164.312(c)(1)) require that ePHI is not improperly altered or destroyed and that activity on it can be examined, and §164.316(b)(2)(i) requires keeping required documentation for at least 6 years from its creation or last effective date; retention periods for the medical records themselves are set by state law and are often longer. Taken together, Concierge Care must keep PHI-containing records for at least 6 years, ensure they cannot be altered or deleted, and maintain audit trails, which makes immutable email archiving a required safeguard.

Employee Active

Mailbox contains PHI communications, patient correspondence, and clinical documentation

Employee Leaves

Organization must preserve all mailbox contents immutably for compliance and legal purposes

Long-Term Retention

Records must remain searchable, unalterable, and accessible for minimum 6 years

Mailbox Retention: Business Premium vs Office 365 E3

The differences in archiving capabilities are critical for HIPAA compliance. Litigation Hold and inactive mailboxes are licensed by Exchange Online Plan 2, which Office 365 E3 includes; the plan described below as Business Premium does not have them. (Microsoft 365 Business Premium as Microsoft sells it bundles Exchange Online Archiving, which also licenses holds and inactive mailboxes; the limitations below apply to Business Standard and Business Basic, which do not.)

What Happens When an Employee Leaves
Business Premium Limitations

When you remove the user's license, the mailbox enters a 30-day grace period and is then deleted; deleting the account has the same effect. You can convert it to a shared mailbox first, but a shared mailbox is capped at 50 GB, remains editable by anyone granted access (it is not immutable), and needs a license again as soon as it exceeds 50 GB or you want an archive or a hold on it. Without Exchange Online Plan 2 or the Exchange Online Archiving add-on there is no Litigation Hold or compliance lock, so PHI can be changed or lost.

Suitable for: Non-PHI users and general staff where long-term retention is not required.

Not suitable for: Clinical, admin, or intake users who handle PHI.

Office 365 E3 Solution

When an employee leaves, place the mailbox on Litigation Hold (or apply a retention policy that covers it) while the account is still licensed, confirm the hold is in force, and then delete the user account. Exchange Online keeps a held mailbox whose account has been deleted as an Inactive Mailbox: all contents, including deleted items, drafts and attachments, are preserved for as long as the hold lasts (indefinitely for an unlimited hold), nobody can sign in to modify or purge them, and the mailbox remains fully searchable through eDiscovery. The license is released when the account is deleted, so you stop paying for that user while the mailbox remains preserved.

Suitable for: All PHI-handling roles.

Meets: the HIPAA and HITECH preservation and audit-trail expectations for immutability, provided the hold is applied before the account is deleted and the Business Associate Agreement with Microsoft is in place.

License Recommendations by Role

Different roles require different security levels. This matrix helps you assign the right license to each user type while optimizing costs and maintaining HIPAA compliance.

Clinical, Intake & Admin Staff

Recommended: Office 365 E3 + EMS E3

Cost: ~$37/user/month

Reason: Archiving with Litigation Hold, advanced DLP, Conditional Access, and comprehensive device control. These users handle PHI daily and need the maximum protection and retention capabilities. The license only enables the controls; compliance still depends on configuring them and on Microsoft's Business Associate Agreement being in place.

Marketing & HR Teams

Recommended: Business Premium + EMS E3

Cost: ~$26.50/user/month

Reason: Policy-based MFA and device management without archiving overhead. These users don't regularly handle PHI but need strong security controls and full Office applications. Check the SKU first: if what is deployed is genuinely Microsoft 365 Business Premium rather than Business Standard, Entra ID P1 and Intune Plan 1 are already included and EMS E3 adds little.

Email-Only Users

Recommended: Business Basic + EMS E3

Cost: ~$20/user/month

Reason: Lightweight access with MFA and Intune policies. Suitable for reception, scheduling, or limited-access staff who need email and basic collaboration without full desktop apps. If these mailboxes receive patient correspondence (appointment requests, intake questions), they hold PHI and need the same hold and inactive-mailbox path, which Business Basic does not license without the Exchange Online Archiving add-on.

Implementation Workflow for E3 License Users

Follow this systematic approach to ensure proper mailbox retention and HIPAA compliance when employees with PHI access leave your organization.

01
Set Litigation Hold

Before deprovisioning, and while the mailbox is still licensed, enable Litigation Hold (unlimited duration, with an owner and a retention comment) or assign a retention policy in the Purview compliance portal, then confirm it shows as active; a hold can take up to 60 minutes to take effect.

02
Delete the User Account

With the hold confirmed, delete the user account (admin center or Graph PowerShell). Deleting the account of a held mailbox is what creates the inactive mailbox and releases the license; unassigning the license while leaving the account in place is not the documented way to create one.

03
Mailbox Becomes Inactive

Once the account is deleted, Exchange Online keeps the held mailbox as an Inactive Mailbox with no license attached and no user able to alter it. Verify that it is listed among the tenant's inactive mailboxes, still on hold, before closing the offboarding ticket.

04
Archive OneDrive Files

Store the user's OneDrive files in a designated SharePoint library or HR folder for long-term retention and access. Deleted users' OneDrive sites are themselves removed after the retention period set in the SharePoint admin center (30 days by default, configurable up to 3,650), so either lengthen that setting or cover OneDrive with a Purview retention policy; a manual copy alone is not immutable and does not carry the original's version history.

05
Maintain Compliance

The mailbox remains preserved, immutable, and searchable under eDiscovery indefinitely, accessible only by authorized compliance or legal users.
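The five steps above, and the Office 365 E3 offboarding path described in the mailbox retention section, as one runnable script. This is an added example, not code from the original page: it uses the ExchangeOnlineManagement and Microsoft.Graph.Users modules, assumes the operator holds the Exchange Administrator and User Administrator roles, and the UPN, hold owner and domain are placeholders.

```powershell
# Added example: offboard a PHI-handling user so the mailbox becomes a held, inactive mailbox.
# Assumes ExchangeOnlineManagement and Microsoft.Graph.Users are installed; placeholders below.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,                # placeholder, e.g. jdoe@conciergecare.example
    [string] $HoldOwner   = "compliance@conciergecare.example",         # placeholder: who answers for the hold
    [string] $HoldComment = "HIPAA retention - preserved at termination"
)
$ErrorActionPreference = "Stop"

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

# Step 1: indefinite Litigation Hold, applied while the mailbox is still licensed and the
# account still exists. Exchange Online Plan 2 (Office 365 E3) or the Exchange Online
# Archiving add-on licenses this; a retention policy scoped to the mailbox would also work.
Set-Mailbox -Identity $UserPrincipalName `
    -LitigationHoldEnabled $true `
    -LitigationHoldDuration Unlimited `
    -LitigationHoldOwner $HoldOwner `
    -RetentionComment $HoldComment

# Step 2: confirm the hold is in force before anything is deleted. Microsoft documents up to
# 60 minutes for a hold to take effect; a mailbox deleted without a hold is purged after the
# 30-day grace period instead of becoming inactive, so poll rather than assume.
$deadline = (Get-Date).AddMinutes(60)
do {
    $mbx = Get-Mailbox -Identity $UserPrincipalName
    if ($mbx.LitigationHoldEnabled) { break }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)
if (-not $mbx.LitigationHoldEnabled) {
    throw "Litigation Hold is not active on $UserPrincipalName; refusing to delete the account."
}
Write-Host ("Hold active since {0}; owner {1}" -f $mbx.LitigationHoldDate, $mbx.LitigationHoldOwner)

# Step 3: cut off sign-in, then delete the account. Deleting the account of a held mailbox is
# what creates the inactive mailbox and releases the license. Entra ID keeps the deleted user
# restorable for 30 days; the inactive mailbox persists past that for as long as the hold lasts.
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
Remove-MgUser -UserId $UserPrincipalName

# Step 4: verify the inactive mailbox exists and is still held. Directory replication can lag,
# so retry briefly. From here on it is unlicensed and remains searchable in eDiscovery.
$inactive = $null
foreach ($attempt in 1..10) {
    $inactive = Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited |
        Where-Object { $_.PrimarySmtpAddress -eq $UserPrincipalName }
    if ($inactive) { break }
    Start-Sleep -Seconds 30
}
if (-not $inactive) { throw "No inactive mailbox found for $UserPrincipalName; investigate before considering the user offboarded." }

# Step 5: record what compliance will rely on (the item count proves content survived deletion).
$stats = Get-MailboxStatistics -Identity $inactive.ExchangeGuid.ToString() -IncludeSoftDeletedRecipients
[pscustomobject]@{
    Mailbox           = $inactive.PrimarySmtpAddress
    IsInactiveMailbox = $inactive.IsInactiveMailbox
    WhenSoftDeleted   = $inactive.WhenSoftDeleted
    LitigationHold    = $inactive.LitigationHoldEnabled
    ItemCount         = $stats.ItemCount
}
```

The script refuses to delete the account until the hold is observed as active, because the order of operations is the whole safeguard: a hold applied after deletion cannot resurrect a mailbox that has already entered the 30-day purge. OneDrive (step 04 above) is deliberately left to a retention policy or the admin-center retention setting rather than handled here.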

6+
Years Retention

HIPAA-required minimum retention period for PHI records

$0
License Cost

After conversion to inactive mailbox, no ongoing license fees

100%
Immutability

Complete protection against alteration or deletion of archived content
