Is SharePoint HIPAA Compliant?

SharePoint is HIPAA compliant when the collaboration and content management system is used within a HIPAA enabled Microsoft 365 subscription which has been configured to support HIPAA compliance. It is important workforce members with access to SharePoint receive training on how to use the system in compliance with HIPAA.

SharePoint is a scalable intranet service included as standard in all Microsoft 365 business and enterprise subscriptions that can be used to collaborate, sync, and share content securely across an organization or between team members within and/or outside an organization. The service can also be used to organize files and track versions of the same file.

SharePoint enables team members to collaborate on and co-author Word documents, Excel sheets, and PowerPoint presentations, co-edit videos via Clipchamp, and discuss changes to files in Microsoft Teams. Project management site templates can also be added to SharePoint to provide enhanced visibility, accountability, and management of team projects.

In the healthcare industry, SharePoint can be used for multiple purposes. However, when Protected Health Information (PHI) is used for any of these purposes (for example, to collaborate on a patient’s care plan), it is necessary to make SharePoint HIPAA compliant as Microsoft will have access to the PHI. The process for making SharePoint HIPAA compliant consists of:

  • Entering into a Business Associate Agreement with Microsoft,
  • Configuring the service to support HIPAA compliance, and
  • Training members of the workforce how to use SharePoint in compliance with HIPAA.

Entering into a Business Associate Agreement with Microsoft

When any organization – regardless of whether it is covered by HIPAA or not – creates a Microsoft 365 “standard” or “premium” business account, or any type of Microsoft 365 enterprise account, Microsoft automatically applies its standard HIPAA Business Associate Agreement by default when the organization accepts the Microsoft Services Agreement and License Terms.

To view the HIPAA Business Associate Agreement, a user with administrator privileges should sign into the organization’s account and navigate to “Licensing Resources and Documents”. From there, type “HIPAA” into the search bar and download the most recent “Microsoft Product and Services Data Protection Addendum (WW)” document (Currently January 2024).

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

This document explains the security measures implemented by Microsoft to comply with HIPAA (Appendix A). This information can be useful to organizations unfamiliar with Microsoft’s shared responsibility model, as it shows where Microsoft’s responsibility for the security of data ends and their responsibility begins.

On Page 11 of the document, there is a link to the Microsoft Business Associate Agreement in the Service Trust Portal. Administrators can click on this link and download the HIPAA Business Associate Agreement from the Document Detail landing page. There is nothing to sign as the Agreement has automatically been entered into when accepting the Services Agreement.

Configuring the Service to Support HIPAA Compliance

Configuring the service to make SharePoint HIPAA compliant is more complicated because administrators can create an unlimited number of groups and apply different permissions to each group. It is also possible to create group-connected team sites that include – or exclude – external users, and site admins that can add or remove other site admins.

The reasons why making SharePoint HIPAA compliant is complicated include that workforce access to PHI maintained in SharePoint files must align with the permissions allowed under §164.308(a)(4) of the HIPAA Security Rule. It is also the case that workforce access to PHI maintained in any covered Microsoft 365 service must be consistent to monitor user access.

The problem the access rules creates is that workforce members with skills that could contribute to the success of a project may not be eligible for access. Additionally, while some uses of PHI in SharePoint would meet the definition of “Health Care Operations” under §164.501 of the HIPAA Privacy Rule, this is not always the case. Some uses of PHI could be impermissible.

Consequently, site administrators need to take care in defining access policies and allocating roles and permissions. It will also be necessary to develop policies for how to use SharePoint with PHI and enable expiration dates for links sent to external team members. It is also advisable to implement security mechanisms that alert admins when unusual activity is detected.

Training Members of the Workforce How to Use SharePoint in Compliance with HIPAA

Because of the way SharePoint works, it is important workforce members understand that individuals who create files in SharePoint do not have the same control over the files as they do in OneDrive. Once a file is created in – or imported into – SharePoint, everybody with the same permissions as the creator has access to the file and can edit, share, or delete it.

This means members of the workforce must be more conscious of complying with the minimum necessary standard and patients’ requests for privacy protections, and the possibility that a colleague may inadvertently disclose or delete PHI. Therefore, it is important HIPAA training is provided on the policies developed to use SharePoint to all applicable workforce members.

Workforce members also need to be advised that PHI can be corrupted if users export files to a local device and work on them offline, that it is a best practice to log into SharePoint to access a shared file rather than click on a link embedded into an email, and if they identify any content in a SharePoint file that violates the covered entity’s SharePoint policies, to report it.

Is SharePoint HIPAA Compliant? Conclusion

SharePoint is HIPAA compliant but, because of the way in which the file sharing capabilities work, it is necessary to take greater care than would be normal when configuring the service to make SharePoint HIPAA compliant. It may also be necessary to invest in more comprehensive HIPAA training than would be normal with a Microsoft 365 service in order to prevent avoidable violations of HIPAA.

Covered entities and business associates who require more information about using SharePoint in compliance with HIPAA are advised to reach out to Microsoft Sales or the Microsoft Community. Covered entities and business associates who require assistance navigating the Microsoft Product and Services Data Protection Addendum and Business Associate Agreement are advised to seek independent compliance advice.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/