
Can you use SharePoint and be HIPAA Compliant?

The challenges of sharing files in health organizations

Barrett Dilger

HIPAA compliance

As with many industries, healthcare organizations find themselves amidst a digital transformation. The emergence of new tools and technology has promised a plethora of benefits, ranging from enhanced efficiency to reduced errors and improved data-driven decision-making.

Digital files, communications between branches, and electronic notices to patients are just a few samples of welcomed improvements that come with a modern, digital system.

However, bridging the gap between your current technological status and your desired destination isn’t as easy as it sounds. It’s a multifaceted process, and each facet brings its own challenges and potential pitfalls.

Sometimes when things go astray, it results in poor efficiency and delayed ROI. Although this outcome is not ideal, it’s not really the end of the world either.

On the other hand, some scenarios have a much more devastating impact. Employing an inappropriate system or tool, or even utilizing a suitable tool in an unsuitable manner, can lead to regulatory violations, including, but not limited to HIPAA violations.

No healthcare organization wants to ever deal with that.

Microsoft 365 and SharePoint in the Healthcare Environment

Amidst the backdrop of digital innovation and regulatory concerns, healthcare organizations are grappling with questions regarding specific tools and platforms. Microsoft 365, a comprehensive suite of tools, presents a wide variety of benefits to healthcare organizations.

Foremost among these questions is whether this cloud-based productivity suite is genuinely HIPAA compliant. Organizations are questioning whether SharePoint and the broader Microsoft 365 package meet the necessary HIPAA standards.

Can electronic health records and other data containing protected health information (PHI) be moved into SharePoint or edited within Microsoft 365?

Regrettably, the answer is somewhat complex.

Microsoft’s own statements stop well short of calling these products “HIPAA compliant” on their own, because no vendor can account for how every customer configures and uses the service.

As such, while it is feasible to use Microsoft 365 and SharePoint in a HIPAA-compliant manner, it is not automatic. Healthcare organizations must put the technical safeguards in place themselves, alongside the administrative and physical ones.

Fortunately, we can assist with this process – but more on that later. First and foremost, these are the most common questions healthcare organizations are asking that you should be aware of.

These are the FAQs and topics healthcare organizations should know about Microsoft 365 and HIPAA:

  • Is Microsoft 365 HIPAA compliant?
  • Is SharePoint HIPAA compliant?
  • What are the core compliance areas of HIPAA?
  • What are the technical safeguards of HIPAA?
  • How does an IT provider assist in technical HIPAA compliance?
  • Is a BAA needed with Microsoft?

Is Microsoft 365 HIPAA compliant?

While an important question, it may not be the most pertinent one to ask. It is akin to examining a car and inquiring whether it is “speed limit compliant.” Unless one is inquiring if a car has been deliberately programmed to never exceed the speed limit, there is no such thing as a “speed limit compliant” car. Whether the car operates within the speed limit is entirely at the discretion of the driver.

This is not to suggest that one should never question the quality of a car, or the quality of a software platform. A poorly constructed car may have a sticky accelerator, resulting in considerable and avoidable risk. Similarly, poorly designed software or digital services could have an analogous effect on sensitive medical data.

Indeed, Microsoft 365 is a well-designed software platform. Nevertheless, it is impractical to expect Microsoft to prevent every instance of data misuse, just as it is unrealistic to anticipate car manufacturers to “lock” cars to the speed limit. The same rules and filters that may avert a HIPAA violation in a healthcare setting could obstruct normal and ethical use cases in other industries.

Therefore, it should come as no surprise that the HIPAA compliance status of Microsoft’s products is not a simple yes or no. Is it possible to use them in a HIPAA-compliant manner? Certainly. Can Microsoft guarantee that your use of them is compliant? No; that depends on how your organization configures and operates them.

Is SharePoint HIPAA compliant?

This particular inquiry is another instance of an oft-asked question in the same vein as “does this car adhere to the speed limit?” As it turns out, this question isn’t exactly on the mark and depends on how one uses the tool in question.

In this case, healthcare organizations might be inclined to use SharePoint primarily for exchanging electronic health records (EHR) and other documents containing protected health information (PHI). It’s no wonder that this leads to the question of whether SharePoint is HIPAA compliant.

The answer is that it can certainly be used in a manner that is compliant with the Health Insurance Portability and Accountability Act (HIPAA).

However, the system is not structured to prevent users from contravening HIPAA regulations – just like your car is not designed to inhibit you from exceeding speed limits.

To remain HIPAA compliant, organizations must implement specific technical safeguards with both products. But to delve further into these safeguards, we need to take a closer look at HIPAA itself and what it takes to be compliant with it.

What are the core compliance areas to be HIPAA compliant?

HIPAA compliance can be divided into three main areas of compliance:

  1. Technical compliance
  2. Administrative compliance
  3. Physical compliance

Technical compliance focuses on the technological systems that store, process, or transmit electronic protected health information (ePHI), including access control, data integrity, authentication of users, audit logging, and secure transmission of files.

Administrative compliance is concerned with the policies and procedures that organizations implement to safeguard data and data access, such as hospital policies on sharing information publicly, rules about passwords and authentication, workforce training, risk analysis, and any administrative decisions related to privacy.

Physical compliance deals with real-world scenarios, including whether physical records are kept in a location inaccessible to the public, whether on-premises servers and endpoints are protected by physical barriers or access control measures such as badges or biometrics, and how workstations and removable media are positioned, secured, and disposed of.

When considering using Microsoft 365 and SharePoint in a healthcare setting, all three areas of compliance are important, including the technical aspects of Microsoft 365, the administrative policies surrounding the use of SharePoint, and the physical compliance of the equipment.

What are the technical safeguards of HIPAA?

According to the HIPAA Security Rule, organizations must maintain safeguards that are “reasonable and appropriate” in all three major areas of compliance. To be considered reasonable and appropriate, safeguards must protect ePHI from reasonably anticipated threats and from impermissible uses or disclosures.

However, HIPAA does not prescribe specific products or technologies. The standards describe outcomes, and the implementation specifications marked “addressable” may be met with an equivalent alternative if the organization documents why the alternative is reasonable for its environment. That flexibility is exactly why a platform cannot be compliant by itself.

On the technical side, the Security Rule (45 CFR § 164.312) names five technical safeguard standards: access control, audit controls, integrity, person or entity authentication, and transmission security. For a platform like SharePoint, it is practical to group them into three concerns:

  1. Access control (including authentication and audit trails of who accessed what)
  2. Safeguards for data at rest (integrity and confidentiality of stored ePHI)
  3. Safeguards for data in motion (transmission security)

Access Control

Access control is a simple concept: data should only be accessible to those who have been granted access, and the system should be able to show who accessed what.

A cloud workspace left in an open state, where files are shared organization-wide or with anyone who has the link, fails to meet this requirement. A traditional folder-based network with rights management, or a cloud workspace with sharing locked down to named users and groups, typically satisfies the necessary technical safeguards.

Microsoft 365 and SharePoint can be configured to satisfy the access control standard by restricting sharing, assigning permissions to groups rather than to individuals, and reviewing those permissions regularly. The key word is “configured”: the defaults for a new tenant or site are not the settings a healthcare organization wants for PHI.
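As an added example (not code from the original article or from Microsoft), the following PowerShell session shows what “configuring access control” looks like in practice for SharePoint Online: inventory the sites that still allow external or anonymous sharing, set a restrictive tenant-wide baseline, close the remaining sites explicitly, and then verify. It uses the SharePoint Online Management Shell cmdlets and assumes a SharePoint administrator account; “contoso” is a placeholder tenant name, not a real one.

```powershell
# Added example: audit and lock down SharePoint Online sharing so that PHI stored
# in SharePoint is reachable only by explicitly granted users.
# Requires the SharePoint Online Management Shell module and a SharePoint admin.
# "contoso" is a placeholder tenant name (assumption, not a real tenant).
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Inventory: which sites still allow any form of external or anonymous sharing?
$open = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability
$open | Format-Table -AutoSize

# 2. Tenant-wide baseline: no external or anonymous sharing, new sharing links
#    default to "people with existing access" (Direct) and view-only, and
#    external users (if ever re-enabled) cannot re-share.
Set-SPOTenant -SharingCapability Disabled `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -PreventExternalUsersFromResharing $true

# 3. Site-level: a site can never be more permissive than the tenant ceiling,
#    but setting each site explicitly keeps the inventory accurate if the
#    tenant setting is later relaxed for a single business reason.
foreach ($site in $open) {
    Set-SPOSite -Identity $site.Url -SharingCapability Disabled
}

# 4. Verify before calling the control "implemented": both checks should
#    report Disabled and return no sites respectively.
(Get-SPOTenant).SharingCapability
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne 'Disabled' }
```

The verification step is the part auditors ask for: a screenshot of a settings page proves intent, while a script run on a schedule that returns zero non-compliant sites proves the control is still in effect.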

Data At Rest

Data at rest refers to data that is stored on a server, whether it’s an on-premises server or a cloud server like the ones provided by Microsoft. This data is not being used actively but still needs to be maintained by your organization for use at a later time.

To safeguard data at rest, encryption and access control are once again essential. Cloud services such as Microsoft 365 encrypt stored data by default, but that does not remove the need for access control on the stored files. For on-premises systems, physical access control is also important.

An unguarded server in an unlocked room may violate HIPAA regulations if it’s breached. In such a case, it can be argued that the organization did not implement “reasonable and appropriate” safeguards such as locks, access control, and disk encryption.

Data In Motion

Protecting data in motion (and data in use) can pose a greater challenge than protecting data at rest. Data in motion refers to data that is being transferred between systems, while data in use refers to data that is actively being processed by a system or human operator.

Safeguards for data in motion usually involve encryption in transit (TLS for web and API traffic, encrypted email or secure file transfer rather than plain email attachments), access control on both the systems and the specific data, and the use of de-identified or aggregated data for research and analytics purposes instead of raw PHI.

How does an IT provider assist in technical HIPAA compliance?

At this point, it should be evident that utilizing Microsoft 365 or SharePoint in a compliant manner necessitates some technical deliberations. This is where the services of an IT provider come in handy.

We aid healthcare organizations in creating and executing the technical safeguards mandated and advised by HIPAA regulations. Our objective is to design an environment where healthcare practitioners and support staff can focus solely on their duties without the need to concern themselves with the compliance of all aspects of their technology.

A reputable IT provider can offer cybersecurity measures, conduct risk assessments, and provide ongoing audits to ensure clients are covered and continue to meet HIPAA compliance standards.

Is a BAA needed with Microsoft?

HIPAA regulations require covered entities to establish a Business Associate Agreement (BAA) with any business associate that creates, receives, maintains, or transmits protected health information (PHI) on their behalf. A cloud provider that stores your PHI is a business associate.

Microsoft declares that it “will establish BAAs with its covered entity and business associate customers,” but emphasizes that the BAA alone does not guarantee compliance with HIPAA or HITECH.

According to Microsoft, your company’s compliance program and internal processes are the key factors in achieving HIPAA compliance, and it is your responsibility to ensure that “your specific use of Microsoft services aligns with your obligations under HIPAA.”

Obtaining the BAA is not a separate negotiation: Microsoft makes it available through its standard Product Terms (formerly the Online Services Terms) to customers who are covered entities or business associates. What is not automatic is confirming that every service you put PHI into is actually within the BAA’s scope. Check the current list of covered services (directly or through your IT provider) before moving PHI into any Microsoft 365 workload, and keep PHI out of services that are not covered.

Microsoft 365 and SharePoint HIPAA Compliance Is Complex. We Can Help.

By now, it should be clear that utilizing Microsoft 365 and SharePoint in a HIPAA-compliant manner requires your organization to take the necessary steps to achieve compliance.

This can quickly become complex and overwhelming. That’s where we come in. We are a specialized IT and cybersecurity organization that can design and implement the technical safeguards and policies required for HIPAA compliance with Microsoft 365, SharePoint, and various other applications and services.

If you’re looking to move towards a cloud-based future without the added stress of compliance, get in touch with us today. We’ll help you make the transition from where you are now to where you want to be.