It may be one of the most popular cloud services worldwide, but is SharePoint HIPAA compliant? Microsoft’s SharePoint Online service offers a collaborative cloud-based platform for the storage, management, and sharing of documents. It allows multiple users to view and edit a document simultaneously from various devices and can be integrated with other popular Microsoft applications in most Microsoft 365 and Office 365 enterprise plans.
First and foremost, before any HIPAA covered entity (CE) uses a product from a third-party vendor, they must ensure that a business associate agreement (BAA) is entered into with that vendor. There are some exceptions to this, as covered by the HIPAA Conduit Exception Rule, but this rule does not apply to SharePoint. These BAAs have several functions, including stipulating how the business associate (BA) will use the protected health information (PHI) shared by the CE, what safeguards will be in place to protect the data, and what will happen if a breach is detected.
Therefore, before any PHI is uploaded to SharePoint Online, the CE (or their BA) must ensure that they have entered into a BAA with Microsoft. Luckily, Microsoft has stipulated that it is willing to enter into BAAs that cover a number of its products, including most Microsoft 365 and Office 365 enterprise plans. If the SharePoint Online service is included in an enterprise plan, it is automatically covered by the enterprise plan BAA.
Further Steps to Make SharePoint HIPAA Compliant
The Business Associate Agreement is only one aspect of HIPAA compliance. Covered Entities and Business Associates must ensure the application is configured to comply with the Security Rule in order to make SharePoint HIPAA compliant. The configuration changes Covered Entities and Business Associates should make include:
- Adding permissions to group folders to comply with the Information Access Management standard.
- Activating Advanced Threat Protection for SharePoint Online to guard against malicious attachments.
- Adding data retention and data restore policies in order to comply with the Contingency Plan safeguard.
- Configuring an idle session threshold (via Shell) to comply with the automatic logoff implementation specification.
It is also important that members of the workforce are trained in how to use SharePoint compliantly. Members of the workforce included in SharePoint groups should be provided with platform-specific training, while all other members of the workforce should be guided on permissible uses and disclosures during Privacy Rule training, and online security during Security Rule-mandated awareness training. If your organization has any questions about making SharePoint HIPAA compliant, help is available from Microsoft support.