SharePoint for Healthcare: HIPAA Compliance, ePHI Protection & Implementation Guide

Deploy SharePoint in healthcare environments with HIPAA compliance. Covers ePHI protection, audit controls, access management, DLP for PHI, Business Associate Agreements, and SharePoint for clinical use cases.

Errin O'Connor · February 24, 2026 · 14 min read

SharePoint in Healthcare: Opportunity and Obligation

Healthcare organizations generate and manage an enormous volume of documentation — clinical policies, administrative records, HR files, compliance documentation, quality improvement programs, patient education materials, and research data. SharePoint Online is an excellent platform for all of this — but healthcare deployments must be architected with HIPAA compliance as the foundational design principle, not an afterthought.

[Figure: Enterprise SharePoint architecture with hub sites and connected team sites]

This guide covers the technical and governance requirements for deploying SharePoint in healthcare settings, protecting electronic Protected Health Information (ePHI), and building an audit trail that satisfies HIPAA Security Rule requirements.

HIPAA Security Rule: SharePoint Relevance

The HIPAA Security Rule (45 CFR Part 164) applies to electronic PHI (ePHI) stored, processed, or transmitted by Covered Entities and Business Associates. For SharePoint deployments at healthcare organizations, the relevant safeguards are:

Administrative Safeguards (§164.308)

  • Security Officer: Designate a HIPAA Security Officer responsible for SharePoint ePHI controls
  • Workforce Training: All users with SharePoint access to ePHI must receive HIPAA training
  • Access Management: Implement formal process for granting, reviewing, and revoking access to ePHI libraries
  • Audit Controls: See §164.312(b) — audit logging required (covered below)
  • Contingency Plan: Data backup and recovery procedures for ePHI in SharePoint

Physical Safeguards (§164.310)

  • Microsoft's data centers are HIPAA-compliant (covered by BAA)
  • Workstation access controls apply — ensure users access SharePoint only from managed devices via Intune conditional access

Technical Safeguards (§164.312)

  • Access Control: Unique user identification, automatic logoff, encryption
  • Audit Controls: Hardware, software, and procedural mechanisms to record and examine activity
  • Integrity: Mechanisms to authenticate ePHI has not been altered
  • Transmission Security: Encryption of ePHI in transit (HTTPS/TLS — SharePoint Online provides this by default)

Microsoft's HIPAA Business Associate Agreement

Before storing any ePHI in SharePoint Online, your organization must have a signed Business Associate Agreement (BAA) with Microsoft.

Obtaining the Microsoft BAA

Microsoft's BAA is available through the Microsoft Products and Services Data Protection Addendum (DPA), which covers HIPAA for Microsoft 365 services including SharePoint Online, OneDrive, Exchange Online, Teams, and Azure.

Automatic BAA via Volume Licensing: Organizations with Microsoft 365 Enterprise agreements automatically receive the DPA (which includes HIPAA BAA coverage) as part of the agreement. Verify with your Microsoft account team.

Review coverage: The Microsoft BAA covers SharePoint Online but does NOT automatically cover all Microsoft services. Confirm coverage for every service where ePHI may reside.

Services Covered by Microsoft HIPAA BAA (as of 2026)

  • Microsoft 365 (including SharePoint Online, Exchange Online, Teams)
  • Azure (including Azure Blob Storage, Azure SQL, Azure AD)
  • Power Platform (Power Automate flows processing ePHI, Power Apps)
  • Microsoft Purview (audit logs, DLP, retention for ePHI)

Identifying ePHI in SharePoint

Before implementing controls, identify where ePHI currently exists or may be stored:

ePHI in SharePoint is typically found in:

  • Policies and procedures that include patient identifiers in examples
  • Quality improvement programs with case data
  • Employee health records (occupational health)
  • Research documentation (IRB-approved studies)
  • Human subjects training records
  • Patient grievance documentation
  • Medical staff credentialing files

ePHI typically NOT in SharePoint (but should be confirmed):

  • Active patient records (should be in EMR/EHR)
  • Clinical images (PACS system)
  • Lab results (LIS system)
  • Billing data (PM system)

SharePoint Site Architecture for HIPAA Compliance

Separate ePHI from Non-ePHI

Create a clear architectural separation:

```
SharePoint Environment Architecture (Healthcare)
├── Non-ePHI Hub (no special controls needed)
│   ├── HR Policy Library (no PHI)
│   ├── IT Documentation
│   ├── Marketing & Communications
│   └── General Administrative Sites
├── ePHI Hub (HIPAA-controlled zone)
│   ├── Quality Improvement Data (limited ePHI)
│   ├── Occupational Health Records
│   ├── Medical Staff Affairs
│   ├── Research Documentation (IRB-approved)
│   └── Patient Grievances Archive
└── Restricted Hub (most sensitive)
    ├── Executive Compensation (not ePHI but restricted)
    ├── Legal Hold Repository
    └── Incident Investigation Files
```

ePHI Site Configuration Requirements

For any SharePoint site or library containing ePHI:

  • No broad access: All ePHI sites must have limited, role-based membership (not "Everyone in the company")
  • No external sharing: External sharing disabled at site level
  • No anonymous access: Anonymous access disabled (tenant-level default should already be off)
  • Audit logging: Site audit log retention minimum 6 years per HIPAA (use E5 Compliance + 10-year add-on for records retention)
  • Sensitivity label: "HIPAA - ePHI" label applied, encrypting content and logging access
  • DLP policy: DLP policy scanning for 18 HIPAA identifiers active on these sites
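The following script is an added example (not from the original guide) that checks each ePHI site against the requirements above with the SharePoint Online Management Shell and remediates the sharing and device-access gaps. The site URLs, the admin URL and the CSV path are placeholders; the "HIPAA - ePHI" label is assumed to be created as described later in this guide.

```powershell
# Added example: review ePHI sites against the configuration requirements.
# Assumes the SharePoint Online Management Shell and a SharePoint admin account.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$ePhiSites = @(
    "https://contoso.sharepoint.com/sites/ePHI-Hub",              # placeholder URLs
    "https://contoso.sharepoint.com/sites/OccupationalHealth"
)

# Login-name fragments of the tenant-wide claims "Everyone" and
# "Everyone except external users"; neither may be present on an ePHI site.
$broadClaims = @("c:0(.s|true", "spo-grid-all-users")

$report = foreach ($url in $ePhiSites) {
    $site = Get-SPOSite -Identity $url -Detailed
    $findings = @()

    if ($site.SharingCapability -ne "Disabled") {
        $findings += "external sharing was '$($site.SharingCapability)'; set to Disabled"
        Set-SPOSite -Identity $url -SharingCapability Disabled
    }
    # AllowLimitedAccess = browser-only, no download, from unmanaged devices. It only
    # takes effect together with an Entra conditional access policy that applies
    # "Use app enforced restrictions" to the Office 365 SharePoint Online app.
    if ($site.ConditionalAccessPolicy -ne "AllowLimitedAccess") {
        $findings += "unmanaged-device policy was '$($site.ConditionalAccessPolicy)'; set to AllowLimitedAccess"
        Set-SPOSite -Identity $url -ConditionalAccessPolicy AllowLimitedAccess
    }
    # SensitivityLabel holds the container label GUID; empty means no label applied yet
    if ([string]::IsNullOrEmpty($site.SensitivityLabel)) {
        $findings += "no sensitivity label applied (apply 'HIPAA - ePHI')"
    }
    # Flag principals that grant access to the whole company
    $broad = Get-SPOUser -Site $url -Limit All | Where-Object {
        $login = $_.LoginName
        ($broadClaims | Where-Object { $login -like "*$_*" }).Count -gt 0
    }
    foreach ($b in $broad) { $findings += "broad-access principal present: $($b.DisplayName)" }

    [pscustomobject]@{
        Site      = $url
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join "; ")
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\ePHI-site-review.csv" -NoTypeInformation   # evidence for the audit file
```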

Microsoft Purview DLP for PHI Detection

Microsoft Purview Data Loss Prevention includes built-in classifiers for HIPAA-related data types. Configure DLP to detect and protect PHI in SharePoint:

HIPAA Sensitive Information Types in Purview

Built-in SITs (Sensitive Information Types) relevant to healthcare:

  • US Social Security Number (SSN)
  • US Driver's License Number
  • US Individual Taxpayer Identification Number (ITIN)
  • Medical Terms (conditions, medications, procedures)
  • Drug Enforcement Agency (DEA) Number
  • US Health Insurance Claim Number
  • National Provider Identifier (NPI)

Configuring HIPAA DLP Policy for SharePoint

```powershell
# Create a DLP policy scoped to the ePHI hub, then a rule that blocks external
# access when HIPAA identifiers are detected and notifies the document owner.
Connect-IPPSSession

New-DlpCompliancePolicy `
    -Name "HIPAA PHI Protection - SharePoint" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/ePHI-Hub" `
    -Mode Enable

# SIT names must match the built-in Purview names exactly (see the list above).
# BlockAccessScope PerUser blocks only people outside the organization, so
# internal collaboration on the document continues.
New-DlpComplianceRule `
    -Policy "HIPAA PHI Protection - SharePoint" `
    -Name "Detect PHI - Block External Sharing" `
    -ContentContainsSensitiveInformation @(
        @{Name="U.S. Social Security Number (SSN)"; minCount="1"},
        @{Name="Drug Enforcement Agency (DEA) Number"; minCount="1"},
        @{Name="Medical Terms"; minCount="3"}
    ) `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser Owner,LastModifier `
    -NotifyEmailCustomText "This document may contain PHI. External sharing has been blocked."
```

Sensitivity Labels for ePHI

Configure Microsoft Purview sensitivity labels specifically for ePHI:

HIPAA Sensitivity Label Configuration

| Label | Encryption | Access Restriction | Marking |
|-------|-----------|-------------------|---------|
| HIPAA - ePHI | Yes (AES-256) | Authorized healthcare staff only | Header: CONTAINS ePHI |
| HIPAA - De-identified | No | All staff | Header: De-identified Health Data |
| HIPAA - Research | Yes | Research team + IRB staff | Header: RESEARCH USE ONLY |

```powershell
# Create the HIPAA ePHI sensitivity label: encrypted, usage rights limited to the
# authorized healthcare staff group, and a red header marking on every document.
Connect-IPPSSession

# The address in EncryptionRightsDefinitions is a placeholder for the mail-enabled
# security group of authorized healthcare staff; grant rights to a group, never to
# individual users, so access follows the role rather than the person.
New-Label `
    -Name "HIPAA-ePHI" `
    -DisplayName "HIPAA - ePHI" `
    -Tooltip "Apply to documents containing electronic Protected Health Information" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "ephi-authorized-staff@contoso.com:VIEW,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "CONTAINS ePHI - HIPAA PROTECTED" `
    -ApplyContentMarkingHeaderFontColor "#FF0000"
```

Access Control for ePHI Libraries

Minimum Necessary Standard

HIPAA's Minimum Necessary standard (§164.514(d)) requires that access to PHI be limited to the minimum necessary to accomplish the intended purpose.

Apply this to SharePoint:

  • Role-based access groups (not individual user permissions)
  • No "read all" access to ePHI repositories for general staff
  • Annual access reviews for all ePHI site memberships
  • Just-in-time (JIT) access for break-glass scenarios using Azure AD PIM

```powershell
# Set up Privileged Identity Management (PIM) for SharePoint administration
# (requires Azure AD Premium P2 or M365 E5).
# The assignment is eligible, not permanent: the user must request activation
# for time-limited access, and every activation is logged in the Azure AD audit log.
# Note: this grants a tenant-wide directory role. JIT membership of a single
# ePHI site is done with PIM for Groups against the site's access group instead.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "RoleEligibilitySchedule.ReadWrite.Directory"

# Look up the role definition (the role is named "SharePoint Administrator" in Entra ID)
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'SharePoint Administrator'"

# Create eligible assignment (user must activate to gain access)
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest `
    -RoleDefinitionId $role.Id `
    -PrincipalId "user-object-id-here" `
    -DirectoryScopeId "/" `
    -Action AdminAssign `
    -ScheduleInfo @{ StartDateTime = Get-Date; Expiration = @{ Type = "NoExpiration" } } `
    -Justification "Break-glass access for ePHI site administration"
```
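The annual access review required above can be scheduled in Entra ID Identity Governance with Microsoft Graph PowerShell. This is an added example, not code from the original guide: it assumes Azure AD Premium P2 / M365 E5, that membership on the ePHI site is granted through one security group, and a placeholder group id.

```powershell
# Added example: yearly access review of the ePHI site access group.
# Assumes the Microsoft.Graph.Identity.Governance module and a placeholder group id.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: ePHI site access group

$definition = @{
    displayName          = "Annual access review - ePHI Hub members"
    descriptionForAdmins = "HIPAA Minimum Necessary (45 CFR 164.514(d)): confirm each member still needs ePHI access"
    # Review every transitive member of the group (nested groups included)
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # The group owners (the data owners for the site) are the reviewers
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true     # flags members with no recent sign-in
        instanceDurationInDays          = 14
        # Fail closed: members nobody vouches for lose access when the review ends
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 12 }   # once a year
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
Write-Output "Created access review $($review.Id) (status: $($review.Status))"
```

Keep the review definition id with the HIPAA documentation; the review decisions are retrievable later as evidence that the annual review actually took place.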

HIPAA Audit Controls for SharePoint (§164.312(b))

SharePoint audit logging must capture:

  • All access to ePHI (read, edit, download)
  • All permission changes on ePHI sites
  • All file deletions in ePHI libraries
  • All external sharing events (should be zero for ePHI sites)

Configuration:

```powershell
# Verify unified audit logging is enabled. Get-AdminAuditLogConfig is an Exchange
# Online cmdlet, the retention and alert cmdlets live in the compliance endpoint.
Connect-ExchangeOnline
Connect-IPPSSession

$auditStatus = Get-AdminAuditLogConfig
Write-Output "Unified Audit Log Enabled: $($auditStatus.UnifiedAuditLogIngestionEnabled)"

# Long-term retention policy for ePHI audit events. The cmdlet only accepts fixed
# durations (ThreeMonths, SixMonths, NineMonths, TwelveMonths, TenYears), so a
# 6-7 year HIPAA target means TenYears, which needs the 10-year audit retention add-on.
New-UnifiedAuditLogRetentionPolicy `
    -Name "HIPAA ePHI Audit Retention - 10 Years" `
    -Description "Retain SharePoint audit events for ePHI site activity 10 years (HIPAA minimum is 6)" `
    -RecordTypes SharePoint, SharePointFileOperation, SharePointSharingOperation `
    -RetentionDuration TenYears `
    -Priority 1

# Alert on any external sharing attempt on ePHI sites (should never occur).
# ThreatType Activity is required for activity-based alerts; the notification
# addresses are placeholders for the Security Officer and Privacy Officer.
New-ProtectionAlert `
    -Name "ePHI External Sharing Attempt" `
    -Category DataGovernance `
    -ThreatType Activity `
    -AggregationType None `
    -Severity High `
    -Operation SharingInvitationCreated, AnonymousLinkCreated `
    -Filter "Activity.SiteUrl -like 'https://contoso.sharepoint.com/sites/ePHI-Hub*'" `
    -NotifyUser "hipaa-security-officer@contoso.com", "privacy-officer@contoso.com"
```
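Retention alone does not satisfy §164.312(b); the log must also be examined. The script below is an added example, not from the original guide, that pulls the last seven days of events for the ePHI hub from the unified audit log and separates the four event classes listed above (access, deletions, permission changes, sharing). It assumes Exchange Online PowerShell, the placeholder hub URL used in this guide, and a CSV path of your choosing.

```powershell
# Added example: weekly review of ePHI hub audit events (Search-UnifiedAuditLog
# is an Exchange Online cmdlet; the hub URL and CSV path are placeholders).
Connect-ExchangeOnline

$siteUrl = "https://contoso.sharepoint.com/sites/ePHI-Hub"
$operations = @(
    "FileAccessed", "FileDownloaded", "FileDeleted", "FileDeletedFirstStageRecycleBin",
    "AddedToGroup", "PermissionLevelModified", "SharingSet",
    "SharingInvitationCreated", "AnonymousLinkCreated", "SecureLinkCreated"
)
# Any of these on an ePHI site is a policy violation and is treated as an incident
$sharingOps = @("SharingInvitationCreated", "AnonymousLinkCreated", "SecureLinkCreated")
$changeOps  = @("FileDeleted", "FileDeletedFirstStageRecycleBin", "AddedToGroup", "PermissionLevelModified", "SharingSet")

# One call returns at most 5000 records; page with -SessionCommand ReturnLargeSet
# when a longer window or a busier site exceeds that.
$raw = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations $operations -ResultSize 5000

$events = foreach ($r in $raw) {
    $d = $r.AuditData | ConvertFrom-Json                  # details live in the JSON payload
    if ($d.SiteUrl -notlike "$siteUrl*") { continue }     # keep only the ePHI hub
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $d.UserId
        Operation = $d.Operation
        Item      = $d.ObjectId
        ClientIP  = $d.ClientIP
        Severity  = if ($sharingOps -contains $d.Operation) { "HIGH" }
                    elseif ($changeOps -contains $d.Operation) { "MEDIUM" }
                    else { "INFO" }
    }
}

# Who touched ePHI and how often: input for the access review
$events | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{n = "User"; e = { $_.Name }}, Count | Format-Table -AutoSize

# Sharing events must be zero on an ePHI site; anything listed here needs the incident procedure
$events | Where-Object Severity -eq "HIGH" | Format-Table Time, User, Operation, Item, ClientIP -AutoSize

$events | Export-Csv -Path ".\ePHI-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```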

Clinical Use Cases for SharePoint

Policy and Procedure Management

SharePoint excels for clinical policy management:

  • Version-controlled policy library with effective dates
  • Acknowledgment workflows (staff must confirm they've read policy)
  • Automatic expiry alerts when policy review date approaches
  • Audit trail of who accessed each policy and when

Quality Improvement Program Documentation

QI programs generate significant documentation. SharePoint provides:

  • Structured document library per QI initiative
  • Dashboard pages showing initiative status using Power BI web part
  • Team collaboration on QI forms and data collection
  • Automated reports distributed via Power Automate

Medical Staff Credentialing

Credentialing files (provider privileges, licenses, CME records) can be managed in SharePoint:

  • Document library per provider with standard folders
  • Expiry date columns with automated renewal reminders
  • Restricted access (credentialing staff only)
  • Integration with credentialing software via Power Automate

Employee Health Records

Occupational health records for employees are ePHI and require HIPAA controls:

  • Separate SharePoint site with access restricted to Occupational Health staff only
  • Sensitivity label: HIPAA - ePHI applied to all documents
  • Annual access review (least privilege)
  • 30-year retention (OSHA requirement for exposure records)

HIPAA Compliance Checklist for SharePoint

  • [ ] Microsoft BAA executed (verify with legal/procurement)
  • [ ] ePHI identified and mapped to SharePoint sites/libraries
  • [ ] ePHI sites have restricted access (role-based, no broad access)
  • [ ] External sharing disabled for all ePHI sites
  • [ ] Sensitivity labels deployed: HIPAA - ePHI label encrypts documents
  • [ ] DLP policy active: blocks external sharing of PHI-containing documents
  • [ ] Audit logging enabled with 6+ year retention policy
  • [ ] Conditional Access policy: managed devices only for ePHI sites
  • [ ] Annual access reviews scheduled in Azure AD Identity Governance
  • [ ] HIPAA Security Officer designated and documented
  • [ ] Staff HIPAA training includes SharePoint ePHI handling
  • [ ] Incident response procedure documented for ePHI breach in SharePoint

Conclusion

SharePoint Online is HIPAA-compatible when properly configured — but it requires deliberate architecture, sensitivity labels, DLP policies, access controls, and audit logging. The Microsoft BAA provides the contractual foundation; the controls described in this guide provide the technical implementation.

EPC Group has deployed HIPAA-compliant SharePoint environments for health systems, physician groups, healthcare technology companies, and medical device manufacturers. Contact us for a HIPAA SharePoint assessment.

Written by Errin O'Connor

Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem

Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.
