The PHI Lifecycle in SharePoint
PHI does not arrive in SharePoint at a single moment and stay there in one place. It moves through a lifecycle: creation, collaboration, sharing, derivative use, retention, and disposition. Every stage has a HIPAA technical safeguard obligation, and every stage produces audit evidence the OCR may ask for.
This brief is the healthcare companion to our SharePoint compliance pillar. It focuses on the specific PHI lifecycle patterns that hospitals, health systems, health plans, and clinical research organizations need to manage in SharePoint Online and OneDrive for Business.
Stage 1: PHI Entry Points
Before enabling Copilot or broad external sharing on SharePoint, map every PHI entry point:
- Clinical documentation drafted in Word before EHR entry
- Care coordination SharePoint sites used by multi-disciplinary teams
- Quality and accreditation workpapers (Joint Commission, CMS, HEDIS)
- Population health reports and registries
- Patient communications drafted in Word, Outlook, or SharePoint pages
- Migrated clinical file shares from legacy on-premises storage
- Meeting notes and transcripts from clinical committees (Tumor Boards, M&M, Quality Councils)
- Shared OneDrive folders when clinicians collaborate on documents
- SharePoint intranet content such as clinical policy libraries that reference PHI
Document the entry points in a PHI inventory maintained by the HIPAA Privacy and Security Officers. Update when new clinical departments adopt SharePoint or when new integrations bring PHI into the tenant.
Stage 2: Site Classification and Permissions
The first compliance control after mapping is site classification. Apply Purview sensitivity labels at the site level with policies that flow down to files:
- Highly Confidential — PHI-Clinical for sites containing clinical PHI
- Highly Confidential — PHI-Administrative for sites with PHI used for TPO (Treatment, Payment, Operations)
- Highly Confidential — Research-Limited-Data-Set for IRB-approved research sites
- Confidential-Operational for clinical operations content without PHI
Site-level labels drive tenant policies: external sharing restrictions (block "Anyone with the link" for PHI sites), Conditional Access device-compliance requirements, and private-vs-public site behavior. File-level labels persist through downloads and sharing.
Permissions for PHI sites should use role-based security groups provisioned from the authoritative HR or provider directory source. Avoid direct user assignment and broken inheritance. Schedule quarterly Microsoft Entra ID access reviews for every PHI site.
Stage 3: Collaboration Controls
Collaboration patterns differ by clinical workflow. Apply controls accordingly:
- Clinical care teams need Teams channels tied to SharePoint sites with membership scoped to the attributed provider panel. Sensitivity label Highly Confidential — PHI-Clinical. Disable external sharing entirely.
- Administrative workgroups processing PHI for TPO need separate sites with narrower DLP rules. External sharing allowed only through approved business associate channels with link expiration at 30 days.
- Research teams operating under an IRB protocol need per-protocol sites with the Research-Limited-Data-Set label. Disable Copilot unless the protocol explicitly approves AI-assisted analysis.
- Quality and compliance workgroups need dedicated sites with Highly Confidential — PHI-Administrative. Preservation Lock retention to meet Joint Commission requirements.
Stage 4: DLP and Copilot Posture
Purview DLP for SharePoint and OneDrive should detect HIPAA identifiers (SSN, MRN, DEA, patient name + DOB, address + procedure code, etc.) and trigger policy actions:
- Warn users who attempt to externally share PHI content
- Block sharing when content is labeled Highly Confidential — PHI-Clinical
- Log all detections to Purview audit for six-year retention
- Alert compliance on high-risk patterns (bulk export, new external sharing)
Copilot for SharePoint, Copilot Chat, and Copilot Agents in a HIPAA environment require specific gates:
- Oversharing remediated on SharePoint, OneDrive, and Teams
- Label coverage above 70 percent on clinical content
- Purview Copilot audit enabled with six-year retention
- DLP policies scoped to Copilot for HIPAA identifiers
- Clinical informatics policy naming safe and unsafe Copilot use cases
- Training and attestation before Copilot licensing
Skipping any step produces a HIPAA incident within 60 days of pilot.
Stage 5: Retention, Disposition, and Legal Hold
Apply Purview retention policies per site label:
- PHI-Clinical — Retain 10 years from patient record closure (aligned to state medical record retention where longer than HIPAA baseline)
- PHI-Administrative — Retain 6 years from event date for HIPAA audit obligations
- Research-Limited-Data-Set — Retain per IRB protocol (often 6–10 years post-study closure)
- Confidential-Operational — Retain 3–7 years depending on business function
For litigation and OCR investigations, enable Purview Preservation Lock or legal hold on the scoped sites. Document the hold in the legal matter management system and in the SharePoint governance register.
Stage 5a: Handling Migrated Clinical File Shares
Most hospitals sit on top of years of migrated clinical file-share content. A 2,000-user migration from an on-prem file server to SharePoint typically moves 5–50 terabytes of content, of which 10–30 percent has PHI. The historical permissions from the file server rarely translate cleanly to SharePoint group-based security, and the first Copilot rollout exposes the gaps.
The remediation pattern:
- Use Microsoft Graph to produce a tenant-wide permission inventory
- Identify SharePoint sites created as file-server migration targets
- Apply Highly Confidential — PHI-Clinical labels to sites known to contain PHI
- Remove inherited "Everyone" and "All Employees" permissions from the migrated sites
- Migrate any remaining file-server content to appropriately labeled destinations
- Decommission migration service accounts and admin groups no longer needed
This work is not optional for HIPAA compliance once Copilot is in scope; it is the single highest-impact remediation for most hospital Copilot rollouts.
Stage 6: OCR-Ready Evidence
If OCR opens a HIPAA investigation that involves SharePoint, you need an evidence package on short notice. Pre-build it:
- Microsoft BAA acceptance letter and current Product Terms reference
- Tenant-level SharePoint settings snapshot
- PHI site inventory with sensitivity labels, permissions, and ownership
- Purview sensitivity label policy exports
- DLP policy exports and alert history
- Purview unified audit samples for the investigation window
- Copilot settings and Purview Copilot audit samples if enabled
- Conditional Access policies applicable to SharePoint and OneDrive
- Access review history from Entra ID
- Workforce training records for SharePoint HIPAA awareness
Store the package template in a dedicated compliance SharePoint site with Preservation Lock and run quarterly tabletop drills.
Reference Architecture: 1,500-Bed Health System
A typical 1,500-bed multi-hospital health system SharePoint deployment operates with six layers:
- Identity — Entra ID synced from the provider directory and HR system of record; Conditional Access enforcing MFA and device compliance; sensitivity label-driven privacy settings on sites.
- Site topology — PHI-Clinical, PHI-Administrative, Research-Limited-Data-Set, and Confidential-Operational site templates, each with default sensitivity labels and approved permissioning patterns. Every new site is provisioned from a template, not ad hoc.
- Permissions and access reviews — Security-group-driven access; quarterly Entra ID access reviews on all PHI sites; automated offboarding workflow to remove departing clinicians within 24 hours.
- Sharing controls — External sharing disabled entirely for PHI-Clinical; limited to approved BA domains for PHI-Administrative; guest link expiration at 30 days for PHI, 90 days for Confidential.
- DLP and monitoring — Purview DLP detecting HIPAA identifiers with block actions on PHI sites; Purview unified audit feeding Sentinel with six-year retention; analytic rules for mass download, external sharing, and first-time access to PHI sites.
- Copilot posture — Copilot for SharePoint enabled only for administrative users initially; extended to clinicians in Wave 3 after oversharing remediation is fully complete.
Business Associate Considerations Beyond Microsoft
Microsoft is the primary business associate covering the SharePoint platform and OneDrive, but hospitals typically have adjacent BAs whose agreements also apply to SharePoint content:
- Microsoft 365 backup ISV (AvePoint, Veeam, Metallic, etc.) capturing SharePoint content snapshots — requires BAA
- Migration vendors that move content into SharePoint — requires BAA during active migration
- eDiscovery vendors used for OCR response — requires BAA
- Archive vendors for long-term retention of SharePoint-derived records — requires BAA
- Purview Customer Key providers or key-management-as-a-service vendors, if used
For every BA, confirm the BAA is current, names SharePoint and OneDrive explicitly, and covers AI-assisted processing if the vendor applies AI to PHI. BAAs predating 2023 frequently need re-execution to cover AI scenarios.
HIPAA Risk Analysis Integration
HIPAA 164.308(a)(1) requires a formal risk analysis. SharePoint should be explicitly scoped in the risk analysis with specific sections covering:
- Inventory of PHI-bearing sites and libraries
- Current oversharing posture with remediation plan
- Sensitivity label coverage metric (target 70 percent+ on PHI sites)
- DLP policy coverage and enforcement status
- Audit log retention and SIEM integration status
- Copilot enablement scope and posture
- Outstanding POA&M items related to SharePoint
- Risk scores for each identified vulnerability with remediation timeline
Update the risk analysis annually or whenever a significant change occurs (new Copilot workload, new Business Associate, new major site provisioning).
Legal Hold and OCR Subpoena Response
HIPAA environments occasionally receive OCR subpoenas or civil litigation requests that reach SharePoint content. Build a legal-hold workflow that:
- Identifies the scope (specific users, sites, or time windows) from the subpoena
- Places Purview legal hold or Preservation Lock on the in-scope content
- Exports requested content via eDiscovery with chain-of-custody documentation
- Retains the hold until formal release from legal counsel
Document the workflow in the privacy office procedures and test annually. Legal-hold execution should complete within 48 hours of counsel instruction for most SharePoint content.
Related Reading
- SharePoint compliance governance pillar (HIPAA, SOC 2, FedRAMP, GLBA, ITAR)
- SharePoint for financial services: GLBA and recordkeeping
- SharePoint for government: ITAR and FedRAMP controls
- SharePoint governance framework for the enterprise
- SharePoint security hardening guide
Frequently Asked Questions
How does PHI typically enter SharePoint?
Clinical documentation drafted in Word, care coordination sites, quality workpapers, population health reports, patient communications, migrated file shares, clinical meeting notes, and shared OneDrive folders. Map every entry point before broader Copilot enablement.
Do I need a separate SharePoint site for PHI?
Yes. Separate PHI-bearing sites classified with a Highly Confidential — PHI sensitivity label simplify audits, reduce breach blast radius, and enable cleaner DLP and Copilot governance.
How do I handle HIPAA minimum-necessary in SharePoint?
Layer clean permissions, role-based access groups, site-level sensitivity labels, DLP for HIPAA identifiers, and quarterly access reviews. Copilot is an additional layer only after the base layers are in place.
How long must SharePoint audit logs be retained for HIPAA?
Six years minimum. Purview Audit Premium or continuous SIEM export with six-year retention.
What does OCR expect during an investigation?
BAA acceptance, tenant settings, PHI site inventory, permission exports, sensitivity label and DLP policies, Purview audit samples, Copilot settings, Conditional Access policies, and training records.
Can clinicians use Copilot for SharePoint with patient data?
Yes, after oversharing remediation, 70 percent+ label coverage, Purview Copilot audit enabled, DLP policies for HIPAA identifiers, and training attestation.
How should research data be handled in SharePoint?
Per-protocol dedicated sites labeled Research-Limited-Data-Set or Research-PHI, IRB-scoped membership, disabled Copilot unless protocol-approved, and retention per IRB protocol (often 6–10 years post-study).
Written by the SharePoint Support Team
Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience
Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.
Expert SharePoint Services
Frequently Asked Questions
How does PHI typically enter SharePoint?▼
Do I need a separate SharePoint site for PHI?▼
How do I handle the HIPAA minimum-necessary standard in SharePoint?▼
How long must SharePoint audit logs be retained for HIPAA?▼
What does OCR expect during a SharePoint-related investigation?▼
Can clinicians use Copilot for SharePoint with patient data?▼
How should research data be handled in SharePoint?▼
Need Expert Help?
Our SharePoint consultants are ready to help you implement these strategies in your organization.
Continue Reading in Compliance
Retention Labels in SharePoint: Compliance Made Easy
Implement retention labels to automate records management, meet compliance requirements, and manage content lifecycle in SharePoint.
ComplianceSharePoint Accessibility: WCAG Compliance Guide
Ensure your SharePoint sites are accessible to all users with this comprehensive WCAG compliance guide covering design principles, testing tools, and remediation strategies.
ComplianceSharePoint HIPAA Compliance Guide: Configuring Microsoft...
Complete guide to making SharePoint Online HIPAA compliant. Covers Business Associate Agreements, PHI controls, encryption, audit logging, access management, and Microsoft Purview configuration for healthcare organizations.
ComplianceSharePoint SOC 2 Compliance Guide: Configuring Microsoft...
Complete guide to SOC 2 Type II compliance for SharePoint Online in financial services. Covers access controls, encryption, audit logging, change management, availability, and Microsoft Purview configuration for SOC 2 audit readiness.
ComplianceSharePoint Retention Policies & Purview Guide
How to configure Microsoft Purview retention policies for SharePoint Online, including auto-apply labels, adaptive scopes, disposition reviews, and compliance strategies for regulated industries.
ComplianceSharePoint Compliance: HIPAA, SOX & FedRAMP Guide
Configure SharePoint Online for HIPAA, SOX, and FedRAMP compliance with DLP policies, audit trails, retention, encryption, and access controls.