Compliance

SharePoint for Healthcare: HIPAA PHI Lifecycle & Protection

How hospitals, health plans, and clinical research organizations manage the full PHI lifecycle in SharePoint Online and OneDrive. Permissions, labels, DLP, audit, and OCR-ready evidence.

SharePoint Support TeamApril 21, 202617 min read
SharePoint for Healthcare: HIPAA PHI Lifecycle & Protection - Compliance guide by SharePoint Support
SharePoint for Healthcare: HIPAA PHI Lifecycle & Protection - Expert Compliance guidance from SharePoint Support

The PHI Lifecycle in SharePoint

PHI does not arrive in SharePoint at a single moment and stay there in one place. It moves through a lifecycle: creation, collaboration, sharing, derivative use, retention, and disposition. Every stage has a HIPAA technical safeguard obligation, and every stage produces audit evidence the OCR may ask for.

SharePoint architecture diagram showing hub sites, team sites, and content structure
Enterprise SharePoint architecture with hub sites and connected team sites

This brief is the healthcare companion to our SharePoint compliance pillar. It focuses on the specific PHI lifecycle patterns that hospitals, health systems, health plans, and clinical research organizations need to manage in SharePoint Online and OneDrive for Business.

Stage 1: PHI Entry Points

Before enabling Copilot or broad external sharing on SharePoint, map every PHI entry point:

  • Clinical documentation drafted in Word before EHR entry
  • Care coordination SharePoint sites used by multi-disciplinary teams
  • Quality and accreditation workpapers (Joint Commission, CMS, HEDIS)
  • Population health reports and registries
  • Patient communications drafted in Word, Outlook, or SharePoint pages
  • Migrated clinical file shares from legacy on-premises storage
  • Meeting notes and transcripts from clinical committees (Tumor Boards, M&M, Quality Councils)
  • Shared OneDrive folders when clinicians collaborate on documents
  • SharePoint intranet content such as clinical policy libraries that reference PHI

Document the entry points in a PHI inventory maintained by the HIPAA Privacy and Security Officers. Update when new clinical departments adopt SharePoint or when new integrations bring PHI into the tenant.

Stage 2: Site Classification and Permissions

The first compliance control after mapping is site classification. Apply Purview sensitivity labels at the site level with policies that flow down to files:

  • Highly Confidential — PHI-Clinical for sites containing clinical PHI
  • Highly Confidential — PHI-Administrative for sites with PHI used for TPO (Treatment, Payment, Operations)
  • Highly Confidential — Research-Limited-Data-Set for IRB-approved research sites
  • Confidential-Operational for clinical operations content without PHI

Site-level labels drive tenant policies: external sharing restrictions (block "Anyone with the link" for PHI sites), Conditional Access device-compliance requirements, and private-vs-public site behavior. File-level labels persist through downloads and sharing.

Permissions for PHI sites should use role-based security groups provisioned from the authoritative HR or provider directory source. Avoid direct user assignment and broken inheritance. Schedule quarterly Microsoft Entra ID access reviews for every PHI site.

Stage 3: Collaboration Controls

Collaboration patterns differ by clinical workflow. Apply controls accordingly:

  • Clinical care teams need Teams channels tied to SharePoint sites with membership scoped to the attributed provider panel. Sensitivity label Highly Confidential — PHI-Clinical. Disable external sharing entirely.
  • Administrative workgroups processing PHI for TPO need separate sites with narrower DLP rules. External sharing allowed only through approved business associate channels with link expiration at 30 days.
  • Research teams operating under an IRB protocol need per-protocol sites with the Research-Limited-Data-Set label. Disable Copilot unless the protocol explicitly approves AI-assisted analysis.
  • Quality and compliance workgroups need dedicated sites with Highly Confidential — PHI-Administrative. Preservation Lock retention to meet Joint Commission requirements.

Stage 4: DLP and Copilot Posture

Purview DLP for SharePoint and OneDrive should detect HIPAA identifiers (SSN, MRN, DEA, patient name + DOB, address + procedure code, etc.) and trigger policy actions:

  • Warn users who attempt to externally share PHI content
  • Block sharing when content is labeled Highly Confidential — PHI-Clinical
  • Log all detections to Purview audit for six-year retention
  • Alert compliance on high-risk patterns (bulk export, new external sharing)

Copilot for SharePoint, Copilot Chat, and Copilot Agents in a HIPAA environment require specific gates:

  • Oversharing remediated on SharePoint, OneDrive, and Teams
  • Label coverage above 70 percent on clinical content
  • Purview Copilot audit enabled with six-year retention
  • DLP policies scoped to Copilot for HIPAA identifiers
  • Clinical informatics policy naming safe and unsafe Copilot use cases
  • Training and attestation before Copilot licensing

Skipping any step produces a HIPAA incident within 60 days of pilot.

Apply Purview retention policies per site label:

  • PHI-Clinical — Retain 10 years from patient record closure (aligned to state medical record retention where longer than HIPAA baseline)
  • PHI-Administrative — Retain 6 years from event date for HIPAA audit obligations
  • Research-Limited-Data-Set — Retain per IRB protocol (often 6–10 years post-study closure)
  • Confidential-Operational — Retain 3–7 years depending on business function

For litigation and OCR investigations, enable Purview Preservation Lock or legal hold on the scoped sites. Document the hold in the legal matter management system and in the SharePoint governance register.

Stage 5a: Handling Migrated Clinical File Shares

Most hospitals sit on top of years of migrated clinical file-share content. A 2,000-user migration from an on-prem file server to SharePoint typically moves 5–50 terabytes of content, of which 10–30 percent has PHI. The historical permissions from the file server rarely translate cleanly to SharePoint group-based security, and the first Copilot rollout exposes the gaps.

The remediation pattern:

  • Use Microsoft Graph to produce a tenant-wide permission inventory
  • Identify SharePoint sites created as file-server migration targets
  • Apply Highly Confidential — PHI-Clinical labels to sites known to contain PHI
  • Remove inherited "Everyone" and "All Employees" permissions from the migrated sites
  • Migrate any remaining file-server content to appropriately labeled destinations
  • Decommission migration service accounts and admin groups no longer needed

This work is not optional for HIPAA compliance once Copilot is in scope; it is the single highest-impact remediation for most hospital Copilot rollouts.

Stage 6: OCR-Ready Evidence

If OCR opens a HIPAA investigation that involves SharePoint, you need an evidence package on short notice. Pre-build it:

  • Microsoft BAA acceptance letter and current Product Terms reference
  • Tenant-level SharePoint settings snapshot
  • PHI site inventory with sensitivity labels, permissions, and ownership
  • Purview sensitivity label policy exports
  • DLP policy exports and alert history
  • Purview unified audit samples for the investigation window
  • Copilot settings and Purview Copilot audit samples if enabled
  • Conditional Access policies applicable to SharePoint and OneDrive
  • Access review history from Entra ID
  • Workforce training records for SharePoint HIPAA awareness

Store the package template in a dedicated compliance SharePoint site with Preservation Lock and run quarterly tabletop drills.

Reference Architecture: 1,500-Bed Health System

A typical 1,500-bed multi-hospital health system SharePoint deployment operates with six layers:

  • Identity — Entra ID synced from the provider directory and HR system of record; Conditional Access enforcing MFA and device compliance; sensitivity label-driven privacy settings on sites.
  • Site topology — PHI-Clinical, PHI-Administrative, Research-Limited-Data-Set, and Confidential-Operational site templates, each with default sensitivity labels and approved permissioning patterns. Every new site is provisioned from a template, not ad hoc.
  • Permissions and access reviews — Security-group-driven access; quarterly Entra ID access reviews on all PHI sites; automated offboarding workflow to remove departing clinicians within 24 hours.
  • Sharing controls — External sharing disabled entirely for PHI-Clinical; limited to approved BA domains for PHI-Administrative; guest link expiration at 30 days for PHI, 90 days for Confidential.
  • DLP and monitoring — Purview DLP detecting HIPAA identifiers with block actions on PHI sites; Purview unified audit feeding Sentinel with six-year retention; analytic rules for mass download, external sharing, and first-time access to PHI sites.
  • Copilot posture — Copilot for SharePoint enabled only for administrative users initially; extended to clinicians in Wave 3 after oversharing remediation is fully complete.

Business Associate Considerations Beyond Microsoft

Microsoft is the primary business associate covering the SharePoint platform and OneDrive, but hospitals typically have adjacent BAs whose agreements also apply to SharePoint content:

  • Microsoft 365 backup ISV (AvePoint, Veeam, Metallic, etc.) capturing SharePoint content snapshots — requires BAA
  • Migration vendors that move content into SharePoint — requires BAA during active migration
  • eDiscovery vendors used for OCR response — requires BAA
  • Archive vendors for long-term retention of SharePoint-derived records — requires BAA
  • Purview Customer Key providers or key-management-as-a-service vendors, if used

For every BA, confirm the BAA is current, names SharePoint and OneDrive explicitly, and covers AI-assisted processing if the vendor applies AI to PHI. BAAs predating 2023 frequently need re-execution to cover AI scenarios.

HIPAA Risk Analysis Integration

HIPAA 164.308(a)(1) requires a formal risk analysis. SharePoint should be explicitly scoped in the risk analysis with specific sections covering:

  • Inventory of PHI-bearing sites and libraries
  • Current oversharing posture with remediation plan
  • Sensitivity label coverage metric (target 70 percent+ on PHI sites)
  • DLP policy coverage and enforcement status
  • Audit log retention and SIEM integration status
  • Copilot enablement scope and posture
  • Outstanding POA&M items related to SharePoint
  • Risk scores for each identified vulnerability with remediation timeline

Update the risk analysis annually or whenever a significant change occurs (new Copilot workload, new Business Associate, new major site provisioning).

HIPAA environments occasionally receive OCR subpoenas or civil litigation requests that reach SharePoint content. Build a legal-hold workflow that:

  • Identifies the scope (specific users, sites, or time windows) from the subpoena
  • Places Purview legal hold or Preservation Lock on the in-scope content
  • Exports requested content via eDiscovery with chain-of-custody documentation
  • Retains the hold until formal release from legal counsel

Document the workflow in the privacy office procedures and test annually. Legal-hold execution should complete within 48 hours of counsel instruction for most SharePoint content.

Frequently Asked Questions

How does PHI typically enter SharePoint?

Clinical documentation drafted in Word, care coordination sites, quality workpapers, population health reports, patient communications, migrated file shares, clinical meeting notes, and shared OneDrive folders. Map every entry point before broader Copilot enablement.

Do I need a separate SharePoint site for PHI?

Yes. Separate PHI-bearing sites classified with a Highly Confidential — PHI sensitivity label simplify audits, reduce breach blast radius, and enable cleaner DLP and Copilot governance.

How do I handle HIPAA minimum-necessary in SharePoint?

Layer clean permissions, role-based access groups, site-level sensitivity labels, DLP for HIPAA identifiers, and quarterly access reviews. Copilot is an additional layer only after the base layers are in place.

How long must SharePoint audit logs be retained for HIPAA?

Six years minimum. Purview Audit Premium or continuous SIEM export with six-year retention.

What does OCR expect during an investigation?

BAA acceptance, tenant settings, PHI site inventory, permission exports, sensitivity label and DLP policies, Purview audit samples, Copilot settings, Conditional Access policies, and training records.

Can clinicians use Copilot for SharePoint with patient data?

Yes, after oversharing remediation, 70 percent+ label coverage, Purview Copilot audit enabled, DLP policies for HIPAA identifiers, and training attestation.

How should research data be handled in SharePoint?

Per-protocol dedicated sites labeled Research-Limited-Data-Set or Research-PHI, IRB-scoped membership, disabled Copilot unless protocol-approved, and retention per IRB protocol (often 6–10 years post-study).

Share this article:

Written by the SharePoint Support Team

Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience

Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.

Frequently Asked Questions

How does PHI typically enter SharePoint?
PHI enters SharePoint through clinical documentation drafted in Word before EHR entry, care coordination SharePoint sites, quality workpapers, population health reports, patient communications, migrated clinical file shares, meeting notes from clinical committees, and shared OneDrive folders of clinicians. Map every entry point before enabling Copilot or broad external sharing.
Do I need a separate SharePoint site for PHI?
Separate PHI-bearing sites from general business sites, classified with a Highly Confidential — PHI sensitivity label that drives sharing restrictions, encryption, and DLP. Mixing PHI with non-PHI in a single site substantially increases audit complexity and breach blast radius. Dedicated sites simplify access reviews and evidence production.
How do I handle the HIPAA minimum-necessary standard in SharePoint?
Minimum-necessary is achieved through layered controls: clean permissions hygiene at the site and library level, role-based access groups aligned to clinical function, site-level sensitivity labels that restrict external sharing on PHI content, DLP policies that detect HIPAA identifiers and block or warn, and quarterly access reviews. Copilot adds a layer — enable only after label coverage and DLP are in place.
How long must SharePoint audit logs be retained for HIPAA?
Six years minimum from event date. Purview Audit (Premium) supports up to ten years natively, or export events continuously to Microsoft Sentinel with a six-year retention policy. Default 90/180-day Purview retention is not sufficient for HIPAA.
What does OCR expect during a SharePoint-related investigation?
Expect requests for: BAA acceptance evidence, tenant-level SharePoint settings, site inventory with PHI sites identified, permission exports for the investigation scope, sensitivity label policies, DLP policies and alert history, Purview audit samples for the investigation window, Copilot settings if enabled, and workforce training records. Pre-build the evidence package so it can be produced in hours, not weeks.
Can clinicians use Copilot for SharePoint with patient data?
Copilot for SharePoint is BAA-eligible and can be used with PHI in the commercial Microsoft 365 cloud — but only after oversharing is remediated, label coverage exceeds 70 percent on clinical content, Purview Copilot audit is enabled with six-year retention, DLP policies for HIPAA identifiers are in place, and clinicians are trained on prompt hygiene. Skipping any step reliably produces an incident.
How should research data be handled in SharePoint?
Research PHI falls under IRB-approved protocols and data use agreements in addition to HIPAA. Use dedicated SharePoint sites per IRB protocol, label content as Research-Limited-Data-Set or Research-PHI depending on scope, restrict membership to IRB-approved investigators, disable Copilot for research sites unless explicitly approved in the protocol, and retain audit logs for the protocol retention period (often 6–10 years post-study).

Need Expert Help?

Our SharePoint consultants are ready to help you implement these strategies in your organization.

Continue Reading in Compliance