SharePoint HIPAA Compliance Checklist: 25 Points Every...

The 25-Point SharePoint HIPAA Compliance Checklist

SharePoint Online can absolutely support HIPAA compliance. But "can support" and "is compliant" are very different things. I have audited over 50 healthcare organizations' SharePoint environments, and fewer than 20% pass all 25 of these checks on the first review. The most common finding: the BAA is signed, but the technical controls are not configured.

This checklist is organized in the order you should implement them. Skip nothing.

---

Foundation (Points 1-5)

1. Execute a Business Associate Agreement (BAA) with Microsoft

Priority: CRITICAL — nothing else matters without this

Microsoft will not sign a BAA automatically. You must request it through your Microsoft account team or enable it via the Microsoft 365 Admin Center under Settings > Org Settings > Security & Privacy. Without a BAA, your use of SharePoint Online for any PHI is a HIPAA violation regardless of every other control on this list.

Verification: Admin Center > Settings > Org Settings > Security & Privacy > HIPAA BAA should show "Active."

2. Confirm your Microsoft 365 tenant license tier supports HIPAA controls

Required: Microsoft 365 E3 minimum. E5 recommended for full compliance tooling.

E3 provides: sensitivity labels, basic DLP, standard audit logging, eDiscovery (Standard). E5 adds: advanced eDiscovery, extended audit log retention (1 year vs. 90 days), insider risk management, communication compliance, and auto-classification with trainable classifiers.

Healthcare organizations handling PHI at scale should budget for E5 or the E5 Compliance add-on ($12/user/month).

3. Enable Microsoft Purview sensitivity labels for PHI classification

Create a label taxonomy that identifies PHI explicitly.

Recommended label hierarchy:

• Public — No restrictions
• Internal — Organization-only access
• Confidential — Restricted access, no external sharing
• Highly Confidential - PHI — Encrypted, no external sharing, watermarked, access logged

The PHI label should apply: encryption at rest and in transit, prevent copy/paste to unauthorized apps, prevent printing without authorization, apply a visual marking ("CONFIDENTIAL - PHI"), and trigger automatic audit logging on every access event.

4. Configure Data Loss Prevention (DLP) policies for PHI patterns

DLP must scan SharePoint content for PHI identifiers and block unauthorized sharing.

Create DLP policies that detect:

• Social Security Numbers (SSN)
• Medical Record Numbers (MRN patterns)
• Health Insurance Claim Numbers
• Drug Enforcement Agency (DEA) numbers
• ICD-10 diagnosis codes in context
• Names combined with medical conditions or treatment information

Policy actions should: block external sharing of documents containing PHI, notify the compliance officer, require user justification for overrides, and log all matches for audit purposes.

5. Enable unified audit logging in Microsoft Purview

Every access, modification, sharing event, and permission change must be logged.

Verify in Purview Compliance Center > Audit that unified audit logging is turned ON (it is not enabled by default on all tenants). Configure audit log retention: 90 days minimum (E3 default), 1 year recommended (E5), 10 years available with audit log retention policies.

Critical events to monitor: FileAccessed, FileModified, FileDeleted, SharingSet, SharingRevoked, SensitivityLabelApplied, SensitivityLabelRemoved, DLPRuleMatch.

---

Access Controls (Points 6-12)

6. Implement least-privilege access for all PHI sites

No user should have access to PHI that is not required for their job function. Review every SharePoint site containing PHI and remove all "Everyone" and "Everyone except external users" grants. Replace broad access groups with role-specific security groups mapped to job functions.

7. Disable external sharing on all PHI-containing sites

SharePoint Admin Center > Sites > Select PHI site > Sharing > "Only people in your organization." This is non-negotiable for PHI. If external sharing is needed for specific business partners (e.g., insurance companies), use B2B guest access with MFA required and access reviews enabled.

8. Require Multi-Factor Authentication (MFA) for all users accessing PHI

Configure Conditional Access policies in Microsoft Entra ID (Azure AD) that require MFA for all SharePoint access from any device. For PHI sites specifically, consider requiring compliant devices only (managed by Intune) in addition to MFA.

9. Configure Conditional Access policies for PHI sites

Beyond MFA, configure: block access from unmanaged devices, block access from non-compliant devices, require specific geographic locations (block access from countries where your organization does not operate), session timeout after 30 minutes of inactivity for PHI sites.

10. Enable access reviews for PHI site permissions

Configure quarterly access reviews in Microsoft Entra ID Governance. Site owners must certify that every user with PHI access still requires it. Users whose access is not confirmed within the review period should be automatically removed.

11. Implement information barriers if required by your organization

If your organization has departments that should not share PHI (e.g., a hospital system where competing physician groups must maintain separation), configure information barriers in Microsoft Purview to prevent cross-segment sharing.

12. Disable anonymous sharing links organization-wide

SharePoint Admin Center > Sharing > disable "Anyone" links entirely. For HIPAA environments, even "People in your organization" links should be replaced with direct user/group sharing for PHI content.

---

Content Protection (Points 13-18)

13. Enable versioning and prevent permanent deletion of PHI documents

All PHI document libraries should have: versioning enabled (50+ versions retained), no user ability to permanently delete (admin-only), recycle bin retention set to maximum (93 days site + 93 days site collection). This prevents accidental or malicious PHI destruction.

14. Configure retention policies for PHI content

HIPAA requires covered entities to retain PHI for 6 years from date of creation or last effective date. Configure Microsoft Purview retention labels: "PHI - 6 Year Retention" label that prevents deletion for 6 years, then triggers a disposition review (not automatic deletion).

15. Enable Microsoft Purview eDiscovery holds for litigation readiness

Pre-configure eDiscovery cases and custodian holds for PHI sites so that if a breach occurs or a legal hold is needed, you can freeze all relevant content within minutes, not days.

16. Apply sensitivity labels automatically using trainable classifiers (E5)

If your organization has E5 licensing, train Microsoft Purview classifiers to automatically detect and label PHI content. This catches PHI that users fail to manually classify. Auto-labeling should apply the "Highly Confidential - PHI" label and trigger DLP policy evaluation.

17. Encrypt PHI documents at rest using customer-managed keys (optional, E5)

Microsoft encrypts all SharePoint content at rest by default. For organizations with heightened control requirements, Customer Key allows you to manage your own encryption keys via Azure Key Vault. This gives you the ability to revoke Microsoft's access to your data.

18. Block download of PHI to unmanaged devices

Configure Conditional Access App Control through Microsoft Defender for Cloud Apps to prevent users from downloading PHI documents to personal devices. Allow view-only access from unmanaged devices if needed for clinical workflows.

---

Monitoring and Incident Response (Points 19-22)

19. Configure alerts for PHI access anomalies

Set up Microsoft Defender for Cloud Apps policies that alert on: unusual download volume from PHI sites, access from new geographic locations, access outside business hours, bulk file operations (mass download, mass delete), and failed access attempts.

20. Establish a breach notification workflow

HIPAA requires notification within 60 days of discovering a breach affecting 500+ individuals. Pre-build a SharePoint-based incident response workflow: detection (automated alerts), assessment (compliance officer review), containment (revoke access, apply holds), notification (HHS, affected individuals, media if 500+), and documentation (incident report retained for 6 years).

21. Conduct quarterly PHI access audits

Pull audit logs quarterly and review: who accessed PHI sites, which documents were accessed most frequently, any sharing events involving PHI content, any DLP policy matches and user overrides, and any sensitivity label changes on PHI documents.

22. Test your incident response plan annually

Run a tabletop exercise simulating a PHI breach through SharePoint. Test that your alerts fire, your containment procedures work, your notification workflow executes, and your documentation meets HIPAA requirements.

---

Governance and Training (Points 23-25)

23. Document your SharePoint HIPAA compliance configuration

Maintain a written document (your "SharePoint HIPAA Compliance Manual") that maps every HIPAA requirement to the specific SharePoint configuration that satisfies it. This document is what you hand to auditors. It should include screenshots, policy names, configuration settings, and responsible parties.

24. Train all users with PHI access on SharePoint compliance procedures

Annual training must cover: how to identify PHI, how sensitivity labels work, what happens when DLP blocks sharing, how to report suspected breaches, and what constitutes a HIPAA violation in SharePoint.

25. Assign a SharePoint HIPAA compliance owner

One person (typically the Privacy Officer or CISO) must own the ongoing compliance of your SharePoint environment. This person reviews audit logs, manages access reviews, updates policies when requirements change, and serves as the point of contact for auditors.

---

Frequently Asked Questions

Is SharePoint Online HIPAA compliant out of the box?

No. SharePoint Online supports HIPAA compliance, but it requires extensive configuration. The platform provides the tools — sensitivity labels, DLP, audit logging, encryption, access controls — but you must configure and maintain them. An unconfigured SharePoint Online tenant is not HIPAA compliant.

Which Microsoft 365 license do I need for HIPAA compliance?

E3 minimum, E5 recommended. E3 provides basic sensitivity labels, DLP, and 90-day audit logs. E5 adds auto-classification, 1-year audit retention, advanced eDiscovery, insider risk management, and communication compliance. The E5 Compliance add-on ($12/user/month) is a cost-effective alternative to full E5.

Can I store PHI in SharePoint Online?

Yes, provided you have: (1) an active BAA with Microsoft, (2) sensitivity labels applied to PHI content, (3) DLP policies preventing unauthorized sharing, (4) audit logging enabled, (5) access controls configured on a least-privilege basis, and (6) all other controls on this checklist implemented. GCC and GCC High tenants provide additional isolation for organizations with heightened requirements.

How often should I audit my SharePoint HIPAA compliance?

Quarterly access reviews and audit log reviews are the minimum. Annual comprehensive assessments covering all 25 points on this checklist. Immediate reviews after any security incident, configuration change, or organizational change (mergers, new departments, new clinical systems).

What is the penalty for a HIPAA violation involving SharePoint?

HIPAA penalties range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. Willful neglect violations that are not corrected carry the highest penalties. Criminal penalties can include fines up to $250,000 and imprisonment. Beyond penalties, breach notification to affected individuals and media creates significant reputational damage.

Do I need GCC or GCC High for HIPAA compliance?

Commercial Microsoft 365 with a BAA is sufficient for most healthcare organizations. GCC is required for organizations working with certain government health agencies. GCC High is required for organizations handling CUI (Controlled Unclassified Information) or working under ITAR/EAR. Most hospitals, clinics, and health insurers operate on commercial tenants with a BAA.

Need expert guidance? [Contact our team](/contact) to discuss your requirements, or explore our [HIPAA compliance consulting](/services/sharepoint-consulting) to learn how we can help your organization.

Enterprise Implementation Best Practices

In our 25+ years of enterprise SharePoint consulting, we have guided hundreds of organizations through complex SharePoint initiatives spanning every industry and organizational scale. The implementation patterns that consistently deliver successful outcomes share common characteristics regardless of the specific feature or capability being deployed.

• Conduct a Thorough Requirements and Readiness Assessment: Before beginning any SharePoint implementation, invest time in understanding both the business requirements and the technical readiness of your environment. Assess your current content architecture, permission structures, integration dependencies, and user readiness. This assessment typically reveals 20 to 30 percent more complexity than initial stakeholder estimates suggest.

• Deploy in Controlled Phases with Pilot Groups: Start with a pilot group of 50 to 100 representative users from different departments and roles. Define measurable success criteria for each phase and collect structured feedback through surveys and interviews. Phased deployment reduces risk, builds organizational confidence, and generates the internal success stories that accelerate broader adoption.

• Invest in Change Management and Training: Technology implementations fail when organizations underinvest in helping people adapt to new tools and processes. Develop role-specific training that demonstrates how the new capability helps users accomplish their actual daily tasks. Create champion networks, host office hours, and celebrate early wins to build momentum across the organization.

• Automate Governance and Compliance Controls: Manual governance does not scale beyond a few dozen users or sites. Implement automated policy enforcement using Power Automate workflows, sensitivity labels, retention policies, and [SharePoint administrative tools](/services/sharepoint-consulting) that ensure consistent compliance without creating bottlenecks or relying on individual user behavior.

• Establish Monitoring, Metrics, and Continuous Improvement: Define key performance indicators before deployment and track them systematically. Monitor adoption rates, user satisfaction, performance metrics, and business outcome improvements. Review these metrics monthly with stakeholders and use them to drive iterative improvements rather than treating the initial deployment as the finished state.

Governance and Compliance Considerations

Governance frameworks must satisfy the compliance requirements specific to your industry while remaining practical enough for daily operation. The most effective governance frameworks are those designed with regulatory compliance as a core requirement rather than an afterthought.

For HIPAA-regulated healthcare organizations, your governance framework must include specific controls for protected health information including access logging, minimum necessary access enforcement, encryption requirements, and business associate agreement tracking for any external sharing. Sensitivity labels should automatically apply encryption to documents containing PHI, and your retention policies must align with HIPAA's six-year minimum retention requirement.

Financial services organizations operating under SOC 2 need governance controls that demonstrate security, availability, processing integrity, confidentiality, and privacy of customer data. Your governance framework should map directly to SOC 2 trust service criteria, with automated evidence collection for audit readiness. SharePoint audit logs, access reviews, and change management records all serve as SOC 2 evidence.

Government agencies and contractors subject to FedRAMP or CMMC must implement governance controls satisfying federal security requirements including FIPS 140-2 compliant encryption, strict access controls based on security clearance levels, and comprehensive audit trails meeting NIST 800-53 control families.

Regardless of your specific regulatory environment, your governance framework should include data classification policies, retention schedules complying with applicable regulations, incident response procedures, and regular compliance assessments verifying controls function as designed. Working with experienced [SharePoint governance consultants](/services/sharepoint-consulting) who understand your regulatory landscape ensures your framework addresses compliance from day one.

Ready to transform your SharePoint environment into a strategic business asset? Our specialists have guided hundreds of enterprises through successful SharePoint implementations across healthcare, financial services, government, and other regulated industries. [Contact our team](/contact) for a comprehensive assessment, and discover how our [SharePoint consulting services](/services/sharepoint-consulting) can deliver the outcomes your organization needs.

Common Challenges and Solutions

Organizations implementing SharePoint consistently encounter obstacles that, if left unaddressed, undermine adoption and erode stakeholder confidence. Drawing on two decades of enterprise SharePoint consulting, these are the challenges we see most frequently and the proven approaches for overcoming them.

Challenge 1: Content Sprawl and Information Architecture Degradation

Over time, SharePoint environments accumulate redundant, outdated, and trivial content that degrades search relevance and confuses users. Without proactive content lifecycle management, the signal-to-noise ratio deteriorates and user trust in the platform erodes. The resolution requires a structured approach: establishing automated retention policies that flag content for review after defined periods of inactivity, combined with content owner accountability structures that assign clear responsibility for each site collection and library. Organizations that address this proactively report 40 to 60 percent fewer support tickets within the first 90 days of deployment. Establishing a dedicated governance committee with representatives from IT, compliance, and business stakeholders ensures ongoing alignment between technical configuration and organizational objectives.

Challenge 2: Compliance and Audit Readiness Gaps

SharePoint implementations in regulated industries often lack the audit trail depth and policy enforcement rigor required by frameworks such as HIPAA, SOC 2, and GDPR. Retroactive compliance remediation is significantly more expensive and disruptive than building compliance into the initial design. We recommend embedding compliance requirements into the information architecture from day one. Configure Microsoft Purview retention labels, DLP policies, and audit logging before deploying content, and validate compliance posture through regular internal audits. Tracking these metrics through [SharePoint health dashboards](/services/sharepoint-consulting) provides early warning indicators that allow administrators to intervene before minor issues become systemic problems affecting enterprise-wide productivity.

Challenge 3: Inconsistent Governance Across Business Units

When different departments implement SharePoint independently, inconsistent naming conventions, metadata schemas, and security configurations create silos that undermine cross-functional collaboration and complicate compliance reporting. The most effective mitigation strategy involves centralizing governance policy definition while allowing controlled flexibility at the departmental level. A hub-and-spoke governance model balances enterprise consistency with departmental autonomy. Enterprises operating in regulated industries such as healthcare and financial services must pay particular attention to this challenge because compliance violations carry significant financial and reputational consequences. Regular audits conducted quarterly at minimum help organizations maintain alignment with evolving regulatory requirements and internal policy updates.

Challenge 4: Migration and Legacy Content Complexity

Organizations transitioning legacy content into SharePoint often underestimate the complexity of mapping old structures, metadata, and permissions to modern architectures. Failed migrations erode user confidence and create parallel systems that duplicate effort. Addressing this requires conducting thorough pre-migration content audits that classify and prioritize content based on business value. Invest in automated migration tools that preserve metadata fidelity and permission integrity while providing detailed validation reports. Organizations that invest in structured change management programs achieve adoption rates 35 percent higher than those relying on organic discovery alone. Executive sponsorship combined with department-level champions creates the organizational momentum necessary for sustained success.

Integration with Microsoft 365 Ecosystem

SharePoint does not operate in isolation. Its value multiplies when connected to the broader Microsoft 365 ecosystem, creating unified workflows that eliminate context switching and reduce manual data transfer between applications.

Microsoft Teams Integration: Configure Teams notifications that alert stakeholders when SharePoint content changes, ensuring that distributed teams stay informed about updates without relying on manual communication workflows. Teams channels automatically provision SharePoint document libraries, which means sharepoint configurations and content flow seamlessly between collaborative conversations and structured document management. Users can surface SharePoint content directly within Teams tabs, reducing the friction that typically causes adoption to stall.

Power Automate Workflows: Create event-driven automations that respond to SharePoint changes in real time, triggering downstream processes such as notifications, data transformations, and cross-system synchronization. Automated workflows triggered by SharePoint events such as document uploads, metadata changes, or approval completions eliminate repetitive manual tasks. Organizations typically automate 15 to 25 processes within the first quarter, saving an average of 8 hours per week per department. These automations also create audit trails that satisfy compliance requirements for regulated industries.

Power BI Analytics: Connect SharePoint list and library data to Power BI datasets for advanced analytics that transform raw operational data into strategic business intelligence accessible to decision makers across the organization. Connecting SharePoint data to Power BI dashboards provides real-time visibility into content usage patterns, adoption metrics, and operational KPIs. Decision makers gain actionable intelligence without requiring manual report generation, enabling faster response to emerging trends and potential issues.

Microsoft Purview and Compliance: Configure data loss prevention policies that monitor SharePoint content for sensitive information patterns, blocking or restricting sharing actions that could violate compliance requirements. Sensitivity labels, data loss prevention policies, and retention schedules configured in Microsoft Purview extend automatically to sharepoint content. This unified compliance framework ensures that governance policies apply consistently across the entire Microsoft 365 environment rather than requiring separate configuration for each workload. For organizations subject to [HIPAA, SOC 2, or FedRAMP requirements](https://www.epcgroup.net/services/compliance-consulting), this integrated approach significantly reduces compliance management overhead.

Getting Started: Next Steps

Implementing SharePoint effectively requires more than technical configuration. It demands a strategic approach grounded in your organization's specific business requirements, compliance obligations, and growth trajectory. The difference between a deployment that delivers measurable ROI and one that becomes shelfware often comes down to the quality of upfront planning and expert guidance.

Begin with a focused assessment of your current SharePoint environment. Evaluate your existing information architecture, permission structures, content lifecycle policies, and user adoption patterns. Identify gaps between your current state and the target state required for successful sharepoint implementation. This assessment typically takes 2 to 4 weeks and produces a prioritized roadmap that aligns technical work with business outcomes.

Our SharePoint specialists have guided organizations across healthcare, financial services, government, and education through hundreds of successful implementations. We bring deep expertise in [SharePoint architecture](/services/sharepoint-consulting), governance frameworks, and compliance alignment that accelerates time to value while minimizing risk.

Ready to move forward? [Contact our team](/contact) for a complimentary consultation. We will assess your environment, identify quick wins, and develop a phased implementation plan tailored to your organization's needs and timeline. Whether you are starting from scratch or optimizing an existing deployment, our enterprise SharePoint consultants deliver the expertise and accountability that Fortune 500 organizations demand.