The 25-Point SharePoint HIPAA Compliance Checklist
SharePoint Online can absolutely support HIPAA compliance. But "can support" and "is compliant" are very different things. I have audited over 50 healthcare organizations' SharePoint environments, and fewer than 20% pass all 25 of these checks on the first review. The most common finding: the BAA is signed, but the technical controls are not configured.
This checklist is organized in the order you should implement them. Skip nothing.
---
Foundation (Points 1-5)
1. Execute a Business Associate Agreement (BAA) with Microsoft
Priority: CRITICAL — nothing else matters without this
Microsoft will not sign a BAA automatically. You must request it through your Microsoft account team or enable it via the Microsoft 365 Admin Center under Settings > Org Settings > Security & Privacy. Without a BAA, your use of SharePoint Online for any PHI is a HIPAA violation regardless of every other control on this list.
Verification: Admin Center > Settings > Org Settings > Security & Privacy > HIPAA BAA should show "Active."
2. Confirm your Microsoft 365 tenant license tier supports HIPAA controls
Required: Microsoft 365 E3 minimum. E5 recommended for full compliance tooling.
E3 provides: sensitivity labels, basic DLP, standard audit logging, eDiscovery (Standard). E5 adds: advanced eDiscovery, extended audit log retention (1 year vs. 90 days), insider risk management, communication compliance, and auto-classification with trainable classifiers.
Healthcare organizations handling PHI at scale should budget for E5 or the E5 Compliance add-on ($12/user/month).
3. Enable Microsoft Purview sensitivity labels for PHI classification
Create a label taxonomy that identifies PHI explicitly.
Recommended label hierarchy:
- Public — No restrictions
- Internal — Organization-only access
- Confidential — Restricted access, no external sharing
- Highly Confidential - PHI — Encrypted, no external sharing, watermarked, access logged
The PHI label should: encrypt content at rest and in transit, prevent copy/paste to unauthorized apps, prevent printing without authorization, apply a visual marking ("CONFIDENTIAL - PHI"), and trigger automatic audit logging on every access event.
4. Configure Data Loss Prevention (DLP) policies for PHI patterns
DLP must scan SharePoint content for PHI identifiers and block unauthorized sharing.
Create DLP policies that detect:
- Social Security Numbers (SSN)
- Medical Record Numbers (MRN patterns)
- Health Insurance Claim Numbers
- Drug Enforcement Agency (DEA) numbers
- ICD-10 diagnosis codes in context
- Names combined with medical conditions or treatment information
Policy actions should: block external sharing of documents containing PHI, notify the compliance officer, require user justification for overrides, and log all matches for audit purposes.
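The DLP policy and rule for point 4, written out in Security & Compliance PowerShell. This is an added example, not the author's configuration; it assumes the ExchangeOnlineManagement module, a placeholder compliance-officer mailbox, and that the three built-in sensitive information type names match your tenant's catalog.

```powershell
# Added example, not part of the original checklist. Creates the PHI DLP policy and
# the blocking rule described in point 4. Assumes the ExchangeOnlineManagement module;
# the compliance-officer address is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell

$policyName = "PHI Protection - SharePoint"
$reportTo   = "compliance@contoso.example"   # placeholder: compliance officer mailbox

# Policy scoped to SharePoint. Start in test mode and move to -Mode Enable once
# false positives have been tuned, otherwise clinical workflows break on day one.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Detect PHI identifiers and block external sharing" `
    -SharePointLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types for the PHI identifiers in the list above.
# The names are assumed to match your tenant's catalog; confirm with:
#   Get-DlpSensitiveInformationType | Select-Object Name
$phiTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)";                   minCount = "1" },
    @{ Name = "Drug Enforcement Agency (DEA) Number";                 minCount = "1" },
    @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" }
)

# Rule implementing the four policy actions: block external sharing, notify the
# compliance officer, require a justification for overrides, log every match.
New-DlpComplianceRule -Name "$policyName - Block external sharing" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $phiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser @("LastModifier", "Owner") `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent @("Title", "DocumentAuthor", "Detections", "Severity") `
    -ReportSeverityLevel High

# Verify the rule and its actions before leaving test mode.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, NotifyAllowOverride, ReportSeverityLevel
```

MRN and insurance claim number formats vary by organization, so those two detections need custom sensitive information types built from your own patterns rather than the built-in catalog.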
5. Enable unified audit logging in Microsoft Purview
Every access, modification, sharing event, and permission change must be logged.
Verify in Purview Compliance Center > Audit that unified audit logging is turned ON (it is not enabled by default on all tenants). Configure audit log retention: 90 days minimum (E3 default), 1 year recommended (E5), 10 years available with audit log retention policies.
Critical events to monitor: FileAccessed, FileModified, FileDeleted, SharingSet, SharingRevoked, SensitivityLabelApplied, SensitivityLabelRemoved, DLPRuleMatch.
---
Access Controls (Points 6-12)
6. Implement least-privilege access for all PHI sites
No user should have access to PHI that is not required for their job function. Review every SharePoint site containing PHI and remove all "Everyone" and "Everyone except external users" grants. Replace broad access groups with role-specific security groups mapped to job functions.
7. Disable external sharing on all PHI-containing sites
SharePoint Admin Center > Sites > Select PHI site > Sharing > "Only people in your organization." This is non-negotiable for PHI. If external sharing is needed for specific business partners (e.g., insurance companies), use B2B guest access with MFA required and access reviews enabled.
8. Require Multi-Factor Authentication (MFA) for all users accessing PHI
Configure Conditional Access policies in Microsoft Entra ID (Azure AD) that require MFA for all SharePoint access from any device. For PHI sites specifically, consider requiring compliant devices only (managed by Intune) in addition to MFA.
9. Configure Conditional Access policies for PHI sites
Beyond MFA, configure policies that block access from unmanaged devices, block access from non-compliant devices, restrict access to specific geographic locations (block access from countries where your organization does not operate), and enforce a session timeout after 30 minutes of inactivity for PHI sites.
10. Enable access reviews for PHI site permissions
Configure quarterly access reviews in Microsoft Entra ID Governance. Site owners must certify that every user with PHI access still requires it. Users whose access is not confirmed within the review period should be automatically removed.
11. Implement information barriers if required by your organization
If your organization has departments that should not share PHI (e.g., a hospital system where competing physician groups must maintain separation), configure information barriers in Microsoft Purview to prevent cross-segment sharing.
12. Disable anonymous sharing links organization-wide
SharePoint Admin Center > Sharing > disable "Anyone" links entirely. For HIPAA environments, even "People in your organization" links should be replaced with direct user/group sharing for PHI content.
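Points 6, 7 and 12 as one SharePoint Online Management Shell script: tenant-wide link settings, per-site sharing lockdown, and a scan for tenant-wide grants. This is an added example, not the author's code; it assumes placeholder tenant and site URLs and relies on the claim login names SharePoint uses for the "Everyone" principals.

```powershell
# Added example, not part of the original checklist. Applies points 6, 7 and 12 to the
# PHI sites in $phiSites. Assumes the Microsoft.Online.SharePoint.PowerShell module;
# tenant and site URLs are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$phiSites = @(
    "https://contoso.sharepoint.com/sites/ClinicalRecords",
    "https://contoso.sharepoint.com/sites/Billing-PHI"
)

# Point 12, tenant-wide: no "Anyone" links anywhere, and the default link type is a
# direct (specific people) link rather than an organization-wide link.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Direct

# Login names SharePoint uses for the two tenant-wide principals from point 6.
$everyoneClaim         = "c:0(.s|true"          # "Everyone"
$everyoneInternalClaim = "spo-grid-all-users"   # substring of "Everyone except external users"

foreach ($site in $phiSites) {
    # Point 7: "Only people in your organization", direct links only.
    Set-SPOSite -Identity $site -SharingCapability Disabled -DefaultSharingLinkType Direct

    # Point 6: report any grant to the whole tenant so it can be replaced by role groups.
    $broad = Get-SPOUser -Site $site -Limit All | Where-Object {
        $_.LoginName -eq $everyoneClaim -or $_.LoginName -like "*$everyoneInternalClaim*"
    }
    if ($broad) {
        Write-Warning "$site grants access to: $($broad.DisplayName -join ', ')"
    } else {
        Write-Host "$site has no tenant-wide grants"
    }
}

# Verify the effective sharing setting on every PHI site.
foreach ($site in $phiSites) {
    Get-SPOSite -Identity $site | Select-Object Url, SharingCapability, DefaultSharingLinkType
}
```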
---
Content Protection (Points 13-18)
13. Enable versioning and prevent permanent deletion of PHI documents
All PHI document libraries should have versioning enabled (50+ versions retained), permanent deletion restricted to administrators, and recycle bin retention set to the maximum (93 days in the site recycle bin plus 93 days in the site collection recycle bin). This prevents accidental or malicious PHI destruction.
14. Configure retention policies for PHI content
HIPAA requires covered entities to retain PHI for 6 years from date of creation or last effective date. Configure Microsoft Purview retention labels: "PHI - 6 Year Retention" label that prevents deletion for 6 years, then triggers a disposition review (not automatic deletion).
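The "PHI - 6 Year Retention" label from point 14, created and published with Security & Compliance PowerShell. This is an added example, not the author's configuration; the reviewer address and site URL are placeholders.

```powershell
# Added example, not part of the original checklist. Creates and publishes the
# "PHI - 6 Year Retention" label from point 14. Assumes Security & Compliance
# PowerShell (ExchangeOnlineManagement module); reviewer address and site URL are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labelName = "PHI - 6 Year Retention"
$reviewer  = "privacyofficer@contoso.example"   # placeholder: receives disposition reviews
$phiSites  = @("https://contoso.sharepoint.com/sites/ClinicalRecords")

# KeepAndDelete retains content for the period (a copy is preserved even if a user
# deletes the item), and ReviewerEmail turns the end of the period into a disposition
# review instead of an automatic deletion. RetentionDuration is in days: 6 x 365 = 2190.
New-ComplianceTag -Name $labelName `
    -Comment "HIPAA: retain PHI 6 years from creation, then disposition review" `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -RetentionDuration 2190 `
    -ReviewerEmail $reviewer
# Add -IsRecordLabel $true above to also declare items as records, which blocks
# deletion while the label is applied rather than only preserving a copy.

# Publish the label to the PHI sites so site owners can apply it (point 16 can then
# auto-apply it via trainable classifiers).
New-RetentionCompliancePolicy -Name "$labelName - Publish" `
    -SharePointLocation $phiSites `
    -Enabled $true
New-RetentionComplianceRule -Name "$labelName - Rule" `
    -Policy "$labelName - Publish" `
    -PublishComplianceTag $labelName

# Verify the label's retention settings.
Get-ComplianceTag -Identity $labelName |
    Format-List Name, RetentionAction, RetentionType, RetentionDuration, ReviewerEmail
```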
15. Enable Microsoft Purview eDiscovery holds for litigation readiness
Pre-configure eDiscovery cases and custodian holds for PHI sites so that if a breach occurs or a legal hold is needed, you can freeze all relevant content within minutes, not days.
16. Apply sensitivity labels automatically using trainable classifiers (E5)
If your organization has E5 licensing, train Microsoft Purview classifiers to automatically detect and label PHI content. This catches PHI that users fail to manually classify. Auto-labeling should apply the "Highly Confidential - PHI" label and trigger DLP policy evaluation.
17. Encrypt PHI documents at rest using customer-managed keys (optional, E5)
Microsoft encrypts all SharePoint content at rest by default. For organizations with heightened control requirements, Customer Key allows you to manage your own encryption keys via Azure Key Vault. This gives you the ability to revoke Microsoft's access to your data.
18. Block download of PHI to unmanaged devices
Configure Conditional Access App Control through Microsoft Defender for Cloud Apps to prevent users from downloading PHI documents to personal devices. Allow view-only access from unmanaged devices if needed for clinical workflows.
---
Monitoring and Incident Response (Points 19-22)
19. Configure alerts for PHI access anomalies
Set up Microsoft Defender for Cloud Apps policies that alert on: unusual download volume from PHI sites, access from new geographic locations, access outside business hours, bulk file operations (mass download, mass delete), and failed access attempts.
20. Establish a breach notification workflow
HIPAA requires notification within 60 days of discovering a breach affecting 500+ individuals. Pre-build a SharePoint-based incident response workflow: detection (automated alerts), assessment (compliance officer review), containment (revoke access, apply holds), notification (HHS, affected individuals, media if 500+), and documentation (incident report retained for 6 years).
21. Conduct quarterly PHI access audits
Pull audit logs quarterly and review: who accessed PHI sites, which documents were accessed most frequently, any sharing events involving PHI content, any DLP policy matches and user overrides, and any sensitivity label changes on PHI documents.
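The quarterly pull from point 21, built on the critical event list from point 5. This is an added example, not the author's script; it assumes Exchange Online PowerShell (ExchangeOnlineManagement module), a placeholder PHI site URL, and the 90-day window that an E3 tenant retains.

```powershell
# Added example, not part of the original checklist. Pulls the critical events from
# point 5 for the last 90 days and produces the review views from point 21.
# Assumes Exchange Online PowerShell (ExchangeOnlineManagement module); the site URL is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$phiSites = @("https://contoso.sharepoint.com/sites/ClinicalRecords")
$ops = @("FileAccessed", "FileModified", "FileDeleted", "SharingSet", "SharingRevoked",
         "SensitivityLabelApplied", "SensitivityLabelRemoved", "DLPRuleMatch")
$end   = Get-Date
$start = $end.AddDays(-90)   # E3 default retention window

# A single call returns at most 5,000 records, so page with a session ID until exhausted.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId "phi-quarterly-review" -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page.Count -eq 5000)

# AuditData is a JSON string per record. Keep events on PHI sites; DLPRuleMatch records
# identify the site differently, so they are kept regardless and reviewed separately.
function Test-PhiSite([string]$url) {
    foreach ($s in $phiSites) { if ($url -and $url.StartsWith($s)) { return $true } }
    return $false
}
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.Operation -eq "DLPRuleMatch" -or (Test-PhiSite $_.SiteUrl) }

# The five questions from point 21, answered from the data.
"== Who accessed PHI sites =="
$events | Where-Object Operation -eq "FileAccessed" | Group-Object UserId |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
"== Most frequently accessed documents =="
$events | Where-Object Operation -eq "FileAccessed" | Group-Object ObjectId |
    Sort-Object Count -Descending | Select-Object -First 20 Name, Count
"== Sharing events involving PHI (review every row) =="
$events | Where-Object Operation -in "SharingSet", "SharingRevoked" |
    Select-Object CreationTime, UserId, ObjectId, TargetUserOrGroupName, TargetUserOrGroupType
"== DLP matches (compare against override justifications in the incident reports) =="
$events | Where-Object Operation -eq "DLPRuleMatch" | Select-Object CreationTime, UserId, ObjectId
"== Sensitivity label changes =="
$events | Where-Object Operation -in "SensitivityLabelApplied", "SensitivityLabelRemoved" |
    Select-Object CreationTime, UserId, ObjectId, Operation

# Retain the raw pull alongside the review (point 23 asks for evidence, not summaries).
$events | Export-Csv -Path ".\phi-audit-$($end.ToString('yyyy-MM-dd')).csv" -NoTypeInformation
```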
22. Test your incident response plan annually
Run a tabletop exercise simulating a PHI breach through SharePoint. Test that your alerts fire, your containment procedures work, your notification workflow executes, and your documentation meets HIPAA requirements.
---
Governance and Training (Points 23-25)
23. Document your SharePoint HIPAA compliance configuration
Maintain a written document (your "SharePoint HIPAA Compliance Manual") that maps every HIPAA requirement to the specific SharePoint configuration that satisfies it. This document is what you hand to auditors. It should include screenshots, policy names, configuration settings, and responsible parties.
24. Train all users with PHI access on SharePoint compliance procedures
Annual training must cover: how to identify PHI, how sensitivity labels work, what happens when DLP blocks sharing, how to report suspected breaches, and what constitutes a HIPAA violation in SharePoint.
25. Assign a SharePoint HIPAA compliance owner
One person (typically the Privacy Officer or CISO) must own the ongoing compliance of your SharePoint environment. This person reviews audit logs, manages access reviews, updates policies when requirements change, and serves as the point of contact for auditors.
---
Frequently Asked Questions
Is SharePoint Online HIPAA compliant out of the box?
No. SharePoint Online supports HIPAA compliance, but it requires extensive configuration. The platform provides the tools — sensitivity labels, DLP, audit logging, encryption, access controls — but you must configure and maintain them. An unconfigured SharePoint Online tenant is not HIPAA compliant.
Which Microsoft 365 license do I need for HIPAA compliance?
E3 minimum, E5 recommended. E3 provides basic sensitivity labels, DLP, and 90-day audit logs. E5 adds auto-classification, 1-year audit retention, advanced eDiscovery, insider risk management, and communication compliance. The E5 Compliance add-on ($12/user/month) is a cost-effective alternative to full E5.
Can I store PHI in SharePoint Online?
Yes, provided you have: (1) an active BAA with Microsoft, (2) sensitivity labels applied to PHI content, (3) DLP policies preventing unauthorized sharing, (4) audit logging enabled, (5) access controls configured on a least-privilege basis, and (6) all other controls on this checklist implemented. GCC and GCC High tenants provide additional isolation for organizations with heightened requirements.
How often should I audit my SharePoint HIPAA compliance?
Quarterly access reviews and audit log reviews are the minimum. Conduct an annual comprehensive assessment covering all 25 points on this checklist, and an immediate review after any security incident, configuration change, or organizational change (mergers, new departments, new clinical systems).
What is the penalty for a HIPAA violation involving SharePoint?
HIPAA penalties range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. Willful neglect violations that are not corrected carry the highest penalties. Criminal penalties can include fines up to $250,000 and imprisonment. Beyond penalties, breach notification to affected individuals and media creates significant reputational damage.
Do I need GCC or GCC High for HIPAA compliance?
Commercial Microsoft 365 with a BAA is sufficient for most healthcare organizations. GCC is required for organizations working with certain government health agencies. GCC High is required for organizations handling CUI (Controlled Unclassified Information) or working under ITAR/EAR. Most hospitals, clinics, and health insurers operate on commercial tenants with a BAA.
Written by Errin O'Connor
Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem
Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.
