# SharePoint HIPAA Compliance Guide: Configuring Microsoft 365 for Healthcare
Healthcare organizations using Microsoft 365 and SharePoint Online must meet HIPAA requirements for protecting Protected Health Information (PHI). SharePoint is technically capable of HIPAA compliance — but only when configured correctly.
This guide covers the configuration steps required to deploy SharePoint in a HIPAA-compliant manner for covered entities and business associates, and the evidence each step should leave behind for an auditor.
---
Is SharePoint Online HIPAA Compliant?
SharePoint Online itself is not inherently HIPAA compliant or non-compliant — it depends entirely on how it is configured and how your organization uses it. Microsoft provides the platform capabilities and signs a Business Associate Agreement (BAA). Your organization must implement appropriate administrative, physical, and technical safeguards.
Microsoft's HIPAA commitments:
- Microsoft signs a Business Associate Agreement (BAA) for Microsoft 365 and Azure
- Microsoft 365 datacenter infrastructure meets HIPAA physical safeguards
- Microsoft 365 supports the technical safeguards required by HIPAA
Your organization's responsibilities:
- Configure appropriate access controls
- Enable and maintain audit logging
- Implement encryption for data at rest and in transit
- Establish workforce training and policies
- Execute BAAs with all business associates who access PHI through your environment
---
Step 1: Confirm the Microsoft Business Associate Agreement
Microsoft does not execute a separate BAA with each customer. The HIPAA BAA is part of the Microsoft Product Terms (formerly the Online Services Terms) and the Data Protection Addendum, and it applies automatically to every customer that is a covered entity or business associate. There is no agreement to accept in the Microsoft 365 admin center, but you still need evidence of coverage. Before storing any PHI in Microsoft 365:
- Download the current Product Terms and DPA, including the HIPAA BAA section, from the Microsoft licensing site and keep a dated copy
- Confirm that every service you will use for PHI (SharePoint Online, OneDrive, Exchange Online, Teams, Purview) is listed as covered; the list is updated as Microsoft adds services, so re-check it whenever you adopt a new one
- Record the Product Terms version and retrieval date in your compliance records
- Put the check on an annual calendar, since the Product Terms are revised periodically
---
Step 2: Configure Access Controls (HIPAA Technical Safeguard §164.312(a))
Unique User Identification (§164.312(a)(2)(i), required)
- Every user accessing PHI must have a unique account; no shared logins
- Microsoft Entra ID (formerly Azure AD) already enforces unique user principal names, so the work is organizational: map every person to exactly one identity and make sure no credential is shared
- Disable or remove any shared or service accounts that access PHI; where an integration genuinely needs non-interactive access, use a dedicated service principal with its own audit trail rather than a shared user account
Multi-Factor Authentication
HIPAA's person or entity authentication standard (§164.312(d)) requires verifying that a user is who they claim to be, and automatic logoff (§164.312(a)(2)(iii)) is an addressable specification. The current rule does not name MFA (the HHS proposed update published in January 2025 would mandate it), but regulators and auditors already treat password-only access to PHI as inadequate, so treat MFA as required. A sign-in frequency control in the same policy covers periodic re-authentication:
```
Azure AD Conditional Access Policy for PHI Access:
- Users: All users
- Cloud apps: SharePoint Online
- Conditions: (optional) require compliant device
- Grant: Require multi-factor authentication
- Session: Sign-in frequency — 4 hours (re-authenticate regularly)
```
Emergency Access Accounts
Create two emergency access (break-glass) accounts for admin access when the MFA infrastructure or a Conditional Access policy locks everyone else out. Exclude them from the MFA policy above (otherwise they fail together with it), protect each with a FIDO2 security key or a long random password stored offline, give them no licenses or mailbox, raise an alert on every sign-in, and test them quarterly with the test recorded.
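The policy above, expressed with Microsoft Graph PowerShell so it can be version-controlled and reviewed, with the break-glass exclusion and a verification step. This is an added example and not code from the original article; it assumes the Microsoft.Graph.Identity.SignIns module, that the two GUIDs are placeholders for your break-glass account object IDs, and the well-known application ID of Office 365 SharePoint Online.

```powershell
# Added example, not from the original article. Placeholders: the two break-glass
# object IDs. Requires: Install-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Well-known application ID of Office 365 SharePoint Online (covers OneDrive too).
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

# Break-glass accounts (placeholder object IDs). Excluding them is what keeps you from
# being locked out if the MFA provider or the policy itself misbehaves.
$breakGlassIds = @(
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222"
)

$policy = @{
    displayName = "PHI - Require MFA for SharePoint Online"
    # Start in report-only; switch to "enabled" once sign-in logs show no unexpected impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @($sharePointAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # add "compliantDevice" with operator "AND" to require a managed device
    }
    sessionControls = @{
        signInFrequency = @{
            value             = 4
            type              = "hours"
            frequencyInterval = "timeBased"
            isEnabled         = $true
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Verification: confirm both break-glass accounts are excluded before enforcing.
$check   = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$missing = $breakGlassIds | Where-Object { $_ -notin $check.Conditions.Users.ExcludeUsers }
if ($missing) {
    Write-Warning "Break-glass account(s) NOT excluded from the policy: $($missing -join ', ')"
} else {
    "Break-glass exclusion verified; review report-only results, then set state to 'enabled'."
}
```

Leaving the policy in report-only mode for a week and reading the Conditional Access insights workbook before enforcing is the check that catches service accounts and shared mailboxes nobody remembered were signing in to SharePoint.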
Role-Based Access Control for PHI
Create specific SharePoint permission groups for PHI access:
| Group | Permission | Members |
|-------|-----------|---------|
| PHI-Owners | Site Owner | Site admins only (2 max) |
| PHI-Clinical | Edit | Clinical staff requiring PHI access |
| PHI-Billing | Read | Billing staff (billing records only) |
| PHI-Admin | Read | Administrative staff (limited PHI) |
| PHI-Audit | Read | Compliance/audit team |
Never use "Everyone" or "All Licensed Users" groups for PHI content.
---
Step 3: Configure PHI-Specific SharePoint Libraries
Separate PHI from Non-PHI Content
Create dedicated site collections for PHI content, isolated from general business content:
```
Recommended structure:
/sites/ClinicalRecords (PHI)
├── Patient Records (PHI - restricted)
├── Clinical Protocols (PHI - restricted)
└── De-identified Research Data (non-PHI)
/sites/HospitalIntranet (non-PHI)
├── HR Policies
├── IT Help Desk
└── General Announcements
```
External Sharing for PHI Libraries
Disable external sharing completely for PHI site collections:
- SharePoint Admin Center → Active Sites → [PHI site] → Policies → External sharing
- Set to: Only people in your organization
- A site can only be as permissive as the tenant-level setting, so also tighten the tenant default (SharePoint Admin Center → Policies → Sharing) and block "Anyone" links tenant-wide; site owners cannot raise a site above the tenant level, but SharePoint admins can change the site setting, so monitor the PHI sites for drift
Version History
HIPAA requires maintaining PHI integrity (§164.312(c)(1)) and tracking changes:
- Enable version history on all PHI document libraries (major versions at a minimum; minor versions if draft review is used)
- Keep the SharePoint Online default of 500 major versions; do not lower it, and do not enable automatic version trimming on PHI libraries
- Never auto-delete versions of PHI records; a retention policy on the site preserves versions as well as current content, and lifecycle is handled in Step 6
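The external sharing and versioning settings from this step, applied and then verified with the SharePoint Online Management Shell and PnP PowerShell, including a drift check that can run on a schedule. This is an added example and not code from the original article; it assumes a tenant named contoso, the site and library names from the structure above, and an Entra app registration client ID for PnP (recent PnP.PowerShell releases require your own app; the GUID is a placeholder).

```powershell
# Added example, not from the original article. Assumes tenant "contoso", the site and
# libraries named above, and a PnP app registration client ID (placeholder GUID).
# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell ; Install-Module PnP.PowerShell
$adminUrl     = "https://contoso-admin.sharepoint.com"
$phiSites     = @("https://contoso.sharepoint.com/sites/ClinicalRecords")
$phiLibraries = @("Patient Records", "Clinical Protocols")
$pnpClientId  = "33333333-3333-3333-3333-333333333333"   # your Entra app for PnP (placeholder)

Connect-SPOService -Url $adminUrl

# 1. Tenant floor: no anonymous "Anyone" links anywhere in the tenant. Sites can be
#    more restrictive than this, never less.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 2. PHI sites: external sharing fully disabled.
foreach ($site in $phiSites) {
    Set-SPOSite -Identity $site -SharingCapability Disabled
}

# 3. Drift check, suitable for a scheduled job: any PHI site not at "Disabled" is a finding.
function Test-PhiSharingDisabled {
    param([string[]]$Sites)
    Get-SPOSite -Limit All |
        Where-Object { $_.Url -in $Sites -and $_.SharingCapability -ne "Disabled" } |
        Select-Object Url, SharingCapability
}
$drift = Test-PhiSharingDisabled -Sites $phiSites
if ($drift) { Write-Warning "External sharing enabled on PHI site(s):"; $drift | Format-Table -AutoSize }
else        { "All PHI sites have external sharing disabled." }

# 4. Versioning on each PHI library: keep the 500 major-version default and confirm it.
foreach ($site in $phiSites) {
    Connect-PnPOnline -Url $site -ClientId $pnpClientId -Interactive
    foreach ($lib in $phiLibraries) {
        Set-PnPList -Identity $lib -EnableVersioning $true -MajorVersions 500
        $l = Get-PnPList -Identity $lib -Includes EnableVersioning, MajorVersionLimit
        "{0}: versioning={1}, major versions kept={2}" -f $l.Title, $l.EnableVersioning, $l.MajorVersionLimit
    }
}
```

Run the drift check from the same scheduled job that produces the monthly audit evidence; a PHI site reporting anything other than Disabled is the "external sharing enabled on PHI site" event from the alert table in Step 5, caught at the configuration layer rather than after a link has been created.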
---
Step 4: Encryption Configuration (HIPAA Technical Safeguards §164.312(a)(2)(iv) and §164.312(e)(2)(ii))
Data in Transit
SharePoint Online uses TLS 1.2/1.3 for all data in transit — this is automatic and meets HIPAA requirements. No additional configuration required.
Data at Rest
SharePoint Online encrypts data at rest with AES-256 by default (BitLocker on the storage volumes plus per-file keys on top), using Microsoft-managed keys. Encryption at rest is an addressable specification, and this satisfies it.
For tighter control over encryption keys:
Microsoft Purview Customer Key lets you supply the root keys, held in Azure Key Vault, that protect the per-file keys:
- Requires Microsoft 365 E5, Office 365 E5, or the E5 Compliance / Information Protection and Governance add-on
- You control the root keys and can revoke them to start the data purge path. Microsoft retains an availability key for recovery scenarios, so Customer Key is a key-custody and auditability control, not proof that Microsoft can never decrypt. If the requirement is that Microsoft genuinely cannot read specific content, that is Double Key Encryption applied through a sensitivity label, at the cost of losing search, co-authoring and DLP inspection on those files
- Recommended for large healthcare organizations with strict data sovereignty or key-custody requirements
Sensitivity Labels with Encryption
Apply sensitivity labels with Rights Management encryption to PHI documents. Match on sensitive information types (SITs) rather than bare keywords: a keyword list such as "patient" or "DOB" fires on every HR form and intranet page, and once users learn the label is noise they stop trusting it.
```
Label: "PHI - Restricted"
- Encryption: Yes (Azure Rights Management)
- Assign permissions: Clinical Staff group: View, Edit, Print (no Copy/Extract, no Full Control)
- Content expiry: None (PHI records retained per retention schedule)
- Auto-labeling: sensitive information types such as U.S. Social Security Number (SSN) and International Classification of Diseases (ICD-10-CM), plus a custom SIT for your MRN format; run in simulation mode and review matches before enforcing
```
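The label, its publishing policy and the auto-labeling policy above, created with Security & Compliance PowerShell so the configuration is reproducible across tenants. This is an added example and not code from the original article; it assumes a mail-enabled group clinical-staff@contoso.com and the PHI site URL used earlier, and the cmdlet parameter names are those of the ExchangeOnlineManagement module as I know them, so confirm them with Get-Help New-Label -Full against your installed version before running.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module, the group clinical-staff@contoso.com and the PHI site URL used earlier.
# Check parameter names with Get-Help New-Label -Full for your module version.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labelName   = "PHI-Restricted"
$clinicalGrp = "clinical-staff@contoso.com"
$phiSiteUrl  = "https://contoso.sharepoint.com/sites/ClinicalRecords"

# 1. Label with Azure Rights Management encryption. Rights are granted to a group, not to
#    people, so staff turnover does not require re-protecting documents.
#    VIEW + DOCEDIT + PRINT matches "View, Edit, Print" above; omitting EXTRACT blocks
#    copy/paste out of the document and omitting OWNER means users cannot remove protection.
New-Label -Name $labelName -DisplayName "PHI - Restricted" `
    -Tooltip "Protected Health Information. Do not share outside the organization." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "${clinicalGrp}:VIEW,DOCEDIT,PRINT" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# 2. Publish the label so users can apply it and it can be set as a library default.
New-LabelPolicy -Name "PHI Label Policy" -Labels $labelName -ExchangeLocation All

# 3. Auto-labeling on the PHI site, matching built-in sensitive information types
#    rather than keywords. Simulation mode first: review the matches, then set -Mode Enable.
New-AutoSensitivityLabelPolicy -Name "PHI Auto-label" `
    -ApplySensitivityLabel $labelName `
    -SharePointLocation $phiSiteUrl `
    -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Policy "PHI Auto-label" -Name "PHI identifiers" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" }
    )

# Verify what was created.
Get-Label -Identity $labelName |
    Select-Object Name, EncryptionEnabled, EncryptionRightsDefinitions
Get-AutoSensitivityLabelPolicy -Identity "PHI Auto-label" |
    Select-Object Name, Mode, SharePointLocation
```

Add a custom sensitive information type for your MRN format as a third entry in the rule once you have it; the built-in SSN and ICD-10 types are a floor, not the whole detection surface for your records.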
---
Step 5: Audit Controls (HIPAA Technical Safeguard §164.312(b))
HIPAA requires audit controls that record and examine activity in systems containing PHI.
Enable Microsoft Purview Audit
- Go to Microsoft Purview Compliance Portal → Audit
- Verify audit is enabled (or enable it if not)
- Configure audit retention:
- Audit (Standard): 180 days by default (90 days on tenants before the late-2023 change); not enough to support an investigation that surfaces months later or the 6-year documentation period
- Audit (Premium), included with Microsoft 365 E5 / E5 Compliance or the Purview Audit (Premium) add-on: 1 year by default, with retention policies per workload, user or record type
- Best practice: add the 10-Year Audit Log Retention add-on license, or export the log monthly to a SIEM or immutable storage you control, so audit evidence covers the 6 years that §164.316(b)(2) sets for HIPAA documentation
Required Audit Events for HIPAA
Configure alerts for these high-risk events:
| Event | Why | Alert To |
|-------|-----|---------|
| PHI document downloaded | Potential exfiltration | CISO, Compliance |
| Bulk download (50+ files) | Potential breach | CISO, Compliance |
| External sharing enabled on PHI site | Policy violation | Compliance |
| Permissions changed on PHI library | Unauthorized access change | IT Security |
| Failed login attempts (5+) | Credential attack | IT Security |
| New admin account created | Privilege escalation | CISO |
Monthly Audit Review
Assign a compliance officer to review PHI access logs monthly:
- Review: All PHI file access events
- Review: Any downloads by users not in primary clinical role
- Review: All external sharing activity (should be zero for PHI sites)
- Document review completion for HIPAA compliance records
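A monthly review script for the PHI site, covering the download, bulk-download, external-sharing and permission-change rows of the alert table above and producing the CSV evidence the review step calls for. This is an added example and not code from the original article; it assumes the Exchange Online PowerShell module (which hosts Search-UnifiedAuditLog), an account holding the Audit Logs or View-Only Audit Logs role, the PHI site URL used earlier, a bulk threshold of 50 files, and a 30-day window inside the tenant's audit retention.

```powershell
# Added example, not from the original article. Assumes ExchangeOnlineManagement, the
# Audit Logs role, the PHI site URL used earlier and a 50-file bulk threshold.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$phiSiteUrl    = "https://contoso.sharepoint.com/sites/ClinicalRecords"
$bulkThreshold = 50
$end   = Get-Date
$start = $end.AddDays(-30)

# Pull every record for the given operations in the window, paging through large result
# sets, then expand the AuditData JSON and keep only events on the PHI site.
function Get-PhiAuditRecords {
    param([string[]]$Operations)
    $sessionId = [guid]::NewGuid().ToString()
    $all = @()
    do {
        $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $Operations `
            -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
        $all += $batch
    } while ($batch.Count -eq 5000)
    $all | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.SiteUrl -and $_.SiteUrl.TrimEnd('/') -ieq $phiSiteUrl }
}

# 1. Downloads per user; flag anyone at or above the bulk threshold.
$downloads = Get-PhiAuditRecords -Operations FileDownloaded, FileSyncDownloadedFull
$perUser   = $downloads | Group-Object -Property UserId | Sort-Object Count -Descending
"PHI downloads by user, $($start.ToShortDateString()) to $($end.ToShortDateString()):"
$perUser | Select-Object @{ n = 'User'; e = { $_.Name } }, Count | Format-Table -AutoSize
foreach ($u in ($perUser | Where-Object Count -ge $bulkThreshold)) {
    Write-Warning ("Bulk download: {0} downloaded {1} files from the PHI site" -f $u.Name, $u.Count)
}

# 2. Sharing activity on the PHI site should be zero.
$sharing = Get-PhiAuditRecords -Operations SharingSet, SharingInvitationCreated, `
    AnonymousLinkCreated, SecureLinkCreated, AddedToSecureLink
if ($sharing) {
    Write-Warning "Sharing events found on the PHI site:"
    $sharing | Select-Object CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName |
        Format-Table -AutoSize
} else { "No sharing events on $phiSiteUrl in the review window." }

# 3. Permission changes on the site, for the "permissions changed" alert row.
$perms = Get-PhiAuditRecords -Operations PermissionLevelModified, SiteCollectionAdminAdded, AddedToGroup
if ($perms) {
    "Permission changes to review:"
    $perms | Select-Object CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName |
        Format-Table -AutoSize
}

# 4. Evidence for the compliance record: one CSV per review month.
$evidence = "PHI-audit-review-{0:yyyy-MM}.csv" -f $start
@($downloads) + @($sharing) + @($perms) |
    Select-Object CreationTime, UserId, Operation, ObjectId, SiteUrl, TargetUserOrGroupName |
    Export-Csv -Path $evidence -NoTypeInformation
"Evidence written to $evidence"
```

The script filters on SiteUrl after retrieval because the operations it asks for span the whole tenant; on a large tenant, pass -SiteIds with the PHI site's ID to Search-UnifiedAuditLog to cut the volume. The same three queries are what a SIEM rule should implement for real-time alerting; the monthly run is the documented human review HIPAA expects on top of alerts.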
---
Step 6: PHI Retention and Disposal
Retention Requirements
HIPAA itself does not set a retention period for medical records. What §164.316(b)(2) requires is that HIPAA documentation (policies, procedures, risk analyses, BAAs and similar records) be retained for 6 years from creation or from the date it was last in effect, whichever is later. Retention of the PHI records themselves is governed by state law and by program rules such as the Medicare conditions of participation, and those periods are often longer (California, for example, requires hospital records to be kept at least 7 years after discharge, longer for minors). Configure SharePoint retention to the longest period that applies to you, not to the 6-year HIPAA documentation figure.
Configure Microsoft Purview Retention Policies:
```
Policy: "PHI Records Retention"
- Scope: PHI site collections
- Retain content for: 7 years (federal + state buffer)
- After retention period: Trigger review (do not auto-delete PHI)
- Apply to: SharePoint sites, OneDrive
```
PHI Disposal
When PHI records reach end of retention:
- Legal review: Verify no litigation hold or active investigation
- Compliance review: Confirm state requirements met
- Documented approval: Compliance officer sign-off required
- Microsoft Purview disposal review: Use disposition workflow
- Audit trail: Record disposal in compliance log
Never use recycle bin deletion for PHI disposal — recycle bin content is recoverable. Use Microsoft Purview disposition review for documented, policy-driven disposal.
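The retention label with disposition review and the site-level retention policy described in this step, created with Security & Compliance PowerShell. This is an added example and not code from the original article; it assumes the PHI site URL used earlier, a compliance officer mailbox as the disposition reviewer, and 7 years expressed as 2555 days. The parameter names are those of the ExchangeOnlineManagement module's New-ComplianceTag and retention cmdlets as I know them; confirm them with Get-Help on your installed version.

```powershell
# Added example, not from the original article. Assumes the PHI site URL used earlier and
# a reviewer mailbox; 7 years = 2555 days. Verify parameter names with Get-Help.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$phiSiteUrl = "https://contoso.sharepoint.com/sites/ClinicalRecords"
$reviewer   = "compliance-officer@contoso.com"
$labelName  = "PHI Record - 7 Years"
$days       = 2555

# 1. Retention label: keep for 7 years from last modification, then route the item to
#    disposition review instead of deleting it. -IsRecordLabel blocks user deletion and
#    edits while the label applies; omit it if the documents must stay editable.
New-ComplianceTag -Name $labelName `
    -Comment "Protected Health Information. Retain 7 years, then disposition review." `
    -RetentionAction KeepAndDelete `
    -RetentionType ModificationAgeInDays `
    -RetentionDuration $days `
    -ReviewerEmail $reviewer `
    -IsRecordLabel $true

# 2. Publish the label to the PHI site so it can be applied and set as a library default.
New-RetentionCompliancePolicy -Name "PHI Records Retention" -SharePointLocation $phiSiteUrl
New-RetentionComplianceRule -Policy "PHI Records Retention" -PublishComplianceTag $labelName

# 3. Safety net: a retain-only policy on the whole site, so even unlabeled content and
#    old versions cannot be destroyed early. No delete action is configured here.
New-RetentionCompliancePolicy -Name "PHI Site Hold" -SharePointLocation $phiSiteUrl
New-RetentionComplianceRule -Policy "PHI Site Hold" `
    -RetentionDuration $days `
    -RetentionComplianceAction Keep

# Verify the label and the two policies.
Get-ComplianceTag -Identity $labelName |
    Select-Object Name, RetentionAction, RetentionType, RetentionDuration, ReviewerEmail, IsRecordLabel
Get-RetentionCompliancePolicy -Identity "PHI Records Retention", "PHI Site Hold" |
    Select-Object Name, Enabled, SharePointLocation
```

Items that reach the end of the label period appear under Disposition in the Purview portal, where the reviewer approves deletion or extends retention; that approval, not a user pressing delete, is the disposal record an auditor will ask for.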
---
Step 7: Business Associate Management
All vendors who access your PHI through SharePoint must have executed BAAs with you:
- Microsoft: BAA executed through M365 Admin Center (Step 1)
- Third-party SharePoint apps/connectors: Each vendor must provide their BAA
- Consulting firms accessing PHI data: Including SharePoint administrators
- Cloud backup providers: Any service that backs up your M365 data
Maintain a BAA inventory in SharePoint (in a non-PHI compliance site) tracking:
- Vendor name
- BAA execution date
- BAA expiration date
- Services covered
- Contact for renewal
---
HIPAA Compliance Checklist for SharePoint
- [ ] Microsoft BAA executed and documented
- [ ] MFA enforced for all PHI access via Conditional Access
- [ ] Unique user accounts for all PHI access (no shared logins)
- [ ] PHI content in dedicated site collections
- [ ] External sharing disabled on PHI sites
- [ ] Sensitivity labels with encryption on PHI document libraries
- [ ] Auto-labeling configured for common PHI identifiers (MRN, DOB, SSN)
- [ ] Version history enabled on PHI libraries (default 500 major versions kept, no automatic trimming)
- [ ] Audit retention extended beyond the default (Audit (Premium), plus the 10-year add-on or SIEM export to cover the 6-year documentation period)
- [ ] Audit alerts configured for high-risk events
- [ ] Monthly audit log review assigned and documented
- [ ] Retention policies configured (7 years minimum)
- [ ] Disposition review workflow configured (no auto-delete of PHI)
- [ ] BAA inventory current and complete
- [ ] Annual HIPAA risk assessment includes SharePoint environment
- [ ] Workforce training on PHI handling in SharePoint
---
Common HIPAA Compliance Gaps in SharePoint Environments
Gap 1: PHI mixed with general business content
Many organizations store clinical documents in general SharePoint team sites alongside non-PHI content. This complicates access controls, audit trails, and retention enforcement.
Gap 2: Insufficient audit retention
The default Audit (Standard) retention of 180 days (90 days on older tenants) is inadequate for an investigation that surfaces months later, let alone the 6-year period HIPAA sets for its documentation. Organizations must extend audit retention through Microsoft Purview Audit (Premium) or export the log to storage they control.
Gap 3: No sensitivity labels on PHI
Without sensitivity labels, documents can be downloaded, forwarded, and shared without restriction. Labels with RMS encryption prevent unauthorized access even if files leave SharePoint.
Gap 4: External sharing not disabled
Some healthcare organizations enable guest access for legitimate purposes (patient portal, vendor access) without properly isolating this from PHI content.
Gap 5: No retention policy on SharePoint
Many organizations apply retention policies to email but not SharePoint, leaving PHI documents subject to user deletion.
---
Need Help with Your Healthcare SharePoint Configuration?
HIPAA compliance for SharePoint requires deep expertise in both Microsoft 365 configuration and HIPAA regulatory requirements. Our team has configured SharePoint for dozens of hospitals, health systems, clinics, and healthcare insurers.
[Schedule a free HIPAA readiness assessment →](/industries/healthcare)
Or explore our [SharePoint Compliance Services](/services/sharepoint-consulting) for comprehensive healthcare IT support.
Written by Errin O'Connor
Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem
Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.