Is SharePoint HIPAA Compliant?

Healthcare organizations are now embracing digital transformation to take advantage of new technologies and tools. However, transitioning from the present level of technology to the desired level can be complicated and challenging. Failure to maximize the benefits of a digital change can result in decreased efficiency and ROI, and misusing a tool can lead to regulatory violations, including HIPAA violations. Therefore, medical organizations should carefully assess their digital transformation and avoid any potential threats to their business.

Microsoft 365 and SharePoint in the Healthcare Setting

In the midst of digital innovation and regulatory concerns, healthcare organizations are curious about the potential of using Microsoft 365 tools. While many have already made the switch or are planning to, there are questions surrounding whether the cloud-based productivity suite is HIPAA compliant. Specifically, healthcare organizations want to know if SharePoint and the broader Microsoft 365 package are suitable for moving electronic health records and other sensitive information. Unfortunately, Microsoft has not provided a clear answer and cannot guarantee compliance based on user behavior. To ensure HIPAA compliance, healthcare organizations must implement technical safeguards. Our team can assist you with this, but first, let’s address some FAQs regarding this transition.

Is Microsoft 365 HIPAA compliant?

This is an important question, but it might not be the right question to ask. It’s a little bit like looking at a car and asking whether the car is “speed limit compliant” — unless you’re actually asking whether a car has been somehow programmed to never be capable of exceeding the speed limit, then there’s no such thing as a “speed limit compliant” car. Whether the car operates at the speed limit is entirely up to the driver.

Now, that’s not to say you shouldn’t ever ask questions about the quality of a car — or the quality of a software platform. A shoddily made car might have an accelerator that sticks, creating significant and unnecessary risk. And shoddily made software or digital services could do the same thing with sensitive medical data.

Microsoft 365 is well-made software, to be sure. But it’s nearly as unrealistic to expect Microsoft to be able to stop any and all instances of data misuse as it would be to expect car manufacturers to “lock” cars to the speed limit. The same rules and filters that might prevent a HIPAA violation in a healthcare setting would interfere with normal, ethical use cases in other industries.

Given all this, it’s no surprise that Microsoft isn’t totally clear on whether its products are HIPAA compliant. Can they be used in HIPAA-compliant ways? Yes. But can Microsoft guarantee them as HIPAA compliant? Not without outside help.

Is SharePoint HIPAA compliant?

Many people wonder if SharePoint is HIPAA compliant, but this question is not quite accurate. The more important question is how an organization uses SharePoint, especially if they plan to share files and documents that contain personally identifying information. While SharePoint can be used in HIPAA-compliant ways, the system does not prevent users from violating HIPAA regulations. Just like a car doesn’t prevent drivers from speeding, organizations must put specific technical safeguards in place to ensure HIPAA compliance. To learn more about these safeguards, we need to examine different aspects of HIPAA and how to comply with it.

What are the core compliance areas to be HIPAA compliant?

HIPAA compliance breaks down into three core compliance areas:

  • Technical compliance
  • Administrative compliance
  • Physical compliance

Technical compliance deals with the technological systems that interface with patient data that qualifies as PII. Access control, data integrity, authentication of users, and secure transmission of files all fall under this category.

Administrative compliance refers to the policies and procedures that organizations put in place to protect data and data access. Hospital policies about what can and can’t be shared verbally in public areas, rules about passwords and authentication, and any other administrative decisions touching on privacy fall into this category.

Physical compliance deals with the real world: are physical records kept in a location not accessible to the general public? Are on-premises servers and endpoints secure, either by physical barrier (such as a locked server room) or by high-quality access control (badges, passwords, biometrics, etc. for computer access)?

As we look at the question of using Microsoft 365 and SharePoint in a medical setting, all three compliance areas matter. The technical underpinnings of Microsoft 365 come into play, as do the administrative policies an organization sets up around the use of SharePoint. Physical compliance matters as well, though this has less to do with which software or platforms you’re using and more to do with how you physically set up your equipment.

What are the technical safeguards of HIPAA?

HIPAA rules require that organizations maintain “reasonable and appropriate” safeguards in all three of the major compliance areas. Generally, safeguards are reasonable and appropriate if they protect electronic health records (EHR) from “reasonably anticipated” threats or disclosures, but HIPAA does not specify or define what these safeguards must look like.

On the technical side, HIPAA describes three types of technical safeguards:

  • Access control
  • Safeguards on data in motion
  • Safeguards on data at rest

Access control

Access control is straightforward enough in concept: only those who have been granted access should be able to access data. So a completely open cloud workspace (like a simple Google Workspace) clearly fails this, while a legacy rights-managed folder-based network generally has the appropriate technical safeguards.

Microsoft 365 and SharePoint can certainly be set up as environments using appropriate access control. So on this point, the products are reasonably HIPAA-compliant.
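One way to check the access-control claim above in practice, as an added example that is not part of the original article: a PowerShell audit of SharePoint Online sharing settings that flags sites allowing external or anonymous sharing. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator account, and a placeholder tenant name.

```powershell
# Added example (not from the original article). Lists SharePoint Online sites
# whose sharing setting would let content leave the organization, which is the
# kind of open configuration the access-control safeguard is meant to rule out.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # <tenant> is a placeholder

# Tenant-wide setting: the most permissive sharing level any site may use.
$tenant = Get-SPOTenant
Write-Host "Tenant sharing capability: $($tenant.SharingCapability)"

# Site-level settings. Disabled and ExistingExternalUserSharingOnly keep sharing
# to accounts already in the directory; the other values allow new guests or
# anonymous "anyone" links.
$allowed = @('Disabled', 'ExistingExternalUserSharingOnly')
$findings = foreach ($site in Get-SPOSite -Limit All) {
    if ($allowed -notcontains [string]$site.SharingCapability) {
        [pscustomobject]@{
            Url               = $site.Url
            Title             = $site.Title
            SharingCapability = $site.SharingCapability
        }
    }
}

# Set to $true only after reviewing the findings; tightening sharing on a site
# that legitimately collaborates with outside parties will break that workflow.
$remediate = $false

if ($findings) {
    $findings | Format-Table -AutoSize
    if ($remediate) {
        foreach ($f in $findings) {
            Set-SPOSite -Identity $f.Url -SharingCapability Disabled
        }
    }
} else {
    Write-Host "No sites allow external or anonymous sharing."
}
```

Personal OneDrive sites are not returned unless you add `-IncludePersonalSite $true` to `Get-SPOSite`, so extend the query if staff store patient documents there.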

Data in Motion

Data in motion (and data in use) can be harder to protect, or at least harder to prove protected. These terms describe data that is in transit between systems, or that is actively being used by a system or a human operator.

Typical safeguards on data in motion include data encryption, access control (on systems and on specific data), and using metadata or anonymized data for research and analytics rather than raw data.

Data at rest

Data at rest is data that’s sitting on a server somewhere — either your on-premises server or a cloud server belonging to a provider like Microsoft. This data isn’t being used, but your organization needs to maintain it in case it’s needed later on.

Data at rest safeguards include encryption and access control once again. Physical access control usually comes into play here as well: an unguarded server in an unlocked room may be a HIPAA violation if it gets breached. The argument could be made that the organization didn’t implement “reasonable and appropriate” safeguards — in this case, locks and access control.

How does an IT provider assist in technical HIPAA compliance?

If you’re using Microsoft 365 or SharePoint and need to stay compliant, it’s important to consider some technical aspects. That’s where we come in. We help healthcare clients design and implement the necessary technical safeguards as per HIPAA regulations. Our goal is to create an environment where healthcare professionals and support staff can focus on their work without worrying about technology compliance. As a reliable IT provider, we offer cybersecurity layers, risk assessments, and ongoing auditing to ensure our clients remain HIPAA compliant.

Is a BAA needed with Microsoft?

To comply with HIPAA regulations, healthcare organizations that handle protected health information (PHI) must establish a business associate agreement (BAA) with any business associate. Microsoft offers to enter into BAAs with its customers who are either covered entities or business associates. However, it is important to note that the BAA alone does not guarantee compliance with HIPAA or HITECH. Your company’s compliance program and internal processes are crucial for meeting HIPAA requirements. Microsoft emphasizes that your use of their services must align with your obligations under HIPAA. To establish a BAA with Microsoft, you need to contact them directly or through your IT provider.

Microsoft 365 and SharePoint HIPAA Compliance Is Complex. We Can Help.

It’s important to know that Microsoft 365 and SharePoint can be made HIPAA-compliant, but it’s up to your organization to ensure that compliance is met. The process can be complex, but our IT and cybersecurity team is experienced in implementing technical safeguards and policies to achieve compliance for these apps and services. If you’re ready to move to the cloud and relieve yourself of compliance concerns, get in touch with us. We can assist you in transitioning from your current position to your desired destination.