Is SharePoint HIPAA compliant?

SharePoint supports HIPAA compliance for maintaining and sharing Protected Health Information when three conditions are met: it is used as part of an Office 365 or Microsoft 365 Enterprise plan that supports HIPAA compliance, a Business Associate Agreement is in place with Microsoft, and the service is configured and used to meet HIPAA access control and monitoring requirements. SharePoint cannot be used with Protected Health Information when there is no Business Associate Agreement covering the SharePoint Online service.

SharePoint is a web-based document management and storage platform that supports collaboration and integrates with Microsoft Office. The platform can also be used to support web portals, intranet sites, and customer relationship management style workflows. These features can create multiple paths for Protected Health Information to be created, stored, accessed, shared, or exported, which expands the scope of configuration and workforce controls needed for compliant use.

Use of SharePoint with Protected Health Information depends on Microsoft’s willingness to execute a Business Associate Agreement and the scope of services covered. Microsoft’s Business Associate Agreement for Office 365 Enterprise and Microsoft 365 Enterprise plans covers SharePoint Online when used under those plans. A healthcare organization needs to confirm that its licensing aligns with the Enterprise plan requirements that support HIPAA compliance before storing or sharing Protected Health Information in SharePoint.

SharePoint includes administrative and technical safeguards that can support compliance with applicable HIPAA requirements, but compliant use depends on how the organization configures and operates the platform. Microsoft has responsibilities as a business associate under the Business Associate Agreement, and the covered entity or business associate using SharePoint has responsibility for governance, access management, and user activity oversight. Configuration and operational controls determine whether Protected Health Information is accessible only to authorized users and whether activity affecting Protected Health Information is recorded and reviewed.

Access controls need to be set for individuals or roles so users have access aligned to job function. Audit controls need to be enabled so access and activity related to Protected Health Information are logged. Logs need to be monitored so inappropriate access patterns and misconfigurations are identified and corrected. Security controls that support authorized access and reduce inappropriate disclosure need to be configured consistently with internal policies and procedures.

Workforce training is required to support compliant use of SharePoint once technical controls are in place. Training needs to cover permitted uses and disclosures under the HIPAA Privacy Rule, handling practices that reduce accidental disclosure, and operational limitations created by the organization’s access and auditing configuration. Training also needs to address the restrictions imposed by HIPAA policies when collaborating on documents and when using SharePoint features that enable sharing across users and groups.

John Blacksmith

John Blacksmith is a seasoned journalist with deep experience in both print and digital media. He has concentrated on information technology in the healthcare field, especially in the areas of data security and privacy. His work has provided him with in-depth knowledge of HIPAA regulations. John has a journalism degree.