Is SharePoint HIPAA compliant?

It may be one of the most popular cloud-based document management services on the market, but is SharePoint HIPAA compliant? 

Developed by Microsoft, SharePoint is based on Microsoft's OpenXML document standard and integrates with all products in the Microsoft Office suite. It can also serve as the foundation for a customer relationship management (CRM) system, company intranets, and internet portals. These features, amongst others, mean that in a relatively crowded market of cloud-based document sharing and storage solutions, SharePoint comes out on top, with nearly 80% of Fortune 500 companies using it. But can it be used in the healthcare sector in a HIPAA-compliant manner?

One of the key HIPAA requirements for a product such as SharePoint is a business associate agreement (BAA). When a covered entity (CE; that is, a healthcare provider, healthcare clearinghouse, or health plan that is subject to HIPAA) wishes to use the services of a third party, it must enter into a BAA with that party, which then becomes its business associate (BA). The BAA stipulates a number of requirements, such as:

  • How the PHI will be used once handed over to the BA.
  • What safeguards are needed to ensure PHI is adequately protected.
  • What procedures should be followed in the event of a HIPAA violation.
  • How the BA will dispose of the data upon termination of the BAA.

As Microsoft owns SharePoint, a CE interested in using the platform will have to enter into a BAA with Microsoft. On its website, Microsoft states:

“Microsoft offers its covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services.” 

SharePoint is among these in-scope services, meaning that it can be used under the terms of the BAA.

However, the BAA is just one aspect of HIPAA compliance. The HIPAA Security Rule stipulates the minimum technical, administrative, and physical safeguards required to maintain the confidentiality and integrity of PHI. Though the Security Rule does not prescribe exactly how these safeguards must be implemented, Microsoft provides a number of security features that would be deemed necessary to adhere to it. These include two-factor authentication, access controls that the CE can configure to suit its own needs, and 256-bit encryption. Such features protect PHI only if the CE actually enables and configures them.

Though Microsoft's SharePoint has the potential to be used in a HIPAA-compliant manner, it is ultimately the responsibility of the CE to ensure that it is being used correctly. The CE must enter into the BAA with Microsoft and ensure that SharePoint is correctly configured for HIPAA-compliant use. With those conditions met, SharePoint is considered HIPAA compliant.