Is SharePoint HIPAA Compliant?

Is SharePoint HIPAA compliant? Does the platform incorporate all the required administrative and technical controls to meet HIPAA requirements? This post explores whether SharePoint supports HIPAA compliance and its suitability for use in the healthcare industry.

What is SharePoint?

SharePoint is a web-based document management and storage system and one of the leading collaborative platforms on the market, used by 78% of Fortune 500 companies. The platform is based on Microsoft’s OpenXML document standard and therefore integrates seamlessly with Microsoft Office.

SharePoint offers many of the same functions as Google Drive and Dropbox, although SharePoint is a much more powerful platform and can also be used for internet portals, intranet sites and can form the basis of a CRM system.

With such a wide range of functions it is naturally a good fit for healthcare organizations, but is SharePoint HIPAA compliant? Does the platform incorporate all the necessary functions and security controls required by HIPAA?

Is SharePoint Covered by Microsoft’s Business Associate Agreement?

The first question when considering the suitability of a platform for use in healthcare in the United States is whether the platform provider is willing to sign a business associate agreement with a HIPAA covered entity or one of its business associates. Without a BAA, a platform cannot be used in conjunction with any protected health information (PHI).

Microsoft is prepared to sign a business associate agreement with HIPAA covered entities for Office 365 and Yammer, but what about SharePoint?

Microsoft clearly states on its website that SharePoint Online supports HIPAA compliance when used with Office 365 Enterprise, and that its BAA for Office 365 Enterprise does cover SharePoint Online.

Is SharePoint HIPAA Compliant?

Can we consider SharePoint HIPAA compliant? While no software platform can be truly HIPAA compliant, SharePoint does incorporate the necessary administrative and technical safeguards to meet HIPAA Rules and HIPAA covered entities can use the platform in a HIPAA compliant manner.

Microsoft will also ensure that it meets its responsibilities as a business associate, but it is the responsibility of users to ensure that HIPAA Rules are followed and the platform is configured correctly. Covered entities must set access controls for individuals or roles, audit controls must be set, logs must be monitored, appropriate security controls configured, and users must receive training on use of the platform and the restrictions of HIPAA.

Provided a BAA is obtained, the platform is configured and used correctly, SharePoint can be considered a HIPAA compliant document management, document storage, and collaborative platform.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.