Is SharePoint HIPAA Compliant?
SharePoint is HIPAA compliant and can be used to maintain and share PHI when used as part of an Office 365 or Microsoft 365 Enterprise plan that supports HIPAA compliance, if the online storage service is configured to comply with the HIPAA access control requirements, and a Business Associate Agreement is entered into with Microsoft. This post explains more about what is necessary to make SharePoint HIPAA compliant and suitable for use in the healthcare industry.
What is SharePoint?
SharePoint is a web-based document management and storage system and one of the leading collaborative platforms on the market, used by 78% of Fortune 500 companies. The platform is based on Microsoft’s OpenXML document standard and therefore integrates seamlessly with Microsoft Office.
SharePoint offers many of the same functions as Google Drive and Dropbox, although SharePoint is a much more powerful platform: it can also be used for internet portals and intranet sites, and can form the basis of a CRM system.
With such a wide range of functions it is naturally a good fit for healthcare organizations, but is SharePoint HIPAA compliant? Does the platform incorporate all the necessary functions and security controls required by HIPAA?
Is SharePoint Covered by Microsoft’s Business Associate Agreement?
The first question when considering the suitability of a platform for use in healthcare in the United States is whether the platform provider is willing to sign a business associate agreement with a HIPAA covered entity or one of its business associates. Without a BAA, a platform cannot be used in conjunction with any protected health information (PHI).
Microsoft is prepared to sign a business associate agreement with HIPAA covered entities for Office 365 and Yammer, but what about SharePoint? Microsoft clearly states on its website that SharePoint Online supports HIPAA compliance when used with an Office 365 Enterprise or Microsoft 365 Enterprise plan, and that its BAA for these plans covers SharePoint Online.
Is SharePoint HIPAA Compliant?
Can we consider SharePoint HIPAA compliant? While no software platform can be truly HIPAA compliant, SharePoint does incorporate the necessary administrative and technical safeguards to meet HIPAA Rules and HIPAA covered entities can use the platform in a HIPAA compliant manner.
Microsoft will also ensure that it meets its responsibilities as a business associate, but it is the responsibility of users to ensure that HIPAA Rules are followed and the platform is configured correctly. Covered entities must set access controls for individuals or roles, enable audit controls, monitor logs, configure appropriate security controls, and train users on use of the platform and the restrictions imposed by HIPAA.
Provided a BAA is obtained and the platform is configured and used correctly, SharePoint can be considered a HIPAA compliant document management, document storage, and collaborative platform.