HIPAA-Compliant SharePoint: Governance for Healthcare Organizations
Healthcare organizations handling protected health information (PHI) face stringent HIPAA requirements that demand purpose-built SharePoint governance. From Purview sensitivity labels to DLP policies and conditional access, this guide covers every control needed to make SharePoint HIPAA-compliant for clinical, administrative, and research workflows.
Why SharePoint Governance Matters for HIPAA Compliance
Healthcare organizations increasingly rely on SharePoint as their primary document management and collaboration platform. Patient records, insurance claims, clinical research data, and internal communications all flow through SharePoint sites, libraries, and lists. Without a structured governance framework aligned to HIPAA requirements, organizations risk unauthorized PHI disclosure, regulatory penalties up to $2.13 million per violation category, and loss of patient trust.
The challenge is that SharePoint Online is HIPAA-capable but not HIPAA-compliant by default. Microsoft provides the platform and signs a Business Associate Agreement (BAA), but the responsibility for configuring security controls, access policies, and monitoring falls on the healthcare organization. This shared responsibility model means IT teams must implement dozens of specific configurations to achieve compliance.
At EPC Group, we have implemented HIPAA-aligned SharePoint governance for community health systems, multi-hospital networks, specialty clinics, and health insurance providers. Our approach addresses the five critical pillars: PHI classification, data loss prevention, access control, audit logging, and Teams compliance for telehealth.
Pillar 1: PHI Classification with Microsoft Purview Sensitivity Labels
The foundation of HIPAA-compliant SharePoint is accurate classification of protected health information. Microsoft Purview Information Protection provides sensitivity labels that classify, protect, and govern PHI throughout its lifecycle.
Sensitivity Label Taxonomy for Healthcare
Healthcare organizations should implement a label taxonomy that reflects their data classification policy. A proven four-tier approach includes:
Highly Confidential - PHI
Patient records, diagnosis codes, treatment plans, lab results, insurance claims. Applies AES-256 encryption, restricts access to authorized clinical staff, prevents external sharing, adds watermark, enforces co-authoring restrictions. Auto-applied when content matches PHI patterns (ICD-10 codes, MRNs, SSNs combined with medical terms).
Confidential - Internal Healthcare
De-identified research data, operational reports, staffing schedules with patient load data. Applies encryption, restricts to organization-only access, prevents copy to unmanaged devices. Recommended by trainable classifiers when content contains healthcare-adjacent information.
Internal Only
Administrative policies, HR documents, facility management records. No encryption but prevents external sharing. Applied manually or by default on designated internal sites.
Public
Patient education materials, public health announcements, marketing content. No restrictions. Explicitly labeled to confirm intentional public classification.
Auto-Labeling Configuration
Manual labeling alone is insufficient for HIPAA compliance because users inevitably forget or misclassify documents. Auto-labeling policies use sensitive information types (SITs) to detect PHI patterns and automatically apply the appropriate sensitivity label. Key SITs for healthcare include:
- U.S. Social Security Number (SSN): Combined with medical terms to distinguish healthcare context from HR/financial use
- Medical Record Number (MRN): Custom SIT using regex patterns matching your organization's MRN format
- ICD-10 Diagnosis Codes: Custom SIT matching the ICD-10-CM code pattern (letter followed by 2-7 characters)
- Drug Enforcement Agency (DEA) Numbers: Identifies prescriber information in controlled substance documentation
- Health Insurance Claim Numbers: Detects Medicare/Medicaid beneficiary identifiers
Auto-labeling policies should run in simulation mode for 7-14 days before enforcement to validate accuracy and minimize false positives that disrupt clinical workflows.
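The context rule above (an SSN only counts as PHI when medical terms sit near it, while ICD-10 codes and MRNs count on their own) is easy to misjudge by hand. The following Python model is an added example, not Purview's own matching engine or code from EPC Group: the MRN format, the medical-term list, the 300-character proximity window and the sample documents are all constructed assumptions, and `simulate` mirrors simulation mode by reporting the label each document would receive without applying anything.

```python
import re
from typing import Dict, List, Optional

# Constructed patterns; the real MRN format and Purview's built-in SIT logic are
# not given on the page, so these are assumptions for illustration only.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Simplified ICD-10-CM shape: category letter, two characters, optional .xxxx
ICD10_RE = re.compile(r"\b[A-TV-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?\b")
MRN_RE = re.compile(r"\bMRN[: ]+\d{8}\b")  # assumed eight-digit MRN format
MEDICAL_TERMS = ("diagnosis", "patient", "treatment", "lab result", "prescription")
PROXIMITY = 300  # characters of supporting evidence around an SSN (assumed)
PHI_LABEL = "Highly Confidential - PHI"

def detect_phi(text: str) -> Dict[str, List[str]]:
    """Collect evidence per SIT; an SSN counts only with medical terms nearby."""
    lower = text.lower()
    ssn_hits = []
    for m in SSN_RE.finditer(text):
        window = lower[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        if any(term in window for term in MEDICAL_TERMS):
            ssn_hits.append(m.group())
    return {
        "ssn_with_medical_context": ssn_hits,
        "icd10": ICD10_RE.findall(text),
        "mrn": MRN_RE.findall(text),
    }

def recommend_label(text: str) -> Optional[str]:
    """Any PHI evidence selects the top-tier label; otherwise no auto-label."""
    return PHI_LABEL if any(detect_phi(text).values()) else None

def simulate(docs: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Simulation mode: report what would be labeled, change nothing."""
    return {name: recommend_label(body) for name, body in docs.items()}

# Constructed sample documents (no real patients or employees).
CLINICAL_NOTE = ("Patient Jane Doe, MRN 00123456, SSN 123-45-6789. "
                 "Diagnosis: E11.9 type 2 diabetes, treatment plan attached.")
HR_FORM = "Employee SSN 123-45-6789 for payroll enrollment, W-2 form on file."
FLYER = "Flu shot clinic open Saturday in the main lobby."

if __name__ == "__main__":
    for name, label in simulate({"note": CLINICAL_NOTE, "hr": HR_FORM, "flyer": FLYER}).items():
        print(f"{name}: {label}")
```

Running the simulation over the three samples shows the HR form is left unlabeled despite containing an SSN, which is the false positive the proximity rule exists to avoid.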
Pillar 2: Data Loss Prevention (DLP) Policies for Healthcare
DLP policies prevent unauthorized sharing of PHI across SharePoint, OneDrive, Teams, Exchange, and endpoints. Healthcare organizations need layered DLP policies that address different risk scenarios.
Essential DLP Policy Set
External Sharing Block
Blocks sharing of PHI-labeled content with external recipients. Applies to SharePoint, OneDrive, Teams chat, and Exchange email. Overridable only by compliance officers with business justification logging.
Unmanaged Device Restriction
Prevents downloading, printing, or copying PHI-labeled content on personal devices. Allows view-only access through the browser with no local caching. Enforced via Microsoft Defender for Cloud Apps.
Bulk PHI Transfer Detection
Alerts when more than 10 PHI-containing documents are downloaded or shared within a 24-hour window. Potential indicator of data exfiltration or breach. Triggers incident review workflow.
Cross-Department PHI Boundary
Restricts PHI sharing between departments that do not have treatment, payment, or operations (TPO) relationships. Uses information barriers in combination with DLP to enforce minimum necessary access.
DLP Policy Tips and User Education
Effective DLP requires user cooperation. Policy tips display real-time warnings when users attempt actions that violate DLP rules, explaining the restriction and providing compliant alternatives. For healthcare organizations, policy tips should reference specific HIPAA requirements to reinforce compliance culture. Tips should be clear, actionable, and non-punitive to maintain clinical workflow efficiency.
Pillar 3: Conditional Access and Zero Trust for Healthcare
Microsoft 365 conditional access policies enforce HIPAA's access control requirements by evaluating user identity, device compliance, location, and risk level before granting access to PHI.
Required Conditional Access Policies
- MFA for all PHI access: Require multi-factor authentication for any session accessing SharePoint sites containing PHI-labeled content. Use phishing-resistant methods (FIDO2 keys, Windows Hello) for clinical workstations.
- Compliant device requirement: Require Intune-enrolled, compliant devices for full access to PHI sites. Block or limit access from non-compliant devices to browser-only with no download capability.
- Named location restrictions: Restrict PHI access to approved networks (hospital campus, VPN, approved home office IPs). Block access from high-risk countries entirely.
- Session controls: Enforce 8-hour session limits for PHI access with re-authentication. Implement 15-minute idle timeout for clinical workstations in shared spaces (nurse stations, exam rooms).
- Risk-based access: Integrate Microsoft Entra ID Protection sign-in risk signals. Block high-risk sign-ins immediately and require password change plus MFA for medium-risk.
Device Management for Clinical Environments
Healthcare environments present unique device management challenges. Shared clinical workstations, mobile devices used during rounds, and kiosk-mode tablets in patient rooms all need specific Intune policies. EPC Group configures device compliance policies that balance security with clinical workflow requirements, including automatic sign-out on shared devices, app protection policies for mobile clinical apps, and conditional access exceptions for approved medical devices.
Pillar 4: Audit Logging and HIPAA-Required Monitoring
HIPAA requires healthcare organizations to implement audit controls that record and examine activity in systems containing PHI. SharePoint's native audit capabilities, enhanced by Microsoft Purview Audit (Premium), provide the foundation for compliance.
Audit Configuration Requirements
- 365-day log retention: HIPAA requires six-year document retention, while Microsoft Purview Audit (Premium) retains audit logs for a minimum of one year. Export logs to Azure Sentinel or a SIEM for long-term archival beyond that year.
- Custom audit policies: Create targeted audit policies for PHI-labeled SharePoint sites that capture file access, modification, deletion, sharing, download, and permission changes.
- MailItemsAccessed logging: For Exchange-based PHI (referral letters, lab results sent via email), enable MailItemsAccessed auditing to track every email open event.
- Alert policies: Configure real-time alerts for suspicious PHI access patterns including off-hours access, bulk downloads, access from new devices/locations, and permission elevation attempts.
- Regular audit reviews: Establish weekly automated audit reports for PHI access, with quarterly human review by the compliance team and annual review by external auditors.
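The bulk PHI transfer rule from Pillar 2 (more than 10 PHI documents downloaded or shared within 24 hours) and the off-hours access alert listed above both reduce to simple logic over audit events. The following Python detector is an added example, not a Purview alert policy or EPC Group's Sentinel playbook: the event field names, operation names, the 22:00 to 06:00 off-hours window, the `h.example` accounts and the sample events are constructed assumptions, and the counting is per user over a sliding 24-hour window of distinct documents.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed simplified event shape; not the unified audit log's real schema.
BULK_THRESHOLD = 10                 # page: more than 10 PHI docs in 24 hours
WINDOW = timedelta(hours=24)
PHI_LABEL = "Highly Confidential - PHI"
EXFIL_OPS = {"FileDownloaded", "SharingSet", "AnonymousLinkCreated"}
OFF_HOURS_START, OFF_HOURS_END = 22, 6   # assumed local off-hours window

def make_event(user: str, op: str, obj: str, when: datetime, label: str = PHI_LABEL) -> Dict:
    return {"user": user, "operation": op, "object": obj, "time": when, "label": label}

def detect_bulk_transfer(events: List[Dict]) -> List[Tuple[str, datetime, int]]:
    """Alert once per user the first time distinct PHI docs in 24h exceed the threshold."""
    alerts, flagged = [], set()
    windows = defaultdict(deque)           # user -> deque of (time, object)
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["operation"] not in EXFIL_OPS or e["label"] != PHI_LABEL:
            continue
        q = windows[e["user"]]
        q.append((e["time"], e["object"]))
        while q and e["time"] - q[0][0] > WINDOW:   # drop events older than 24h
            q.popleft()
        distinct = len({obj for _, obj in q})
        if distinct > BULK_THRESHOLD and e["user"] not in flagged:
            flagged.add(e["user"])
            alerts.append((e["user"], e["time"], distinct))
    return alerts

def detect_off_hours(events: List[Dict]) -> List[Tuple[str, datetime]]:
    """Flag any PHI-labeled activity that falls inside the off-hours window."""
    return [(e["user"], e["time"]) for e in events
            if e["label"] == PHI_LABEL
            and (e["time"].hour >= OFF_HOURS_START or e["time"].hour < OFF_HOURS_END)]

# Constructed sample: a nurse pulls 12 charts in two hours, a clerk downloads one claim at 23:00.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_EVENTS = [make_event("nurse@h.example", "FileDownloaded", f"/PHI/chart{i}.docx",
                            T0 + timedelta(minutes=10 * i)) for i in range(12)]
SAMPLE_EVENTS.append(make_event("clerk@h.example", "FileDownloaded", "/PHI/claim1.pdf",
                                T0 + timedelta(hours=14)))

if __name__ == "__main__":
    print(detect_bulk_transfer(SAMPLE_EVENTS))
    print(detect_off_hours(SAMPLE_EVENTS))
```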
Breach Detection and Response
HIPAA's Breach Notification Rule requires notification within 60 days of discovering a breach affecting 500 or more individuals. SharePoint audit logs and DLP incident reports provide the forensic data needed to determine breach scope, affected records, and timeline. EPC Group implements automated breach detection workflows using Microsoft Sentinel playbooks that correlate audit events, DLP incidents, and Defender alerts to identify potential breaches in near real-time.
Pillar 5: Teams Compliance for Telehealth
Microsoft Teams has become the primary telehealth platform for many healthcare organizations. HIPAA compliance for Teams requires specific governance controls beyond standard enterprise Teams deployment.
- Compliance recording: Enable policy-based compliance recording for telehealth appointments using certified recording partners. Recordings must be stored in HIPAA-compliant storage with PHI sensitivity labels applied automatically.
- Meeting policies: Restrict who can record meetings, disable transcription unless clinically required, prevent lobby bypass for external patients, enforce meeting end times to prevent accidental PHI disclosure in back-to-back appointments.
- Information barriers: Prevent communication between departments that should not share PHI (e.g., marketing and clinical departments). Information barriers block Teams chat, calling, and meeting invitations between barriered segments.
- Guest access governance: External specialists and consulting physicians need Teams access for care coordination. Configure guest access with time-limited sessions, restricted to specific Teams and channels, with full audit logging of all guest activities.
- Chat retention and eDiscovery: Apply retention policies to Teams chat containing PHI. Configure eDiscovery holds for litigation and regulatory investigations. Ensure chat data is searchable and exportable for compliance requests.
Business Associate Agreement (BAA) Documentation
A signed BAA with Microsoft is a prerequisite for using SharePoint, Teams, or any Microsoft 365 service to store or process PHI. The Microsoft BAA covers eligible services when accessed through qualifying license plans (E3/E5, G3/G5).
- BAA acceptance: Accepted through the Microsoft 365 admin center under Settings, Org Settings, Security & Privacy. The organization's global admin must formally accept the BAA.
- Covered services: SharePoint Online, OneDrive for Business, Exchange Online, Microsoft Teams, Azure Active Directory (Entra ID), Microsoft Purview, and Microsoft Defender are all covered under the BAA.
- Third-party add-ins: Any third-party SharePoint apps, Teams apps, or Power Platform connectors that process PHI require separate BAAs with those vendors. Evaluate every marketplace app before deployment.
- Subprocessor management: Microsoft maintains a list of subprocessors. Healthcare organizations should review this list quarterly and assess subprocessor compliance with organizational security requirements.
Implementation Roadmap: 90-Day HIPAA Governance Sprint
Healthcare organizations can achieve HIPAA-aligned SharePoint governance in 90 days with a structured approach. EPC Group's proven methodology follows this timeline:
- Weeks 1-2: Assessment and Discovery — Inventory all SharePoint sites containing PHI, document current sharing and access patterns, identify governance gaps against HIPAA requirements, review existing BAA coverage.
- Weeks 3-4: Sensitivity Labels and Classification — Design label taxonomy, configure sensitive information types for PHI, deploy auto-labeling policies in simulation mode, train compliance team on label management.
- Weeks 5-6: DLP Policy Deployment — Implement DLP policies in test mode, validate against clinical workflows, tune rules to minimize false positives, deploy policy tips for user education.
- Weeks 7-8: Conditional Access and Device Management — Deploy conditional access policies, configure Intune device compliance, implement session controls for clinical workstations, test clinical workflow impact.
- Weeks 9-10: Audit and Monitoring — Enable Purview Audit Premium, configure custom audit policies, deploy alert rules, set up audit review workflows and dashboards.
- Weeks 11-12: Teams Compliance and Validation — Configure telehealth governance controls, deploy information barriers, conduct end-to-end compliance testing, document all configurations for audit readiness.
Partner with EPC Group for Healthcare SharePoint Governance
EPC Group has implemented HIPAA-compliant SharePoint governance for healthcare organizations ranging from community health alliances to multi-state hospital networks. Our SharePoint consulting team combines deep Microsoft 365 expertise with healthcare compliance knowledge to deliver governance frameworks that protect PHI without disrupting clinical workflows. As author of multiple Microsoft Press books on SharePoint governance, Errin O'Connor brings unmatched expertise to every healthcare engagement.
Whether you need a comprehensive HIPAA governance assessment, specific Microsoft 365 compliance configurations, or ongoing governance management, EPC Group delivers enterprise-grade solutions for healthcare organizations of every size.
Schedule Your HIPAA SharePoint Assessment
Get a comprehensive review of your SharePoint environment against HIPAA requirements. Our team identifies gaps, prioritizes remediation, and delivers a 90-day governance roadmap.
Frequently Asked Questions
Is SharePoint Online HIPAA compliant out of the box?
No. Microsoft 365 and SharePoint Online are HIPAA-capable, meaning Microsoft will sign a Business Associate Agreement (BAA) and the platform supports the required security controls. However, HIPAA compliance requires proper configuration including sensitivity labels, DLP policies, conditional access policies, audit logging, and user training. Without these configurations, SharePoint does not meet HIPAA requirements. EPC Group configures all required controls as part of our healthcare governance engagements.
What Microsoft 365 license is required for HIPAA-compliant SharePoint?
For full HIPAA compliance, organizations need Microsoft 365 E5 or E3 with compliance add-ons. E5 includes Microsoft Purview Information Protection, advanced DLP, eDiscovery Premium, and advanced audit capabilities. E3 organizations can add the Microsoft 365 E5 Compliance add-on ($12/user/month) for equivalent capabilities. EPC Group helps healthcare organizations optimize licensing to meet compliance requirements without overspending.
How do Purview sensitivity labels protect PHI in SharePoint?
Microsoft Purview sensitivity labels classify and protect PHI by applying encryption, access restrictions, watermarks, and headers to documents and emails containing protected health information. Labels can be applied manually by users, recommended by AI-based classifiers, or auto-applied based on content inspection rules that detect PHI patterns like medical record numbers, diagnosis codes, and patient identifiers. Labels persist with documents even when shared externally.
Can healthcare organizations use Microsoft Teams for telehealth under HIPAA?
Yes, Microsoft Teams can be used for telehealth when properly configured under a signed BAA. Requirements include enabling compliance recording, configuring meeting policies to prevent unauthorized recording, implementing information barriers between departments, enabling audit logging for all meetings, and ensuring guest access policies restrict external participants appropriately. EPC Group implements Teams telehealth governance as part of our healthcare compliance practice.
What audit logging is required for HIPAA compliance in SharePoint?
HIPAA requires audit logs that track all access to PHI including who accessed the data, when, what actions were taken, and from which device/location. In SharePoint, this requires enabling Microsoft Purview Audit (Premium) for 365-day log retention, configuring custom audit policies for PHI-labeled content, setting up alerts for suspicious access patterns, and establishing regular audit review procedures. Logs must be retained for a minimum of six years per HIPAA requirements.