HIPAA-Compliant SharePoint: Governance for Healthcare Organizations
Healthcare organizations managing protected health information (PHI) must follow strict HIPAA requirements. This necessitates specialized SharePoint governance.
This guide includes essential controls to ensure SharePoint is HIPAA-compliant for:
- Clinical workflows
- Administrative workflows
- Research workflows
Key features discussed include Purview sensitivity labels, DLP policies, and conditional access.
Why SharePoint Governance Matters for HIPAA Compliance
Healthcare organizations increasingly rely on SharePoint as their primary document management and collaboration platform. Patient records, insurance claims, clinical research data, and internal communications all flow through SharePoint sites, libraries, and lists. Without a structured governance framework aligned to HIPAA requirements, organizations risk unauthorized PHI disclosure, civil penalties that are capped at roughly $2.13 million per violation category per calendar year (inflation-adjusted), and loss of patient trust.
SharePoint Online can support HIPAA, but it is not HIPAA-compliant by default. Microsoft provides the platform and signs a Business Associate Agreement (BAA); under this shared responsibility model the healthcare organization's IT and compliance teams must:
- Configure the security controls (labels, DLP, conditional access, audit) on the tenant
- Establish and enforce access policies
- Train staff on handling PHI
- Monitor compliance regularly and retain the evidence
At EPC Group, we have implemented HIPAA-aligned SharePoint governance for community health systems, multi-hospital networks, specialty clinics, and health insurance providers. Our approach addresses the five critical pillars: PHI classification, data loss prevention, access control, audit logging, and Teams compliance for telehealth.
Pillar 1: PHI Classification with Microsoft Purview Sensitivity Labels
The foundation of HIPAA-compliant SharePoint is accurate classification of protected health information. Microsoft Purview Information Protection provides sensitivity labels that classify, protect, and govern PHI throughout its lifecycle.
Sensitivity Label Taxonomy for Healthcare
Healthcare organizations should implement a label taxonomy that reflects their data classification policy. A proven four-tier approach includes:
Highly Confidential - PHI
Patient records: diagnosis codes, treatment plans, lab results, and insurance claims. The label:
- Applies AES-256 encryption through Azure Rights Management
- Restricts access to authorized clinical staff
- Prevents external sharing
- Adds watermarks
- Limits co-authoring of encrypted files to clients that support it (the tenant setting for co-authoring labeled files must be enabled or encrypted files cannot be co-authored at all)
The label is applied automatically when content matches PHI patterns, such as ICD-10 codes, MRNs, or SSNs found together with medical terms.
Confidential - Internal Healthcare
De-identified research data, operational reports, and staffing schedules that include patient load data. The label encrypts content and restricts access to accounts in the organization; paired with endpoint DLP and conditional access, it keeps copies off unmanaged devices.
Trainable classifiers recommend this label when content contains healthcare-adjacent information.
Internal Only
Administrative policies, HR documents, facility management records. No encryption; external sharing is blocked by the DLP rule keyed on this label and by the sharing settings of the sites where it is the default. Applied manually or by default on designated internal sites.
Public
Patient education materials, public health announcements, marketing content. No restrictions. Explicitly labeled to confirm intentional public classification.
Auto-Labeling Configuration
Manual labeling alone does not ensure HIPAA compliance. Users frequently forget or misclassify documents. Auto-labeling policies close this gap by:
- Using sensitive information types (SITs) to inspect content
- Identifying patterns of protected health information (PHI)
- Automatically applying the correct sensitivity label
Key SITs for healthcare include:
- U.S. Social Security Number (SSN): built-in SIT; require medical terms as supporting evidence within the proximity window to distinguish a clinical document from an HR or finance spreadsheet
- Medical Record Number (MRN): custom SIT with a regex matching your organization's MRN format, plus keywords such as "MRN" or "patient" as supporting evidence
- ICD-10-CM diagnosis codes: Purview ships a built-in ICD-10-CM SIT; a custom regex (a letter, two digits, then an optional period and up to four more alphanumeric characters) is only needed for non-standard formats. Short codes such as B12 are easy to false-match, so always require supporting evidence
- DEA registration numbers: two letters followed by seven digits, the last of which is a check digit; identifies the prescriber in controlled-substance documentation
- Medicare Beneficiary Identifier (MBI): the 11-character identifier that replaced the SSN-based Health Insurance Claim Number on Medicare cards
Auto-labeling policies should run in simulation mode for 7-14 days before enforcement to validate accuracy and minimize false positives that disrupt clinical workflows; the simulation results double as evidence that the SIT definitions were tested.
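The following is an added example, not Purview's own classifier and not code from the original page: it models how a SIT combines a primary pattern, a validator (SSN issuance rules, the DEA check digit), and nearby supporting evidence into a confidence level, and how an auto-labeling policy in simulation mode reports what it would label without touching anything. The MRN format (the prefix MRN plus eight digits), the medical term list, and the three documents are constructed assumptions.

```python
"""
Added example (not Purview's classifier): a small model of how a sensitive
information type (SIT) combines a primary pattern, a validator, and
supporting evidence into a confidence level, and how an auto-labeling policy
in simulation mode reports what it *would* label. The MRN format (MRN plus
eight digits) is a hypothetical organisation format; the documents are
constructed samples, not real patient data.
"""
import re
from dataclasses import dataclass

PROXIMITY = 300  # characters either side of a match searched for evidence
MEDICAL_TERMS = {"patient", "diagnosis", "dx", "treatment", "lab", "mrn",
                 "prescription", "rx", "icd", "physician", "discharge"}

PATTERNS = {
    # ICD-10-CM: letter, two digits, optional "." plus up to four alphanumerics.
    # Deliberately loose: "B12" (a parking space) matches, which is why
    # supporting evidence is required before a label is applied.
    "icd10cm": re.compile(r"\b[A-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?\b"),
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "mrn": re.compile(r"\bMRN[- ]?(\d{8})\b"),          # hypothetical format
    "dea": re.compile(r"\b([A-Z]{2})(\d{7})\b"),        # DEA registration number
}


@dataclass
class Match:
    sit: str
    value: str
    checksum_ok: bool   # validator passed (always True for SITs without one)
    supported: bool     # medical terms found within PROXIMITY characters

    @property
    def confidence(self) -> str:
        if not self.checksum_ok:
            return "low"
        return "high" if self.supported else "medium"


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000/666/900-999, group 00, or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def dea_checksum_ok(digits: str) -> bool:
    """DEA check digit: last digit of (d1+d3+d5) + 2*(d2+d4+d6) must equal d7."""
    d = [int(c) for c in digits]
    return (d[0] + d[2] + d[4] + 2 * (d[1] + d[3] + d[5])) % 10 == d[6]


def has_supporting_evidence(text: str, start: int, end: int) -> bool:
    window = text[max(0, start - PROXIMITY): end + PROXIMITY].lower()
    return bool(set(re.findall(r"[a-z]+", window)) & MEDICAL_TERMS)


def scan(text: str) -> list:
    """Return every SIT hit in the text together with its confidence inputs."""
    hits = []
    for sit, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if sit == "ssn":
                ok = ssn_plausible(*m.groups())
            elif sit == "dea":
                ok = dea_checksum_ok(m.group(2))
            else:
                ok = True
            hits.append(Match(sit, m.group(0), ok,
                              has_supporting_evidence(text, m.start(), m.end())))
    return hits


def recommend_label(hits: list):
    """Auto-label rule: apply the PHI label only on a high-confidence hit."""
    if any(h.confidence == "high" for h in hits):
        return "Highly Confidential - PHI"
    return None


def simulate(documents: dict) -> dict:
    """Simulation mode: report what would be labeled, apply nothing."""
    report = {}
    for name, text in documents.items():
        hits = scan(text)
        report[name] = {"label": recommend_label(hits),
                        "matches": [(h.sit, h.value, h.confidence) for h in hits]}
    return report


# Constructed sample documents (not real patient data).
SAMPLE_DOCS = {
    "clinical_note.docx": ("Patient Jane Doe, MRN 00123456, SSN 123-45-6789. "
                           "Dx: E11.9 type 2 diabetes. Rx issued by Dr. Smith, "
                           "DEA AS1234563."),
    "hr_payroll.xlsx": ("Employee payroll export: SSN 123-45-6789, "
                        "cost center 4410, parking space B12."),
    "intake_bad_ssn.docx": ("Patient intake form, SSN 000-12-3456, "
                            "diagnosis pending."),
}

if __name__ == "__main__":
    for doc, result in simulate(SAMPLE_DOCS).items():
        print(doc, "->", result["label"], result["matches"])
```

The HR spreadsheet contains a valid SSN and a string that looks like an ICD-10 code, yet is not labeled, because no medical terms sit near the matches; the intake form has the medical terms but an SSN that can never have been issued. Both are the false positives that a simulation run is meant to surface before enforcement.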
Pillar 2: Data Loss Prevention (DLP) Policies for Healthcare
DLP policies prevent unauthorized sharing of PHI across SharePoint, OneDrive, Teams, Exchange, and endpoints. Healthcare organizations need layered DLP policies that address different risk scenarios.
Essential DLP Policy Set
External Sharing Block
Blocks sharing of PHI-labeled content with external recipients. Applies to SharePoint, OneDrive, Teams chat, and Exchange email. Overridable only by compliance officers with business justification logging.
Unmanaged Device Restriction
Prevents download, print, or copy of PHI-labeled content on personal devices. Allows view-only access through the browser with no local caching. Enforced through conditional access app control in Microsoft Defender for Cloud Apps.
Bulk PHI Transfer Detection
Alerts when more than 10 PHI-containing documents are downloaded or shared within a 24-hour window. Potential indicator of data exfiltration or breach. Triggers incident review workflow.
Cross-Department PHI Boundary
Restricts PHI sharing between departments that do not have treatment, payment, or operations (TPO) relationships. Uses information barriers in combination with DLP to enforce minimum necessary access.
DLP Policy Tips and User Education
Effective Data Loss Prevention (DLP) depends on user cooperation. Policy tips provide real-time warnings when users attempt actions that violate DLP rules. These tips clarify the restrictions and suggest compliant alternatives.
For healthcare organizations, policy tips should:
- Reference specific HIPAA requirements to strengthen compliance culture.
- Be clear and actionable.
- Be non-punitive to support clinical workflow efficiency.
Pillar 3: Conditional Access and Zero Trust for Healthcare
Microsoft 365 conditional access policies enforce HIPAA's access control requirements by evaluating user identity, device compliance, location, and risk level before granting access to PHI.
Required Conditional Access Policies
- MFA for all PHI access: Require multi-factor authentication for any session accessing SharePoint sites containing PHI-labeled content. Use phishing-resistant methods (FIDO2 security keys, Windows Hello for Business) for clinical workstations.
- Compliant device requirement: Require Intune-enrolled, compliant devices for full access to PHI sites. Block or limit access from non-compliant devices to browser-only with no download capability.
- Named location restrictions: Restrict PHI access to approved networks (hospital campus, VPN, approved home office IPs). Block access from high-risk countries entirely.
- Session controls: Set the sign-in frequency for PHI access to 8 hours so users re-authenticate at least once per shift. Apply a 15-minute idle timeout on clinical workstations in shared spaces (nurse stations, exam rooms).
- Risk-based access: Integrate Microsoft Entra ID Protection risk signals. Block high-risk sign-ins outright, require MFA for medium-risk sign-ins, and require a secure password change (after MFA) when user risk is high.
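The point practitioners most often get wrong about the policies above is how they combine: every policy whose conditions match a sign-in applies at once, a block from any one of them wins, and otherwise the grant controls of all matching policies must be satisfied while their session controls are merged. The following is an added example, not Microsoft code and not from the original page, that models exactly that combination for the policy set listed above. The group names, app names, named-location tags, the placeholder country codes, and the sign-in scenarios are all constructed.

```python
"""
Added example (not Microsoft code): a model of how Entra ID conditional
access combines the policies listed in the text. Every matching policy
applies; any Block wins; otherwise all grant controls from all matching
policies must be met and their session controls are merged. Group names,
apps, named-location tags, country codes and sign-ins are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

PHI_APPS = {"SharePoint Online", "OneDrive"}          # apps fronting PHI sites
APPROVED_LOCATIONS = {"hospital-campus", "vpn", "home-office-allowlist"}
BLOCKED_COUNTRIES = {"XX", "YY"}                       # placeholder codes
PHISHING_RESISTANT = {"fido2", "windows-hello"}


@dataclass
class SignIn:
    user_group: str
    app: str
    device_compliant: bool
    location: str              # named-location tag; "unknown" if none matched
    country: str
    mfa_method: Optional[str]  # None = no second factor presented yet
    sign_in_risk: str          # none / low / medium / high


@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    block: bool = False
    grant: frozenset = frozenset()          # controls that must ALL be met
    session: dict = field(default_factory=dict)


POLICIES = [
    Policy("MFA for all PHI access", lambda s: s.app in PHI_APPS,
           grant=frozenset({"mfa"})),
    Policy("Phishing-resistant MFA on clinical workstations",
           lambda s: s.app in PHI_APPS and s.user_group == "clinical-staff"
           and s.location == "hospital-campus",
           grant=frozenset({"phishing_resistant_mfa"})),
    Policy("Non-compliant device: browser only, no download",
           lambda s: s.app in PHI_APPS and not s.device_compliant,
           session={"app_enforced_restrictions": True}),
    Policy("PHI only from approved networks",
           lambda s: s.app in PHI_APPS and s.location not in APPROVED_LOCATIONS,
           block=True),
    Policy("Block high-risk countries", lambda s: s.country in BLOCKED_COUNTRIES,
           block=True),
    Policy("Block high sign-in risk", lambda s: s.sign_in_risk == "high", block=True),
    Policy("MFA on medium sign-in risk", lambda s: s.sign_in_risk == "medium",
           grant=frozenset({"mfa"})),
    Policy("8-hour sign-in frequency for PHI", lambda s: s.app in PHI_APPS,
           session={"sign_in_frequency_hours": 8}),
]


def satisfied_controls(s: SignIn) -> set:
    met = set()
    if s.mfa_method:
        met.add("mfa")
    if s.mfa_method in PHISHING_RESISTANT:
        met.add("phishing_resistant_mfa")
    if s.device_compliant:
        met.add("compliant_device")
    return met


def evaluate(s: SignIn, policies=POLICIES) -> dict:
    matched = [p for p in policies if p.applies(s)]
    blockers = [p.name for p in matched if p.block]
    if blockers:                                   # any Block wins outright
        return {"decision": "block", "by": blockers}
    required = set().union(*(p.grant for p in matched))
    missing = required - satisfied_controls(s)
    if missing:                                    # user is challenged for these
        return {"decision": "interrupt", "required": sorted(missing)}
    session = {}
    for p in matched:                              # session controls accumulate
        session.update(p.session)
    return {"decision": "grant", "session": session,
            "policies": [p.name for p in matched]}


def demo() -> dict:
    base = dict(user_group="clinical-staff", app="SharePoint Online",
                device_compliant=True, location="hospital-campus",
                country="US", mfa_method="fido2", sign_in_risk="none")
    cases = {
        "nurse_campus_fido2": SignIn(**base),
        "nurse_campus_push": SignIn(**{**base, "mfa_method": "push"}),
        "physician_vpn_personal_tablet": SignIn(**{**base, "user_group": "physicians",
                                                  "device_compliant": False,
                                                  "location": "vpn", "mfa_method": "push"}),
        "coffee_shop": SignIn(**{**base, "location": "unknown"}),
        "blocked_country": SignIn(**{**base, "location": "vpn", "country": "XX"}),
        "medium_risk_no_mfa": SignIn(**{**base, "location": "vpn", "mfa_method": None,
                                        "sign_in_risk": "medium"}),
        "high_risk": SignIn(**{**base, "sign_in_risk": "high"}),
    }
    return {name: evaluate(s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32} {result}")
```

Two outcomes are worth checking when you test the real tenant the same way: a clinician who presents push MFA from a campus workstation is interrupted for a phishing-resistant factor rather than granted, because both MFA policies match and both must be met; and a physician on a personal tablet over VPN is granted, but with the browser-only session restriction merged in from the non-compliant-device policy.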
Device Management for Clinical Environments
Healthcare environments face unique challenges in device management. Shared clinical workstations, mobile devices used during rounds, and kiosk-mode tablets in patient rooms require specific Intune policies.
EPC Group sets up device compliance policies that balance security with clinical workflow needs. These include:
- Automatic sign-out on shared devices
- App protection policies for mobile clinical apps
- Conditional access exceptions for approved medical devices
Pillar 4: Audit Logging and HIPAA-Required Monitoring
HIPAA's Security Rule requires audit controls: mechanisms that record and let you examine activity in systems that hold electronic PHI. SharePoint's built-in auditing feeds the unified audit log, and Microsoft Purview Audit (Premium) extends retention and adds the higher-value events. Together they provide the foundation for compliance.
Audit Configuration Requirements
- Log retention: Microsoft Purview Audit (Premium) keeps audit records for one year by default, with a 10-year retention add-on available. HIPAA's six-year retention requirement (45 CFR 164.316(b)(2)) applies to required documentation, and most organizations treat audit evidence the same way, so export logs to Microsoft Sentinel or another SIEM for archival beyond the Purview retention window.
- Custom audit policies: Create targeted audit policies for PHI-labeled SharePoint sites that capture file access, modification, deletion, sharing, download, and permission changes.
- MailItemsAccessed logging: For PHI carried in email (referral letters, lab results), make sure the MailItemsAccessed event is being recorded. It captures reads and sync downloads of messages by the owner, delegates, or an attacker's app, and it is the event that lets you scope which messages were actually accessed after a mailbox compromise.
- Alert policies: Configure real-time alerts for suspicious PHI access patterns including off-hours access, bulk downloads, access from new devices/locations, and permission elevation attempts.
- Regular audit reviews: Establish weekly automated audit reports for PHI access, with quarterly human review by the compliance team and annual review by external auditors.
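The bulk PHI transfer rule in Pillar 2 (more than 10 PHI documents downloaded or shared by one user within 24 hours) and the off-hours and bulk-download alerts above are the same detection problem, so here is one added example serving both passages. It is not Microsoft's alert engine and not code from the original page: it runs the two rules over constructed records shaped like SharePoint unified audit log entries. The field names (CreationTime, UserId, Operation, ObjectId, SensitivityLabelId, ClientIP) follow the real audit schema, but the label GUID, users, URLs, and the assumption that business hours are 06:00 to 19:59 UTC are all made up for the example.

```python
"""
Added example (not Microsoft's alert engine): the bulk-transfer and off-hours
rules from the DLP and audit sections, run over constructed unified-audit-log
style records. Field names follow the SharePoint audit schema; the label
GUID, users and URLs are made up, and business hours are assumed to be
06:00-19:59 UTC (a real deployment would use site-local time).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

PHI_LABEL_ID = "8b6e3c1a-1111-4222-8333-444455556666"   # hypothetical label GUID
PHI_LABEL_IDS = {PHI_LABEL_ID}
BULK_THRESHOLD = 10                 # alert when MORE than this many distinct docs
WINDOW = timedelta(hours=24)
BUSINESS_HOURS = range(6, 20)       # assumed; 06:00-19:59
EXFIL_OPS = {"FileDownloaded", "FileSyncDownloadedFull",
             "SharingInvitationCreated", "AnonymousLinkCreated"}


def parse(lines):
    """Parse JSON audit records and sort them by event time."""
    recs = [json.loads(line) for line in lines if line.strip()]
    for r in recs:
        r["_ts"] = datetime.fromisoformat(r["CreationTime"].replace("Z", "+00:00"))
    return sorted(recs, key=lambda r: r["_ts"])


def is_phi(rec):
    return rec.get("SensitivityLabelId") in PHI_LABEL_IDS


def detect_bulk_transfer(records):
    """Sliding 24h window per user over distinct PHI documents downloaded or
    shared. One alert per user per run, raised when the threshold is first crossed."""
    alerts, alerted = [], set()
    recent = defaultdict(deque)          # user -> deque of (timestamp, object)
    for r in records:
        if r["Operation"] not in EXFIL_OPS or not is_phi(r):
            continue
        q = recent[r["UserId"]]
        q.append((r["_ts"], r["ObjectId"]))
        while r["_ts"] - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        distinct = {obj for _, obj in q}
        if len(distinct) > BULK_THRESHOLD and r["UserId"] not in alerted:
            alerted.add(r["UserId"])
            alerts.append({"rule": "bulk_phi_transfer", "user": r["UserId"],
                           "count": len(distinct), "at": r["CreationTime"]})
    return alerts


def detect_off_hours(records):
    """Any PHI-labeled activity (read, download or share) outside business hours."""
    return [{"rule": "off_hours_phi_access", "user": r["UserId"],
             "at": r["CreationTime"], "object": r["ObjectId"]}
            for r in records if is_phi(r) and r["_ts"].hour not in BUSINESS_HOURS]


def run(lines):
    recs = parse(lines)
    return {"bulk": detect_bulk_transfer(recs), "off_hours": detect_off_hours(recs)}


# ---- constructed sample log (not real audit data) ---------------------------
SITE = "https://contoso-health.sharepoint.com/sites"
NURSE, DOCTOR, ADMIN = ("nurse.k@contoso-health.example",
                        "dr.l@contoso-health.example",
                        "admin.p@contoso-health.example")


def _rec(ts, user, op, obj, label=PHI_LABEL_ID):
    return json.dumps({"CreationTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                       "UserId": user, "Operation": op, "Workload": "SharePoint",
                       "ObjectId": obj, "SensitivityLabelId": label,
                       "ClientIP": "10.20.30.40"})


T0 = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# 12 distinct PHI charts pulled in under four hours: should alert.
for i in range(12):
    SAMPLE_LOG.append(_rec(T0 + timedelta(minutes=20 * i), NURSE, "FileDownloaded",
                           f"{SITE}/Oncology/Shared Documents/chart-{i:03}.pdf"))
# 11 referrals over three working days (4+4+3): normal volume, must not alert.
n = 0
for day, per_day in enumerate((4, 4, 3)):
    for hour in range(per_day):
        SAMPLE_LOG.append(_rec(T0 + timedelta(days=day, hours=hour), DOCTOR,
                               "FileDownloaded",
                               f"{SITE}/Referrals/Shared Documents/referral-{n}.docx"))
        n += 1
# One PHI read at 02:30 (off-hours) and one non-PHI download at 03:00 (ignored).
SAMPLE_LOG.append(_rec(datetime(2024, 3, 6, 2, 30, tzinfo=timezone.utc), DOCTOR,
                       "FileAccessed", f"{SITE}/Oncology/Shared Documents/chart-000.pdf"))
SAMPLE_LOG.append(_rec(datetime(2024, 3, 6, 3, 0, tzinfo=timezone.utc), ADMIN,
                       "FileDownloaded", f"{SITE}/Facilities/Shared Documents/hvac-plan.pdf",
                       label=None))

if __name__ == "__main__":
    print(json.dumps(run(SAMPLE_LOG), indent=2))
```

The window is keyed on distinct documents rather than raw events, so a user who re-downloads the same chart a dozen times does not trip the rule, and the same day's 11 referrals spread across three days never accumulate past the threshold. In production the same logic runs as a Sentinel analytics rule over the exported audit table; the point of having it here is to make the threshold and window semantics explicit enough to test.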
Breach Detection and Response
HIPAA's Breach Notification Rule requires notifying affected individuals without unreasonable delay and no later than 60 days after a breach is discovered. A breach affecting 500 or more individuals must also be reported to HHS and to prominent media outlets within that same window; smaller breaches are logged and reported to HHS annually. Scoping a breach means establishing which records were affected and over what timeline, and two sources carry that evidence:
- SharePoint audit logs provide the forensic record of who accessed, downloaded, or shared what, and when.
- DLP incident reports show which policy matches fired and whether a user overrode them.
EPC Group uses automated breach detection workflows. These workflows utilize Microsoft Sentinel playbooks to:
- Correlate audit events
- Analyze DLP incidents
- Monitor Defender alerts
This approach helps identify potential breaches in near real-time.
Pillar 5: Teams Compliance for Telehealth
Microsoft Teams has become the primary telehealth platform for many healthcare organizations. HIPAA compliance for Teams requires specific governance controls beyond standard enterprise Teams deployment.
- Compliance recording: Enable policy-based compliance recording for telehealth appointments using certified recording partners. Recordings must be stored in HIPAA-compliant storage with PHI sensitivity labels applied automatically.
- Meeting policies: Restrict who can record meetings, disable transcription unless clinically required, prevent lobby bypass for external patients, enforce meeting end times to prevent accidental PHI disclosure in back-to-back appointments.
- Information barriers: Prevent communication between departments that should not share PHI (e.g., marketing and clinical departments). Information barriers block Teams chat, calling, and meeting invitations between barriered segments.
- Guest access governance: External specialists and consulting physicians need Teams access for care coordination. Configure guest access with time-limited sessions, restricted to specific Teams and channels, with full audit logging of all guest activities.
- Chat retention and eDiscovery: Apply retention policies to Teams chat containing PHI. Configure eDiscovery holds for litigation and regulatory investigations. Ensure chat data is searchable and exportable for compliance requests.
Business Associate Agreement (BAA) Documentation
To use SharePoint, Teams, or any Microsoft 365 service for storing or processing PHI, you need a signed BAA with Microsoft. Microsoft offers the BAA for eligible services accessed through qualifying license plans (E3, E5, G3, G5).
- BAA acceptance: Accepted through the Microsoft 365 admin center under Settings, Org Settings, Security & Privacy. The organization's global admin must formally accept the BAA.
- Covered services: SharePoint Online, OneDrive for Business, Exchange Online, Microsoft Teams, Microsoft Entra ID (formerly Azure Active Directory), Microsoft Purview, and Microsoft Defender are all covered under the BAA.
- Third-party add-ins: Any third-party SharePoint apps, Teams apps, or Power Platform connectors that process PHI require separate BAAs with those vendors. Evaluate every marketplace app before deployment.
- Subprocessor management: Microsoft maintains a list of subprocessors. Healthcare organizations should review this list quarterly and assess subprocessor compliance with organizational security requirements.
Implementation Roadmap: 90-Day HIPAA Governance Sprint
Healthcare organizations can achieve HIPAA-aligned SharePoint governance in 90 days with a structured approach. EPC Group's proven methodology follows this timeline:
- Weeks 1-2: Assessment and Discovery — Inventory all SharePoint sites containing PHI, document current sharing and access patterns, identify governance gaps against HIPAA requirements, review existing BAA coverage.
- Weeks 3-4: Sensitivity Labels and Classification — Design label taxonomy, configure sensitive information types for PHI, deploy auto-labeling policies in simulation mode, train compliance team on label management.
- Weeks 5-6: DLP Policy Deployment — Implement DLP policies in test mode, validate against clinical workflows, tune rules to minimize false positives, deploy policy tips for user education.
- Weeks 7-8: Conditional Access and Device Management — Deploy conditional access policies, configure Intune device compliance, implement session controls for clinical workstations, test clinical workflow impact.
- Weeks 9-10: Audit and Monitoring — Enable Purview Audit Premium, configure custom audit policies, deploy alert rules, set up audit review workflows and dashboards.
- Weeks 11-12: Teams Compliance and Validation — Configure telehealth governance controls, deploy information barriers, conduct end-to-end compliance testing, document all configurations for audit readiness.
Partner with EPC Group for Healthcare SharePoint Governance
EPC Group has implemented HIPAA-compliant SharePoint governance for healthcare organizations ranging from community health alliances to multi-state hospital networks. Our SharePoint consulting team combines deep Microsoft 365 expertise with healthcare compliance knowledge to deliver governance frameworks that protect PHI without disrupting clinical workflows. As author of multiple Microsoft Press books on SharePoint governance, Errin O'Connor brings unmatched expertise to every healthcare engagement.
Whether you need a comprehensive HIPAA governance assessment, specific Microsoft 365 compliance configurations, or ongoing governance management, EPC Group delivers enterprise-grade solutions for healthcare organizations of every size.
Schedule Your HIPAA SharePoint Assessment
Get a comprehensive review of your SharePoint environment against HIPAA requirements. Our team identifies gaps, prioritizes remediation, and delivers a 90-day governance roadmap.
Frequently Asked Questions
Is SharePoint Online HIPAA compliant out of the box?
No. Microsoft 365 and SharePoint Online are HIPAA-capable, meaning Microsoft will sign a Business Associate Agreement (BAA) and the platform supports the required security controls. However, HIPAA compliance requires proper configuration including sensitivity labels, DLP policies, conditional access policies, audit logging, and user training. Without these configurations, SharePoint does not meet HIPAA requirements. EPC Group configures all required controls as part of our healthcare governance engagements.
What Microsoft 365 license is required for HIPAA-compliant SharePoint?
For full HIPAA compliance, organizations need Microsoft 365 E5 or E3 with compliance add-ons. E5 includes Microsoft Purview Information Protection, advanced DLP, eDiscovery Premium, and advanced audit capabilities. E3 organizations can add the Microsoft 365 E5 Compliance add-on ($12/user/month) for equivalent capabilities. EPC Group helps healthcare organizations optimize licensing to meet compliance requirements without overspending.
How do Purview sensitivity labels protect PHI in SharePoint?
Microsoft Purview sensitivity labels classify and protect PHI by applying encryption, access restrictions, watermarks, and headers to documents and emails containing protected health information. Labels can be applied manually by users, recommended by AI-based classifiers, or auto-applied based on content inspection rules that detect PHI patterns like medical record numbers, diagnosis codes, and patient identifiers. Labels persist with documents even when shared externally.
Can healthcare organizations use Microsoft Teams for telehealth under HIPAA?
Yes, Microsoft Teams can be used for telehealth when properly configured under a signed BAA. Requirements include enabling compliance recording, configuring meeting policies to prevent unauthorized recording, implementing information barriers between departments, enabling audit logging for all meetings, and ensuring guest access policies restrict external participants appropriately. EPC Group implements Teams telehealth governance as part of our healthcare compliance practice.
What audit logging is required for HIPAA compliance in SharePoint?
HIPAA's audit control standard requires you to record and examine activity in systems holding ePHI: who accessed what, when, what action was taken, and from which device or location. In SharePoint this means enabling Microsoft Purview Audit (Premium), which retains records for one year by default, configuring custom audit policies for PHI-labeled content, setting up alerts for suspicious access patterns, and establishing regular audit review procedures. HIPAA sets a six-year retention period for required documentation; retain audit evidence for at least that long by exporting logs to a SIEM, since Purview's default retention does not cover it.
