Copilot and HIPAA: What Healthcare CIOs Must Know
The BAA covers the platform. It does not cover your broken permissions. Here is what you need to fix before Copilot touches PHI.
Microsoft signs a HIPAA BAA for M365 Copilot — but the BAA covers the platform, not your broken permissions. Before enabling Copilot for any clinical user, you must audit SharePoint permissions, classify PHI with sensitivity labels, and block unauthorized PHI access. EPC Group has deployed Copilot for 9 Houston healthcare systems under HIPAA BAA with zero PHI exposure events.
Key Facts
- Microsoft's HIPAA BAA covers M365 Copilot when properly executed at tenant creation.
- The BAA does not fix broken SharePoint permissions — that work is the customer's responsibility.
- Copilot can access Teams meeting recordings, SharePoint medical records, email attachments, OneDrive clinical notes, and Teams chat discussions.
- EPC Group's healthcare-specific 47-Point Checklist covers PHI data protection, access controls, clinical workflow, and compliance audit.
- HIPAA-compliant Copilot deployment takes 11–14 weeks across four phases.
- 9 Houston healthcare systems live in production with M365 Copilot under HIPAA BAA — zero PHI exposure events.
HIPAA + Copilot: The BAA Covers the Platform
Quick Answer: Yes, Microsoft Copilot for M365 is covered under Microsoft's Business Associate Agreement (BAA). Microsoft processes Copilot queries within the M365 compliance boundary and does not use your data to train foundation models. The BAA covers the platform. But the BAA does not cover your tenant configuration — and that is where every healthcare HIPAA violation with Copilot originates.
Healthcare CIOs often ask, “Is Copilot HIPAA compliant?” However, this question misses the main point. The real concern is, “Is our Microsoft 365 tenant configured to stop Copilot from revealing PHI to unauthorized users?”
For most healthcare organizations we audit, the answer is no.
Microsoft's BAA ensures that the platform's infrastructure meets HIPAA requirements. This includes:
- Data encryption
- Data residency
- Access controls at the service level
However, Copilot uses the permissions of each individual user.
- If your SharePoint sites have broken permission inheritance,
- If your Teams meeting recordings are accessible to all channel members,
- If your email attachments containing lab results are in shared mailboxes with broad access,
Copilot will expose that PHI to anyone who asks.
EPC Group has deployed M365 and Copilot for healthcare organizations for over 29 years. Our Healthcare Copilot Safety Blueprint addresses the unique challenge of healthcare: protecting PHI while maintaining the data accessibility clinicians need for patient care.
But the BAA Does Not Cover Broken Permissions
The Core Problem: In healthcare tenant audits, EPC Group finds an average of 12-18 SharePoint sites containing PHI with overshared permissions. This means non-clinical staff — HR, finance, facilities, IT — can access patient records, lab results, and clinical documentation. Before Copilot, this was a latent risk. With Copilot, it becomes an active HIPAA violation the moment a non-clinical employee asks Copilot a question and it surfaces PHI from an overshared site.
The distinction is crucial from a legal perspective. Under HIPAA, a covered entity must implement appropriate administrative, physical, and technical safeguards for PHI.
The BAA identifies Microsoft as a business associate. This designation makes Microsoft responsible for platform-level safeguards.
However, tenant-level access controls are the responsibility of the covered entity. This includes:
- Who can access specific SharePoint sites
- Who can access particular Teams channels
- Who can access shared mailboxes
When OCR investigates a PHI breach, they check if the covered entity has reasonable access controls in place. Simply stating, “We have a BAA with Microsoft,” does not prove that you limited PHI access to authorized users.
If Copilot shows patient records to a facilities manager with access to a clinical SharePoint site, this indicates a failure in your access controls. This issue does not stem from Microsoft’s platform.
Real Scenario: A hospital system with 3,000 employees deployed Copilot without conducting a permission audit. Within two weeks, an HR analyst used Copilot to research employee benefits. The response included patient treatment notes from a SharePoint site that was shared with “Everyone except external users.”
The site was created 4 years ago by a clinical department to allow quick collaboration. Unfortunately, the broad permissions were never revoked.
This oversight resulted in a HIPAA violation, which exposed 47 patient records.
PHI Exposure Risks: Where Copilot Finds Patient Data
Copilot searches across all M365 services available to a user. In healthcare, Protected Health Information (PHI) exists in every service. Permission gaps can lead to new exposure paths that were not present before Copilot.
Teams Meeting Recordings
The Risk
Clinical case conferences, patient consultations, and care coordination meetings are automatically transcribed. Copilot indexes these transcriptions and can surface patient names, diagnoses, treatment plans, and medication discussions to any user with access to the Teams channel or meeting recording.
Mitigation
Restrict meeting recording access to meeting organizers and designated compliance staff. Implement sensitivity labels on clinical meeting recordings. Configure retention policies to auto-delete transcriptions after review period.
SharePoint Medical Records
The Risk
Patient records, lab results, imaging reports, and clinical documentation stored in SharePoint are fully searchable by Copilot. Sites with broken permission inheritance or "Everyone except external users" access grant organization-wide PHI exposure.
Mitigation
Audit all clinical SharePoint sites for permission inheritance breaks. Remove broad-scope permissions. Apply sensitivity labels with encryption. Implement site-level access reviews on a 90-day cycle.
Email Attachments
The Risk
Lab results, referral letters, insurance authorizations, and patient correspondence sent as email attachments are indexed by Copilot. Shared mailboxes used by clinical departments are particularly high-risk — Copilot can surface any attachment from a shared mailbox to any user with mailbox access.
Mitigation
Deploy DLP policies scanning email attachments for PHI patterns (MRN, SSN, diagnostic codes). Configure sensitivity labels for clinical email. Restrict shared mailbox access to authorized clinical staff only.
OneDrive Clinical Notes
The Risk
Physicians and clinical staff frequently store patient notes, care plans, and clinical documentation in OneDrive for convenience. If OneDrive sharing defaults are set to "People in your organization," these files become Copilot-accessible to everyone.
Mitigation
Change OneDrive sharing defaults to "Specific people" only. Deploy auto-labeling policies that detect PHI in OneDrive files. Configure DLP policies blocking broad sharing of PHI-containing documents.
Teams Chat Discussions
The Risk
Clinical staff discussing patients in Teams channels and chats creates searchable PHI. Copilot can surface these conversations when users ask questions about patients, cases, or clinical decisions — even if the user asking is in a non-clinical department with channel access.
Mitigation
Implement information barriers between clinical and non-clinical departments. Create dedicated clinical Teams channels with restricted membership. Deploy DLP policies scanning Teams messages for PHI patterns.
Healthcare-Specific 47-Point Checklist
EPC Group's Healthcare Copilot Safety Blueprint improves our standard 47-Point Framework. It adds HIPAA-specific controls to address unique risks.
These additional checkpoints focus on:
- Risks related to Protected Health Information (PHI)
- Areas often overlooked by general security assessments
PHI Data Protection
- PHI data classification scan across all M365 services
- Sensitivity labels configured for PHI with encryption
- Auto-labeling policies detecting PHI patterns (MRN, SSN, ICD codes)
- DLP policies preventing PHI in Copilot-generated content
- PHI retention policies aligned with state and federal requirements
- External sharing blocked for PHI-labeled content
Access Controls
- Information barriers between clinical and administrative departments
- SharePoint clinical site permission inheritance audit
- Teams clinical channel membership review
- Shared mailbox access restricted to authorized clinical staff
- Guest access review (vendors, contractors, referring physicians)
- Former employee and contractor access termination verification
Clinical Workflow
- Teams meeting recording policies for clinical meetings
- Clinical Teams channel Copilot access configuration
- Copilot prompt guardrails for clinical use cases
- Clinical document template standardization
- Care coordination workflow PHI boundary analysis
- EHR integration data flow security review
Compliance & Audit
- Copilot audit logging for PHI-returning queries
- BAA validation for all M365 services in use
- HIPAA-specific retention policies for clinical content
- Breach notification procedure for Copilot-related PHI exposure
- OCR investigation readiness documentation
- Annual HIPAA security risk assessment integration
Remediation for Healthcare: Balancing Access and Protection
Healthcare remediation faces unique challenges. Overly restricted access can hinder patient care. For example, if a clinical team loses access to shared documents during a shift, it may lead to patient safety issues.
EPC Group's healthcare approach ensures that:
- Every permission change is validated.
- Clinical workflow analysis is conducted before implementation.
Phase 1: PHI Identification (Weeks 1-3)
Use Microsoft Purview data classification to scan all M365 services for PHI. Include custom healthcare content types such as:
- MRN patterns
- ICD-10 codes
- LOINC codes
Next, map every location where PHI is stored and identify who currently has access. This will create the baseline exposure map.
Phase 2: Clinical Workflow Validation (Weeks 4-6)
Before changing any permissions, confirm with clinical leadership the access needed for care delivery. It is important to map data flows between departments, including:
- Referrals
- Care coordination
- Case management
- Discharge planning
Identify the minimum access required for each role. This helps avoid the common issue of disrupting clinical workflows during remediation.
Phase 3: Permission Remediation (Weeks 7-10)
Implement permission changes in stages. Start with non-clinical sites such as HR, finance, and facilities. These areas have a lower risk to patient safety.
- Deploy sensitivity labels and DLP policies.
- Set up information barriers between clinical and administrative departments.
- Validate clinical workflows after each stage.
Phase 4: Copilot Pilot (Weeks 11-14)
Deploy Copilot to 50-100 users in clinical and administrative departments. Monitor usage logs to find patterns of PHI exposure.
Ensure that information barriers are effective in preventing cross-department PHI leakage.
Refine DLP policies based on actual Copilot usage. Document evidence of HIPAA compliance to prepare for OCR readiness.
EPC Group's Healthcare Track Record
700+
M365 Tenants Secured
29
Years Microsoft Expertise
100%
HIPAA Audit Pass Rate
EPC Group's healthcare practice includes:
- Hospital systems
- Health insurance providers
- Clinical research organizations
- Pharmaceutical companies
- Medical device manufacturers
We recognize that healthcare IT goes beyond security. It is essential for helping clinicians provide patient care while safeguarding the data created during that care.
Our HIPAA-Compliant Microsoft 365 Deployment Guide provides the complete framework for healthcare organizations deploying or securing M365 — from initial configuration through Copilot enablement. The Healthcare Copilot Safety Blueprint is an extension of this proven methodology, adapted for the specific risks that AI-powered search introduces to PHI-containing environments.
Frequently Asked Questions
Is Microsoft Copilot HIPAA compliant for healthcare organizations?
Yes — Microsoft Copilot for M365 is covered under Microsoft's Business Associate Agreement (BAA), which is a prerequisite for HIPAA compliance. However, the BAA only covers the platform, not your configuration. If your M365 tenant has overshared SharePoint sites containing patient records, broken permission inheritance exposing PHI, or Teams meeting recordings with clinical discussions, Copilot will surface that data to any user with access — creating HIPAA violations regardless of the BAA. HIPAA compliance requires both the BAA (platform) and proper tenant configuration (your responsibility).
Can Copilot access protected health information (PHI)?
Copilot can access any data that the user querying it has access to — including PHI stored in SharePoint, OneDrive, Exchange, and Teams. If a non-clinical employee has been inadvertently granted access to a SharePoint site containing patient records (a common finding in healthcare tenant audits), Copilot will surface that PHI in response to their queries. The risk is amplified because Copilot makes data discovery effortless — users don't need to know where PHI is stored or navigate to it. A simple prompt like "summarize recent patient discussions" could surface PHI from Teams meetings, emails, and documents across the entire tenant.
What PHI exposure risks does Copilot create in healthcare?
The top PHI exposure risks from Copilot in healthcare environments are: 1) Teams meeting recordings — clinical case discussions, patient consultations, and care coordination meetings are transcribed and searchable by Copilot, 2) SharePoint medical records — patient data stored in SharePoint libraries with overshared permissions becomes Copilot-accessible, 3) Email attachments — lab results, referral letters, and insurance documents attached to emails are indexed by Copilot, 4) OneDrive clinical notes — physicians storing patient notes in OneDrive create PHI exposure if sharing settings are misconfigured, 5) Teams chat — clinical staff discussing patients in Teams channels creates searchable PHI that Copilot can surface to anyone with channel access.
What is the healthcare-specific Copilot security checklist?
EPC Group's Healthcare 47-Point Checklist extends our standard framework with HIPAA-specific controls: PHI data classification scan across all M365 services, information barriers between clinical and administrative departments, sensitivity labels for PHI content with auto-labeling, DLP policies preventing PHI in Copilot-generated outputs, Teams meeting recording policies restricting clinical meeting transcription access, SharePoint site-level permissions audit for all clinical sites, guest access review (vendors, contractors, referring physicians), audit logging for Copilot queries that return PHI, HIPAA-specific retention policies for clinical content, and BAA validation for all M365 services in use.
How long does HIPAA-compliant Copilot deployment take for healthcare?
Healthcare organizations typically require 12-20 weeks for HIPAA-compliant Copilot deployment: Weeks 1-3 for the 47-Point Security Assessment with healthcare overlay, Weeks 4-10 for PHI-specific remediation (permission fixes, sensitivity labels, DLP policies, information barriers), Weeks 11-14 for controlled pilot with clinical champions (50-100 users from both clinical and administrative departments), and Weeks 15-20 for phased department rollout with HIPAA-specific training. This is 50-75% longer than non-healthcare deployments because PHI remediation requires clinical workflow validation — you cannot restrict access to data that clinicians need for patient care.
Does EPC Group have healthcare Copilot deployment experience?
EPC Group has deployed Microsoft 365 and Copilot for healthcare organizations including hospital systems, health insurance providers, clinical research organizations, and medical device companies. Our healthcare practice has 29 years of HIPAA compliance experience across 700+ tenant engagements. We understand the unique challenge of healthcare: balancing data accessibility for patient care with PHI protection for HIPAA compliance. Our Healthcare Copilot Safety Blueprint includes PHI-specific data classification, clinical workflow analysis, and department-level information barriers that protect PHI without disrupting care delivery.
Protect PHI Before Enabling Copilot
EPC Group offers Copilot & M365 Tenant Security Reviews for businesses across all industries. We have secured more than 700 tenants and have 29 years of Microsoft experience. Our aim is to identify what Copilot can access that it should not.
Our Healthcare Copilot Safety Blueprint includes PHI-specific data classification, clinical workflow validation, and HIPAA compliance documentation. Start with the 47-Point Security Review ($15,000).
Copilot and HIPAA: Healthcare Deployment Security Guide 2026
Microsoft has signed a HIPAA BAA for M365 Copilot. This BAA only covers the platform and does not resolve your current permission issues.
Before enabling Copilot for any clinical user, you must:
- Review your existing permissions.
- Ensure compliance with HIPAA regulations.
- Train users on proper usage of the tool.
- Review your existing permissions.
- Ensure compliance with HIPAA regulations.
- Train users on proper usage of Copilot.
- Audit SharePoint permissions.
- Classify PHI with sensitivity labels.
- Block unauthorized PHI access.
EPC Group has successfully deployed Copilot for 9 Houston healthcare systems under the HIPAA BAA, with zero PHI exposure events.
Key facts
- Microsoft's HIPAA BAA covers M365 Copilot when properly executed at tenant creation.
- The BAA does not fix broken SharePoint permissions — that work is the customer's responsibility.
- Copilot can access Teams meeting recordings, SharePoint medical records, email attachments, OneDrive clinical notes, and Teams chat discussions.
- EPC Group's healthcare-specific 47-Point Checklist covers PHI data protection, access controls, clinical workflow, and compliance audit.
- HIPAA-compliant Copilot deployment takes 11–14 weeks across four phases.
- 9 Houston healthcare systems live in production with M365 Copilot under HIPAA BAA — zero PHI exposure events.
The BAA Covers the Platform — Not Broken Permissions
Microsoft's HIPAA Business Associate Agreement applies to the M365 platform. However, it does not cover how you configure permissions.
If a nurse can see an orthopedic surgeon's patient list because of a missed SharePoint permission, Copilot will show that information when the nurse asks a general question.
The BAA is necessary. It is not sufficient. The permissions work is yours to do before any Copilot license goes live.
PHI Exposure Risks: Where Copilot Finds Patient Data
Teams Meeting Recordings
The risk: Clinical discussions, patient case reviews, and M&A strategy meetings are recorded in Teams. These recordings are stored in OneDrive. Any user with access to that OneDrive folder can request Copilot to summarize the recording.
Mitigation:
- Apply sensitivity labels to all clinical meeting recordings.
- Restrict recording storage to a governed Teams channel with clinical-only membership.
- Disable Copilot summarization for meetings flagged as clinical via meeting policies.
SharePoint Medical Records
The risk: Medical record libraries might have broken permission inheritance. This issue can allow clinical staff who are not part of the intended care team to gain access. Additionally, Copilot shows this content when any authorized user searches for related topics.
Mitigation:
- Audit permission inheritance across all SharePoint clinical sites.
- Apply PHI sensitivity labels with encryption — only authorized users can open encrypted content.
- Implement information barriers between clinical and administrative departments.
Email Attachments
The risk: PHI shared as email attachments in Outlook is indexed by Copilot. Clinical staff can ask Copilot to summarize these attachments. This can occur even if the attachments were not intended for wide access.
Mitigation:
- Apply auto-labeling to classify PHI in email attachments.
- Configure DLP policies to block PHI attachment forwarding to non-clinical users.
- Restrict Copilot in Outlook from summarizing PHI-labeled attachments for users without clinical access roles.
OneDrive Clinical Notes
The risk: Clinicians store patient notes in personal OneDrive folders, sometimes using shared-with-everyone links for quick access. Copilot indexes these files across the tenant.
Mitigation:
- Block company-wide sharing links for PHI-labeled content.
- Audit OneDrive files shared beyond the immediate care team.
- Move clinical notes from personal OneDrive to governed SharePoint clinical sites.
Teams Chat Discussions
The risk: Clinical Teams chats containing patient information are searchable by Copilot across the tenant. A user in a different department can ask Copilot to summarize recent clinical discussions.
Mitigation:
- Implement information barriers that prevent Teams chat search across clinical and administrative groups.
- Apply retention policies to clinical Teams chats per HIPAA retention requirements.
- Configure sensitivity labels on Teams channels to restrict Copilot summarization to authorized users.
Healthcare-Specific 47-Point Checklist
PHI Data Protection
- PHI data classification scan across all M365 services
- Sensitivity labels configured for PHI with encryption
- Auto-labeling policies detecting PHI patterns (MRN, SSN, ICD codes)
- DLP policies preventing PHI in Copilot-generated content
- PHI retention policies aligned with state and federal requirements
- External sharing blocked for PHI-labeled content
Access Controls
- Information barriers between clinical and administrative departments
- SharePoint clinical site permission inheritance audit
- Teams clinical channel membership review
- Shared mailbox access restricted to authorized clinical staff
- Guest access revoked from all clinical sites and channels
- Conditional Access policy targeting Copilot-licensed clinical users
Clinical Workflow
- Copilot meeting policies configured per meeting type (clinical vs administrative)
- Teams recording policies reviewed for clinical channels
- OneDrive clinical notes migration to governed SharePoint sites
- Copilot in Outlook restricted for PHI-heavy clinical inboxes
Compliance and Audit
- Microsoft HIPAA BAA executed
- Audit (Premium) enabled for 6-year log retention
- Copilot interaction logs enabled for PHI access review
- Monthly compliance report covering Copilot PHI access events
- Annual HIPAA risk assessment updated to include Copilot scope
HIPAA-Compliant Copilot Deployment Timeline
Phase 1: PHI Identification (Weeks 1–3)
- Run Purview Content Explorer scan to identify PHI across all M365 services
- Map PHI locations: SharePoint sites, Teams channels, OneDrive folders, shared mailboxes
- Score PHI exposure risk by location and access breadth
Phase 2: Clinical Workflow Validation (Weeks 4–6)
- Interview clinical department leads on data access requirements
- Map legitimate clinical access patterns to permissions
- Identify Copilot use cases that clinical staff want to enable
Phase 3: Permission Remediation (Weeks 7–10)
- Apply PHI sensitivity labels and enforce encryption
- Fix SharePoint inheritance breaks on clinical sites
- Implement information barriers
- Deploy DLP policies for Copilot output
- Configure meeting policies per meeting type
Phase 4: Copilot Pilot (Weeks 11–14)
- Assign Copilot licenses to a clinical pilot group (25–50 users)
- Monitor for PHI exposure events in Purview and Sentinel
- Collect clinical user feedback on workflow integration
- Expand to broader clinical population after two clean monitoring weeks
EPC Group's Healthcare Track Record
- 9 Houston healthcare systems live in production with M365 Copilot under HIPAA BAA — zero PHI exposure events.
- 700+ M365 tenants secured for Copilot deployment nationwide.
- 29 years of healthcare IT consulting on Microsoft platforms.
- HIPAA-compliant Microsoft 365 implementations across hospital systems, physician groups, and healthcare payers.
Frequently Asked Questions
Is Microsoft Copilot HIPAA compliant for healthcare organizations?
Yes, Microsoft signs a HIPAA BAA for M365 Copilot when it is properly configured. This BAA applies to the platform. However, healthcare organizations must take several steps before enabling Copilot for clinical users:
- Ensure proper configuration of M365 Copilot.
- Review compliance requirements specific to your organization.
- Train clinical users on the platform's features and limitations.
- Ensure M365 Copilot is correctly set up.
- Review compliance requirements specific to your organization.
- Train clinical users on the proper use of the tool.
- Audit SharePoint permissions
- Classify PHI with sensitivity labels
- Deploy DLP
- Implement information barriers
Can Copilot access protected health information?
Yes, Copilot can access any content that the user is allowed to view. This includes:
- PHI in SharePoint
- Teams recordings
- Email attachments
- OneDrive
If permissions are not set correctly, Copilot may show PHI to users who should not have access.
What PHI exposure risks does Copilot create in healthcare?
There are five main PHI exposure vectors:
- Teams meeting recordings with clinical discussions
- SharePoint medical records with broken permission inheritance
- Email attachments containing PHI
- OneDrive clinical notes with broad sharing links
- Teams chat discussions accessed across department boundaries
How long does HIPAA-compliant Copilot deployment take?
EPC Group's four-phase process lasts 11–14 weeks. The phases are as follows:
- Weeks 1–6: PHI identification and clinical workflow validation.
- Weeks 7–10: Permission remediation.
- Weeks 11–14: Clinical pilot with monitoring.
Does EPC Group have healthcare Copilot deployment experience?
Yes. EPC Group has successfully deployed M365 Copilot for 9 healthcare systems in Houston. This was done under HIPAA BAA, with zero PHI exposure events.
Additionally, we have secured over 700 Microsoft 365 tenants for Copilot deployment across the nation.
Protect PHI Before Enabling Copilot
EPC Group's healthcare Copilot team covers permissions, PHI classification, clinical workflow validation, and HIPAA audit documentation. Call (888) 381-9725 or schedule a healthcare Copilot readiness review.