EPC Group - Enterprise Microsoft AI, SharePoint, Power BI, and Azure Consulting
Copilot and HIPAA: What Healthcare CIOs Must Know

The BAA covers the platform. It does not cover your broken permissions. Here is what you need to fix before Copilot touches PHI.

HIPAA + Copilot: The BAA Covers the Platform

Quick Answer: Yes, Microsoft Copilot for M365 is covered under Microsoft's Business Associate Agreement (BAA). Microsoft processes Copilot queries within the M365 compliance boundary and does not use your data to train foundation models. The BAA covers the platform. But the BAA does not cover your tenant configuration — and that is where every healthcare HIPAA violation with Copilot originates.

Healthcare CIOs asking “Is Copilot HIPAA compliant?” are asking the wrong question. The right question is: “Is our Microsoft 365 tenant configured so that Copilot cannot expose PHI to unauthorized users?” For the vast majority of healthcare organizations we audit, the answer is no.

Microsoft's BAA ensures that the platform infrastructure — data encryption, data residency, access controls at the service level — meets HIPAA requirements. But Copilot inherits the permissions of each individual user. If your SharePoint sites have broken permission inheritance, if your Teams meeting recordings are accessible to all channel members, if your email attachments containing lab results are in shared mailboxes with broad access — Copilot will surface that PHI to anyone who asks.

EPC Group has deployed M365 and Copilot for healthcare organizations for over 29 years. Our Healthcare Copilot Safety Blueprint addresses the unique challenge of healthcare: protecting PHI while maintaining the data accessibility clinicians need for patient care.

But the BAA Does Not Cover Broken Permissions

The Core Problem: In healthcare tenant audits, EPC Group finds an average of 12-18 SharePoint sites containing PHI with overshared permissions. This means non-clinical staff — HR, finance, facilities, IT — can access patient records, lab results, and clinical documentation. Before Copilot, this was a latent risk. With Copilot, it becomes an active HIPAA violation the moment a non-clinical employee asks Copilot a question and it surfaces PHI from an overshared site.

The distinction matters legally. Under HIPAA, a covered entity is responsible for implementing appropriate administrative, physical, and technical safeguards for PHI. The BAA makes Microsoft a business associate responsible for platform-level safeguards. But tenant-level access controls — who can access which SharePoint sites, which Teams channels, which shared mailboxes — are the covered entity's responsibility.

When OCR investigates a PHI breach, they examine whether the covered entity implemented reasonable access controls. “We have a BAA with Microsoft” does not demonstrate that you restricted PHI access to authorized users. Copilot surfacing patient records to a facilities manager because their account has access to a clinical SharePoint site is a failure of your access controls, not Microsoft's platform.

Real Scenario: A 3,000-employee hospital system deployed Copilot without a permission audit. Within two weeks, an HR analyst used Copilot to research employee benefits and received a response that included patient treatment notes from a SharePoint site shared with “Everyone except external users.” The site was created 4 years earlier by a clinical department that needed quick collaboration — and the broad permissions were never revoked. This single query constituted a HIPAA violation exposing 47 patient records.

PHI Exposure Risks: Where Copilot Finds Patient Data

Copilot searches across all M365 services a user has access to. In healthcare environments, PHI exists in every service — and permission gaps create exposure paths that did not exist before Copilot.

Teams Meeting Recordings (Critical Risk)

The Risk: Clinical case conferences, patient consultations, and care coordination meetings are automatically transcribed. Copilot indexes these transcriptions and can surface patient names, diagnoses, treatment plans, and medication discussions to any user with access to the Teams channel or meeting recording.

Mitigation: Restrict meeting recording access to meeting organizers and designated compliance staff. Implement sensitivity labels on clinical meeting recordings. Configure retention policies to auto-delete transcriptions after the review period.

SharePoint Medical Records (Critical Risk)

The Risk: Patient records, lab results, imaging reports, and clinical documentation stored in SharePoint are fully searchable by Copilot. Sites with broken permission inheritance or "Everyone except external users" access grant organization-wide PHI exposure.

Mitigation: Audit all clinical SharePoint sites for permission inheritance breaks. Remove broad-scope permissions. Apply sensitivity labels with encryption. Implement site-level access reviews on a 90-day cycle.
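The audit this mitigation calls for, as an added example that is not part of the original article or EPC Group's own tooling: a PnP PowerShell script that walks every site collection, flags site groups containing the "Everyone" or "Everyone except external users" claims, and lists document libraries that have broken permission inheritance. The admin URL and app client ID are placeholders; it assumes the PnP.PowerShell module and an account permitted to read every site.

```powershell
# Added example, not EPC Group's or Microsoft's tooling. Assumes PnP.PowerShell and
# an Entra app registration (placeholder ClientId) the admin account has consented to.
$TenantAdminUrl = "https://contoso-admin.sharepoint.com"      # placeholder tenant
$ClientId       = "00000000-0000-0000-0000-000000000000"      # placeholder app id

# Well-known SharePoint claim prefixes for the two broad-scope principals.
$BroadClaims = @{
    "c:0(.s|true"                            = "Everyone"
    "c:0-.f|rolemanager|spo-grid-all-users/" = "Everyone except external users"
}

Connect-PnPOnline -Url $TenantAdminUrl -Interactive -ClientId $ClientId
$Sites = Get-PnPTenantSite   # every site collection, including clinical team sites

$Findings = foreach ($Site in $Sites) {
    # Re-connect per site. For unattended runs, replace -Interactive with a
    # certificate-based app connection so no sign-in prompt is needed.
    Connect-PnPOnline -Url $Site.Url -Interactive -ClientId $ClientId

    # Finding 1: a broad-scope claim sitting in any site group (Visitors, Members, custom)
    foreach ($Group in Get-PnPGroup) {
        foreach ($Member in (Get-PnPGroupMember -Group $Group)) {
            foreach ($Prefix in $BroadClaims.Keys) {
                if ($Member.LoginName.StartsWith($Prefix)) {
                    [pscustomobject]@{
                        Site    = $Site.Url
                        Finding = "BroadScopePrincipal"
                        Detail  = "'$($BroadClaims[$Prefix])' is in group '$($Group.Title)'"
                    }
                }
            }
        }
    }

    # Finding 2: document libraries (BaseTemplate 101) with unique role assignments,
    # i.e. inheritance from the site was broken and may never have been reviewed.
    Get-PnPList -Includes HasUniqueRoleAssignments |
        Where-Object { $_.BaseTemplate -eq 101 -and $_.HasUniqueRoleAssignments } |
        ForEach-Object {
            [pscustomobject]@{
                Site    = $Site.Url
                Finding = "InheritanceBroken"
                Detail  = "Library '$($_.Title)' has unique permissions"
            }
        }
}

# Export for the exposure map and triage against the PHI classification scan.
$Findings | Export-Csv -Path .\site-permission-findings.csv -NoTypeInformation
$Findings | Format-Table -AutoSize
```

Cross-reference the CSV with the PHI classification results: a site that appears in both lists is the oversharing case the article describes and belongs in the first remediation wave.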

Email Attachments (High Risk)

The Risk: Lab results, referral letters, insurance authorizations, and patient correspondence sent as email attachments are indexed by Copilot. Shared mailboxes used by clinical departments are particularly high-risk — Copilot can surface any attachment from a shared mailbox to any user with mailbox access.

Mitigation: Deploy DLP policies scanning email attachments for PHI patterns (MRN, SSN, diagnostic codes). Configure sensitivity labels for clinical email. Restrict shared mailbox access to authorized clinical staff only.

OneDrive Clinical Notes (High Risk)

The Risk: Physicians and clinical staff frequently store patient notes, care plans, and clinical documentation in OneDrive for convenience. If OneDrive sharing defaults are set to "People in your organization," these files become Copilot-accessible to everyone.

Mitigation: Change OneDrive sharing defaults to "Specific people" only. Deploy auto-labeling policies that detect PHI in OneDrive files. Configure DLP policies blocking broad sharing of PHI-containing documents.
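The weak and corrected sharing defaults side by side, as an added example that is not the article's own code or EPC Group's tooling, using the SharePoint Online Management Shell. The admin URL is a placeholder, and it assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator account.

```powershell
# Added example, not EPC Group's tooling. Assumes Microsoft.Online.SharePoint.PowerShell
# and a SharePoint admin account; the admin URL is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Weak state the text describes: new sharing links default to "People in your
# organization" (Internal) with Edit rights, so a clinical note shared "for
# convenience" is readable by every user, and therefore by every user's Copilot.
Get-SPOTenant | Select-Object DefaultSharingLinkType, DefaultLinkPermission

# Corrected tenant defaults: links go to "Specific people" (Direct) with View rights.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View

# Individual OneDrive sites can carry their own default that overrides the tenant
# setting. Report any still defaulting to organization-wide or anonymous links
# and reset them to None, which means "inherit the tenant default".
$PersonalSites = Get-SPOSite -IncludePersonalSite $true -Limit All `
                     -Filter "Url -like '-my.sharepoint.com/personal/'"

$Overrides = foreach ($Site in $PersonalSites) {
    $Detail = Get-SPOSite -Identity $Site.Url -Detailed
    if ($Detail.DefaultSharingLinkType -in @("Internal", "AnonymousAccess")) { $Detail }
}

foreach ($Drive in $Overrides) {
    Set-SPOSite -Identity $Drive.Url -DefaultSharingLinkType None
}
$Overrides | Select-Object Url, Owner, DefaultSharingLinkType | Format-Table -AutoSize
```

Tightening the default does not revoke links already created, so pair this with the DLP and auto-labeling policies above to catch PHI files that were shared broadly before the change.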

Teams Chat Discussions (High Risk)

The Risk: Clinical staff discussing patients in Teams channels and chats creates searchable PHI. Copilot can surface these conversations when users ask questions about patients, cases, or clinical decisions — even if the user asking is in a non-clinical department with channel access.

Mitigation: Implement information barriers between clinical and non-clinical departments. Create dedicated clinical Teams channels with restricted membership. Deploy DLP policies scanning Teams messages for PHI patterns.

Healthcare-Specific 47-Point Checklist

EPC Group's Healthcare Copilot Safety Blueprint extends our standard 47-Point Framework with HIPAA-specific controls. These additional checkpoints address PHI-specific risks that general-purpose security assessments miss entirely.

PHI Data Protection

  • PHI data classification scan across all M365 services
  • Sensitivity labels configured for PHI with encryption
  • Auto-labeling policies detecting PHI patterns (MRN, SSN, ICD codes)
  • DLP policies preventing PHI in Copilot-generated content
  • PHI retention policies aligned with state and federal requirements
  • External sharing blocked for PHI-labeled content

Access Controls

  • Information barriers between clinical and administrative departments
  • SharePoint clinical site permission inheritance audit
  • Teams clinical channel membership review
  • Shared mailbox access restricted to authorized clinical staff
  • Guest access review (vendors, contractors, referring physicians)
  • Former employee and contractor access termination verification

Clinical Workflow

  • Teams meeting recording policies for clinical meetings
  • Clinical Teams channel Copilot access configuration
  • Copilot prompt guardrails for clinical use cases
  • Clinical document template standardization
  • Care coordination workflow PHI boundary analysis
  • EHR integration data flow security review

Compliance & Audit

  • Copilot audit logging for PHI-returning queries
  • BAA validation for all M365 services in use
  • HIPAA-specific retention policies for clinical content
  • Breach notification procedure for Copilot-related PHI exposure
  • OCR investigation readiness documentation
  • Annual HIPAA security risk assessment integration

Remediation for Healthcare: Balancing Access and Protection

Healthcare remediation is uniquely challenging because restricting access too aggressively can disrupt patient care. A clinical team that loses access to shared documents mid-shift creates a patient safety issue. EPC Group's healthcare approach validates every permission change with clinical workflow analysis before implementation.

Phase 1: PHI Identification (Weeks 1-3)

Scan all M365 services for PHI using Microsoft Purview data classification and custom healthcare content types (MRN patterns, ICD-10 codes, LOINC codes). Map every location where PHI resides and who currently has access. This creates the baseline exposure map.

Phase 2: Clinical Workflow Validation (Weeks 4-6)

Before changing any permissions, validate with clinical leadership which access is required for care delivery. Map data flows between departments — referrals, care coordination, case management, discharge planning. Identify the minimum access each role needs. This prevents the common failure mode of breaking clinical workflows during remediation.

Phase 3: Permission Remediation (Weeks 7-10)

Implement permission changes in waves, starting with non-clinical sites (HR, finance, facilities) where changes carry lower patient safety risk. Deploy sensitivity labels and DLP policies. Configure information barriers between clinical and administrative departments. Validate clinical workflows after each wave.

Phase 4: Copilot Pilot (Weeks 11-14)

Deploy Copilot to 50-100 users from both clinical and administrative departments. Monitor Copilot usage logs for PHI exposure patterns. Validate that information barriers are preventing cross-department PHI leakage. Refine DLP policies based on real-world Copilot usage. Document HIPAA compliance evidence for OCR readiness.
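The usage-log monitoring in Phase 4, as an added example that is not from the article or EPC Group: an Exchange Online PowerShell script that pulls Copilot interaction audit records and flags every prompt whose grounding touched a known clinical site. The clinical site URLs are constructed placeholders, and the AccessedResources field names are assumptions to verify against the audit record schema in your own tenant.

```powershell
# Added example, not EPC Group's tooling. Assumes the ExchangeOnlineManagement module,
# an account holding the Audit Logs role, and a list of clinical site URLs taken from
# the Phase 1 exposure map (the URLs below are constructed placeholders).
Connect-ExchangeOnline

$ClinicalSites = @(
    "https://contoso.sharepoint.com/sites/Oncology",
    "https://contoso.sharepoint.com/sites/LabResults"
)

# Audit records for Copilot prompts use the CopilotInteraction record type.
# ResultSize caps at 5000; use -SessionCommand ReturnLargeSet to page beyond it.
$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
               -RecordType CopilotInteraction -ResultSize 5000

$Hits = foreach ($Record in $Records) {
    $Data = $Record.AuditData | ConvertFrom-Json
    # AccessedResources lists the items Copilot grounded its answer on. The SiteUrl
    # and Name field names are assumed from the published schema; confirm them
    # against a real record before relying on this report.
    foreach ($Resource in $Data.CopilotEventData.AccessedResources) {
        if ($ClinicalSites | Where-Object { $Resource.SiteUrl -like "$_*" }) {
            [pscustomobject]@{
                When     = $Record.CreationDate
                User     = $Record.UserIds
                Resource = $Resource.Name
                Site     = $Resource.SiteUrl
            }
        }
    }
}

# Who is reaching clinical content through Copilot, and how often. Any user
# outside the clinical roles mapped in Phase 2 is a finding to investigate.
$Hits | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
$Hits | Export-Csv -Path .\copilot-clinical-access.csv -NoTypeInformation
```

Run it on a schedule during the pilot and keep the exports; they double as the OCR-readiness evidence that Copilot access to PHI was monitored.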

EPC Group's Healthcare Track Record

  • 700+ M365 tenants secured
  • 29 years Microsoft expertise
  • 100% HIPAA audit pass rate

EPC Group's healthcare practice spans hospital systems, health insurance providers, clinical research organizations, pharmaceutical companies, and medical device manufacturers. We understand that healthcare IT is not just about security — it is about enabling clinicians to deliver patient care while protecting the data generated by that care.

Our HIPAA-Compliant Microsoft 365 Deployment Guide provides the complete framework for healthcare organizations deploying or securing M365 — from initial configuration through Copilot enablement. The Healthcare Copilot Safety Blueprint is an extension of this proven methodology, adapted for the specific risks that AI-powered search introduces to PHI-containing environments.

Frequently Asked Questions

Is Microsoft Copilot HIPAA compliant for healthcare organizations?

Yes — Microsoft Copilot for M365 is covered under Microsoft's Business Associate Agreement (BAA), which is a prerequisite for HIPAA compliance. However, the BAA only covers the platform, not your configuration. If your M365 tenant has overshared SharePoint sites containing patient records, broken permission inheritance exposing PHI, or Teams meeting recordings with clinical discussions, Copilot will surface that data to any user with access — creating HIPAA violations regardless of the BAA. HIPAA compliance requires both the BAA (platform) and proper tenant configuration (your responsibility).

Can Copilot access protected health information (PHI)?

Copilot can access any data that the user querying it has access to — including PHI stored in SharePoint, OneDrive, Exchange, and Teams. If a non-clinical employee has been inadvertently granted access to a SharePoint site containing patient records (a common finding in healthcare tenant audits), Copilot will surface that PHI in response to their queries. The risk is amplified because Copilot makes data discovery effortless — users don't need to know where PHI is stored or navigate to it. A simple prompt like "summarize recent patient discussions" could surface PHI from Teams meetings, emails, and documents across the entire tenant.

What PHI exposure risks does Copilot create in healthcare?

The top PHI exposure risks from Copilot in healthcare environments are: 1) Teams meeting recordings — clinical case discussions, patient consultations, and care coordination meetings are transcribed and searchable by Copilot, 2) SharePoint medical records — patient data stored in SharePoint libraries with overshared permissions becomes Copilot-accessible, 3) Email attachments — lab results, referral letters, and insurance documents attached to emails are indexed by Copilot, 4) OneDrive clinical notes — physicians storing patient notes in OneDrive create PHI exposure if sharing settings are misconfigured, 5) Teams chat — clinical staff discussing patients in Teams channels creates searchable PHI that Copilot can surface to anyone with channel access.

What is the healthcare-specific Copilot security checklist?

EPC Group's Healthcare 47-Point Checklist extends our standard framework with HIPAA-specific controls: PHI data classification scan across all M365 services, information barriers between clinical and administrative departments, sensitivity labels for PHI content with auto-labeling, DLP policies preventing PHI in Copilot-generated outputs, Teams meeting recording policies restricting clinical meeting transcription access, SharePoint site-level permissions audit for all clinical sites, guest access review (vendors, contractors, referring physicians), audit logging for Copilot queries that return PHI, HIPAA-specific retention policies for clinical content, and BAA validation for all M365 services in use.

How long does HIPAA-compliant Copilot deployment take for healthcare?

Healthcare organizations typically require 12-20 weeks for HIPAA-compliant Copilot deployment: Weeks 1-3 for the 47-Point Security Assessment with healthcare overlay, Weeks 4-10 for PHI-specific remediation (permission fixes, sensitivity labels, DLP policies, information barriers), Weeks 11-14 for controlled pilot with clinical champions (50-100 users from both clinical and administrative departments), and Weeks 15-20 for phased department rollout with HIPAA-specific training. This is 50-75% longer than non-healthcare deployments because PHI remediation requires clinical workflow validation — you cannot restrict access to data that clinicians need for patient care.

Does EPC Group have healthcare Copilot deployment experience?

EPC Group has deployed Microsoft 365 and Copilot for healthcare organizations including hospital systems, health insurance providers, clinical research organizations, and medical device companies. Our healthcare practice has 29 years of HIPAA compliance experience across 700+ tenant engagements. We understand the unique challenge of healthcare: balancing data accessibility for patient care with PHI protection for HIPAA compliance. Our Healthcare Copilot Safety Blueprint includes PHI-specific data classification, clinical workflow analysis, and department-level information barriers that protect PHI without disrupting care delivery.

Protect PHI Before Enabling Copilot

EPC Group performs Copilot & M365 Tenant Security Reviews for enterprises across all industries. With 700+ tenants secured and 29 years of Microsoft expertise, we identify exactly what Copilot can access that it shouldn't.

Our Healthcare Copilot Safety Blueprint includes PHI-specific data classification, clinical workflow validation, and HIPAA compliance documentation. Start with the 47-Point Security Review ($15,000).

Schedule Healthcare Security Review (888) 381-9725