About EPC Group

EPC Group is a Microsoft consulting firm founded in 1997 (originally Enterprise Project Consulting, renamed EPC Group in 2005). 29 years of enterprise Microsoft consulting experience. EPC Group historically held the distinction of being the oldest continuous Microsoft Gold Partner in North America from 2016 until the program's retirement. Because Microsoft officially deprecated the Gold/Silver tiering framework, EPC Group transitioned to the modern Microsoft Solutions Partner ecosystem and currently holds the core Microsoft Solutions Partner designations.

Headquartered at 4900 Woodway Drive, Suite 830, Houston, TX 77056. Public clients include NASA, FBI, Federal Reserve, Pentagon, United Airlines, PepsiCo, Nike, and Northrop Grumman. 6,500+ SharePoint implementations, 1,500+ Power BI deployments, 500+ Microsoft Fabric implementations, 70+ Fortune 500 organizations served, 11,000+ enterprise engagements, 200+ Microsoft Power BI and Microsoft 365 consultants on staff.

About Errin O'Connor

Errin O'Connor is the Founder, CEO, and Chief AI Architect of EPC Group. Microsoft MVP multiple years, first awarded 2003. 4× Microsoft Press bestselling author of Windows SharePoint Services 3.0 Inside Out (MS Press 2007), Microsoft SharePoint Foundation 2010 Inside Out (MS Press 2011), SharePoint 2013 Field Guide (Sams/Pearson 2014), and Microsoft Power BI Dashboards Step by Step (MS Press 2018).

Original SharePoint Beta Team member (Project Tahoe). Original Power BI Beta Team member (Project Crescent). FedRAMP framework contributor. Worked with U.S. CIO Vivek Kundra on the Obama administration's 25-Point Plan to reform federal IT, and with NASA CIO Chris Kemp as Lead Architect on the NASA Nebula Cloud project. Speaker at Microsoft Ignite, SharePoint Conference, KMWorld, and DATAVERSITY.

© 2026 EPC Group. All rights reserved. Microsoft, SharePoint, Power BI, Azure, Microsoft 365, Microsoft Copilot, Microsoft Fabric, and Microsoft Dynamics 365 are trademarks of the Microsoft group of companies.

Copilot and HIPAA: What Healthcare CIOs Must Know

The BAA covers the platform. It does not cover your broken permissions. Here is what you need to fix before Copilot touches PHI.

Microsoft signs a HIPAA BAA for M365 Copilot — but the BAA covers the platform, not your broken permissions. Before enabling Copilot for any clinical user, you must audit SharePoint permissions, classify PHI with sensitivity labels, and block unauthorized PHI access. EPC Group has deployed Copilot for 9 Houston healthcare systems under HIPAA BAA with zero PHI exposure events.

Key Facts

  • Microsoft's HIPAA BAA covers M365 Copilot when properly executed at tenant creation.
  • The BAA does not fix broken SharePoint permissions — that work is the customer's responsibility.
  • Copilot can access Teams meeting recordings, SharePoint medical records, email attachments, OneDrive clinical notes, and Teams chat discussions.
  • EPC Group's healthcare-specific 47-Point Checklist covers PHI data protection, access controls, clinical workflow, and compliance audit.
  • HIPAA-compliant Copilot deployment takes 11–14 weeks across four phases.
  • 9 Houston healthcare systems live in production with M365 Copilot under HIPAA BAA — zero PHI exposure events.

HIPAA + Copilot: The BAA Covers the Platform

Quick Answer: Yes, Microsoft Copilot for M365 is covered under Microsoft's Business Associate Agreement (BAA). Microsoft processes Copilot queries within the M365 compliance boundary and does not use your data to train foundation models. The BAA covers the platform. But the BAA does not cover your tenant configuration — and that is where every healthcare HIPAA violation with Copilot originates.

Healthcare CIOs asking “Is Copilot HIPAA compliant?” are asking the wrong question. The right question is: “Is our Microsoft 365 tenant configured so that Copilot cannot expose PHI to unauthorized users?” For the vast majority of healthcare organizations we audit, the answer is no.

Microsoft's BAA ensures that the platform infrastructure — data encryption, data residency, access controls at the service level — meets HIPAA requirements. But Copilot inherits the permissions of each individual user. If your SharePoint sites have broken permission inheritance, if your Teams meeting recordings are accessible to all channel members, if your email attachments containing lab results are in shared mailboxes with broad access — Copilot will surface that PHI to anyone who asks.

EPC Group has deployed M365 and Copilot for healthcare organizations for over 29 years. Our Healthcare Copilot Safety Blueprint addresses the unique challenge of healthcare: protecting PHI while maintaining the data accessibility clinicians need for patient care.

But the BAA Does Not Cover Broken Permissions

The Core Problem: In healthcare tenant audits, EPC Group finds an average of 12-18 SharePoint sites containing PHI with overshared permissions. This means non-clinical staff — HR, finance, facilities, IT — can access patient records, lab results, and clinical documentation. Before Copilot, this was a latent risk. With Copilot, it becomes an active HIPAA violation the moment a non-clinical employee asks Copilot a question and it surfaces PHI from an overshared site.

The distinction matters legally. Under HIPAA, a covered entity is responsible for implementing appropriate administrative, physical, and technical safeguards for PHI. The BAA makes Microsoft a business associate responsible for platform-level safeguards. But tenant-level access controls — who can access which SharePoint sites, which Teams channels, which shared mailboxes — are the covered entity's responsibility.

When OCR investigates a PHI breach, they examine whether the covered entity implemented reasonable access controls. “We have a BAA with Microsoft” does not demonstrate that you restricted PHI access to authorized users. Copilot surfacing patient records to a facilities manager because their account has access to a clinical SharePoint site is a failure of your access controls, not Microsoft's platform.

Real Scenario: A 3,000-employee hospital system deployed Copilot without a permission audit. Within two weeks, an HR analyst used Copilot to research employee benefits and received a response that included patient treatment notes from a SharePoint site shared with “Everyone except external users.” The site was created 4 years earlier by a clinical department that needed quick collaboration — and the broad permissions were never revoked. This single query constituted a HIPAA violation exposing 47 patient records.

PHI Exposure Risks: Where Copilot Finds Patient Data

Copilot searches across all M365 services a user has access to. In healthcare environments, PHI exists in every service — and permission gaps create exposure paths that did not exist before Copilot.

Teams Meeting Recordings

Risk level: Critical

The risk: Clinical case conferences, patient consultations, and care coordination meetings are automatically transcribed. Copilot indexes these transcriptions and can surface patient names, diagnoses, treatment plans, and medication discussions to any user with access to the Teams channel or meeting recording.

Mitigation: Restrict meeting recording access to meeting organizers and designated compliance staff. Implement sensitivity labels on clinical meeting recordings. Configure retention policies to auto-delete transcriptions after the review period.

SharePoint Medical Records

Risk level: Critical

The risk: Patient records, lab results, imaging reports, and clinical documentation stored in SharePoint are fully searchable by Copilot. Sites with broken permission inheritance or "Everyone except external users" access grant organization-wide PHI exposure.

Mitigation: Audit all clinical SharePoint sites for permission inheritance breaks. Remove broad-scope permissions. Apply sensitivity labels with encryption. Implement site-level access reviews on a 90-day cycle.

Email Attachments

Risk level: High

The risk: Lab results, referral letters, insurance authorizations, and patient correspondence sent as email attachments are indexed by Copilot. Shared mailboxes used by clinical departments are particularly high-risk — Copilot can surface any attachment from a shared mailbox to any user with mailbox access.

Mitigation: Deploy DLP policies scanning email attachments for PHI patterns (MRN, SSN, diagnostic codes). Configure sensitivity labels for clinical email. Restrict shared mailbox access to authorized clinical staff only.

OneDrive Clinical Notes

Risk level: High

The risk: Physicians and clinical staff frequently store patient notes, care plans, and clinical documentation in OneDrive for convenience. If OneDrive sharing defaults are set to "People in your organization," these files become Copilot-accessible to everyone.

Mitigation: Change OneDrive sharing defaults to "Specific people" only. Deploy auto-labeling policies that detect PHI in OneDrive files. Configure DLP policies blocking broad sharing of PHI-containing documents.

Teams Chat Discussions

Risk level: High

The risk: Clinical staff discussing patients in Teams channels and chats creates searchable PHI. Copilot can surface these conversations when users ask questions about patients, cases, or clinical decisions — even if the user asking is in a non-clinical department with channel access.

Mitigation: Implement information barriers between clinical and non-clinical departments. Create dedicated clinical Teams channels with restricted membership. Deploy DLP policies scanning Teams messages for PHI patterns.

Healthcare-Specific 47-Point Checklist

EPC Group's Healthcare Copilot Safety Blueprint extends our standard 47-Point Framework with HIPAA-specific controls. These additional checkpoints address PHI-specific risks that general-purpose security assessments miss entirely.

PHI Data Protection

  • PHI data classification scan across all M365 services
  • Sensitivity labels configured for PHI with encryption
  • Auto-labeling policies detecting PHI patterns (MRN, SSN, ICD codes)
  • DLP policies preventing PHI in Copilot-generated content
  • PHI retention policies aligned with state and federal requirements
  • External sharing blocked for PHI-labeled content

Access Controls

  • Information barriers between clinical and administrative departments
  • SharePoint clinical site permission inheritance audit
  • Teams clinical channel membership review
  • Shared mailbox access restricted to authorized clinical staff
  • Guest access review (vendors, contractors, referring physicians)
  • Former employee and contractor access termination verification

Clinical Workflow

  • Teams meeting recording policies for clinical meetings
  • Clinical Teams channel Copilot access configuration
  • Copilot prompt guardrails for clinical use cases
  • Clinical document template standardization
  • Care coordination workflow PHI boundary analysis
  • EHR integration data flow security review

Compliance & Audit

  • Copilot audit logging for PHI-returning queries
  • BAA validation for all M365 services in use
  • HIPAA-specific retention policies for clinical content
  • Breach notification procedure for Copilot-related PHI exposure
  • OCR investigation readiness documentation
  • Annual HIPAA security risk assessment integration

Remediation for Healthcare: Balancing Access and Protection

Healthcare remediation is uniquely challenging because restricting access too aggressively can disrupt patient care. A clinical team that loses access to shared documents mid-shift creates a patient safety issue. EPC Group's healthcare approach validates every permission change with clinical workflow analysis before implementation.

Phase 1: PHI Identification (Weeks 1-3)

Scan all M365 services for PHI using Microsoft Purview data classification and custom healthcare content types (MRN patterns, ICD-10 codes, LOINC codes). Map every location where PHI resides and who currently has access. This creates the baseline exposure map.

Phase 2: Clinical Workflow Validation (Weeks 4-6)

Before changing any permissions, validate with clinical leadership which access is required for care delivery. Map data flows between departments — referrals, care coordination, case management, discharge planning. Identify the minimum access each role needs. This prevents the common failure mode of breaking clinical workflows during remediation.

Phase 3: Permission Remediation (Weeks 7-10)

Implement permission changes in waves, starting with non-clinical sites (HR, finance, facilities) where changes carry lower patient safety risk. Deploy sensitivity labels and DLP policies. Configure information barriers between clinical and administrative departments. Validate clinical workflows after each wave.

Phase 4: Copilot Pilot (Weeks 11-14)

Deploy Copilot to 50-100 users from both clinical and administrative departments. Monitor Copilot usage logs for PHI exposure patterns. Validate that information barriers are preventing cross-department PHI leakage. Refine DLP policies based on real-world Copilot usage. Document HIPAA compliance evidence for OCR readiness.

EPC Group's Healthcare Track Record

  • 700+ M365 tenants secured
  • 29 years of Microsoft expertise
  • 100% HIPAA audit pass rate

EPC Group's healthcare practice spans hospital systems, health insurance providers, clinical research organizations, pharmaceutical companies, and medical device manufacturers. We understand that healthcare IT is not just about security — it is about enabling clinicians to deliver patient care while protecting the data generated by that care.

Our HIPAA-Compliant Microsoft 365 Deployment Guide provides the complete framework for healthcare organizations deploying or securing M365 — from initial configuration through Copilot enablement. The Healthcare Copilot Safety Blueprint is an extension of this proven methodology, adapted for the specific risks that AI-powered search introduces to PHI-containing environments.

Frequently Asked Questions

Is Microsoft Copilot HIPAA compliant for healthcare organizations?

Yes — Microsoft Copilot for M365 is covered under Microsoft's Business Associate Agreement (BAA), which is a prerequisite for HIPAA compliance. However, the BAA only covers the platform, not your configuration. If your M365 tenant has overshared SharePoint sites containing patient records, broken permission inheritance exposing PHI, or Teams meeting recordings with clinical discussions, Copilot will surface that data to any user with access — creating HIPAA violations regardless of the BAA. HIPAA compliance requires both the BAA (platform) and proper tenant configuration (your responsibility).

Can Copilot access protected health information (PHI)?

Copilot can access any data that the user querying it has access to — including PHI stored in SharePoint, OneDrive, Exchange, and Teams. If a non-clinical employee has been inadvertently granted access to a SharePoint site containing patient records (a common finding in healthcare tenant audits), Copilot will surface that PHI in response to their queries. The risk is amplified because Copilot makes data discovery effortless — users don't need to know where PHI is stored or navigate to it. A simple prompt like "summarize recent patient discussions" could surface PHI from Teams meetings, emails, and documents across the entire tenant.

What PHI exposure risks does Copilot create in healthcare?

The top PHI exposure risks from Copilot in healthcare environments are:

  • Teams meeting recordings: clinical case discussions, patient consultations, and care coordination meetings are transcribed and searchable by Copilot.
  • SharePoint medical records: patient data stored in SharePoint libraries with overshared permissions becomes Copilot-accessible.
  • Email attachments: lab results, referral letters, and insurance documents attached to emails are indexed by Copilot.
  • OneDrive clinical notes: physicians storing patient notes in OneDrive create PHI exposure if sharing settings are misconfigured.
  • Teams chat: clinical staff discussing patients in Teams channels creates searchable PHI that Copilot can surface to anyone with channel access.

What is the healthcare-specific Copilot security checklist?

EPC Group's Healthcare 47-Point Checklist extends our standard framework with HIPAA-specific controls: PHI data classification scan across all M365 services, information barriers between clinical and administrative departments, sensitivity labels for PHI content with auto-labeling, DLP policies preventing PHI in Copilot-generated outputs, Teams meeting recording policies restricting clinical meeting transcription access, SharePoint site-level permissions audit for all clinical sites, guest access review (vendors, contractors, referring physicians), audit logging for Copilot queries that return PHI, HIPAA-specific retention policies for clinical content, and BAA validation for all M365 services in use.

How long does HIPAA-compliant Copilot deployment take for healthcare?

Healthcare organizations typically require 12-20 weeks for HIPAA-compliant Copilot deployment: Weeks 1-3 for the 47-Point Security Assessment with healthcare overlay, Weeks 4-10 for PHI-specific remediation (permission fixes, sensitivity labels, DLP policies, information barriers), Weeks 11-14 for controlled pilot with clinical champions (50-100 users from both clinical and administrative departments), and Weeks 15-20 for phased department rollout with HIPAA-specific training. This is 50-75% longer than non-healthcare deployments because PHI remediation requires clinical workflow validation — you cannot restrict access to data that clinicians need for patient care.

Does EPC Group have healthcare Copilot deployment experience?

EPC Group has deployed Microsoft 365 and Copilot for healthcare organizations including hospital systems, health insurance providers, clinical research organizations, and medical device companies. Our healthcare practice has 29 years of HIPAA compliance experience across 700+ tenant engagements. We understand the unique challenge of healthcare: balancing data accessibility for patient care with PHI protection for HIPAA compliance. Our Healthcare Copilot Safety Blueprint includes PHI-specific data classification, clinical workflow analysis, and department-level information barriers that protect PHI without disrupting care delivery.

Protect PHI Before Enabling Copilot

EPC Group performs Copilot & M365 Tenant Security Reviews for enterprises across all industries. With 700+ tenants secured and 29 years of Microsoft expertise, we identify exactly what Copilot can access that it shouldn't.

Our Healthcare Copilot Safety Blueprint includes PHI-specific data classification, clinical workflow validation, and HIPAA compliance documentation. Start with the 47-Point Security Review ($15,000).

Schedule Healthcare Security Review (888) 381-9725

Copilot and HIPAA: Healthcare Deployment Security Guide 2026

The BAA Covers the Platform — Not Broken Permissions

Microsoft's HIPAA Business Associate Agreement covers the M365 platform. It does not cover your permissions configuration. If a nurse has access to an orthopedic surgeon's patient roster because someone forgot to fix an inherited SharePoint permission, Copilot will surface that data when the nurse asks a general question.

The BAA is necessary. It is not sufficient. The permissions work is yours to do before any Copilot license goes live.

PHI Exposure Risks: Where Copilot Finds Patient Data

Teams Meeting Recordings

The risk: Clinical discussions, patient case reviews, and M&A strategy meetings are recorded in Teams. Recordings are stored in OneDrive. Any user with access to that OneDrive folder can ask Copilot to summarize the recording.

Mitigation:

  • Apply sensitivity labels to all clinical meeting recordings.
  • Restrict recording storage to a governed Teams channel with clinical-only membership.
  • Disable Copilot summarization for meetings flagged as clinical via meeting policies.

SharePoint Medical Records

The risk: Medical record libraries with broken permission inheritance grant access to clinical staff beyond the intended care team. Copilot surfaces this content when any authorized user queries related topics.

Mitigation:

  • Audit permission inheritance across all SharePoint clinical sites.
  • Apply PHI sensitivity labels with encryption — only authorized users can open encrypted content.
  • Implement information barriers between clinical and administrative departments.

Email Attachments

The risk: PHI shared as email attachments in Outlook is indexed by Copilot. Clinical staff can ask Copilot to summarize attachments from emails they received — even if those attachments were not intended for broad access.

Mitigation:

  • Apply auto-labeling to classify PHI in email attachments.
  • Configure DLP policies to block PHI attachment forwarding to non-clinical users.
  • Restrict Copilot in Outlook from summarizing PHI-labeled attachments for users without clinical access roles.

OneDrive Clinical Notes

The risk: Clinicians store patient notes in personal OneDrive folders, sometimes using shared-with-everyone links for quick access. Copilot indexes these files across the tenant.

Mitigation:

  • Block company-wide sharing links for PHI-labeled content.
  • Audit OneDrive files shared beyond the immediate care team.
  • Move clinical notes from personal OneDrive to governed SharePoint clinical sites.
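As an added example (not EPC Group's tooling or any script from this page), the PnP PowerShell audit below implements the SharePoint permission audit and the OneDrive sharing-default check described above: it flags the tenant-wide "People in your organization" default, role assignments or SharePoint groups that resolve to "Everyone except external users", and libraries that broke inheritance. The admin URL, app registration, tenant, certificate path and report path are placeholders you must replace.

```powershell
# Added example, not part of the original article. Assumes PnP.PowerShell and an
# Entra app registration with a certificate (app-only) so every site can be opened
# without an interactive prompt per site. All values below are placeholders.
Import-Module PnP.PowerShell

$AdminUrl = "https://contoso-admin.sharepoint.com"      # placeholder
$AppId    = "00000000-0000-0000-0000-000000000000"      # placeholder app registration
$Tenant   = "contoso.onmicrosoft.com"                   # placeholder
$CertPath = "C:\certs\pnp-audit.pfx"                    # placeholder
$Report   = "C:\audit\phi-oversharing.csv"              # placeholder

function Connect-Scope([string]$Url) {
    Connect-PnPOnline -Url $Url -ClientId $AppId -Tenant $Tenant `
        -CertificatePath $CertPath -ReturnConnection
}

# Claim fragments that make content reachable by every internal account, and
# therefore by Copilot on behalf of every internal account.
$BroadClaims = @('spo-grid-all-users', 'c:0(.s|true')   # "Everyone except external users", "Everyone"

function Test-BroadClaim([string]$LoginName) {
    foreach ($c in $BroadClaims) { if ($LoginName -like "*$c*") { return $true } }
    return $false
}

# 1. Tenant defaults. "People in your organization" is DefaultSharingLinkType=Internal;
#    the article's recommended "Specific people" default is Direct.
$admin  = Connect-Scope $AdminUrl
$tenant = Get-PnPTenant -Connection $admin
if ($tenant.DefaultSharingLinkType -ne 'Direct') {
    Write-Warning "DefaultSharingLinkType is $($tenant.DefaultSharingLinkType); expected Direct"
    # Remediation, to run only after clinical workflow validation:
    # Set-PnPTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View -Connection $admin
}
if ($tenant.ShowEveryoneExceptExternalUsersClaim -or $tenant.ShowAllUsersClaim) {
    Write-Warning "Broad claims are still offered in the people picker"
    # Set-PnPTenant -ShowEveryoneExceptExternalUsersClaim $false -ShowAllUsersClaim $false -Connection $admin
}

# 2. Per-site scan. Narrow the Where-Object filter to the clinical sites mapped in Phase 1.
$sites = Get-PnPTenantSite -Connection $admin | Where-Object { $_.Template -notlike 'REDIRECT*' }
$findings = foreach ($site in $sites) {
    $conn = Connect-Scope $site.Url
    $web  = Get-PnPWeb -Connection $conn

    # Direct role assignments on the site itself
    $ras = Get-PnPProperty -ClientObject $web -Property RoleAssignments -Connection $conn
    foreach ($ra in $ras) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member -Connection $conn
        if (Test-BroadClaim $member.LoginName) {
            [pscustomobject]@{ Site = $site.Url; Scope = 'Web'; Finding = 'BroadClaim'; Principal = $member.Title }
        }
    }
    # Broad claims nested in SharePoint groups (the usual way "Everyone except external users" gets in)
    foreach ($grp in Get-PnPGroup -Connection $conn) {
        foreach ($m in Get-PnPGroupMember -Group $grp -Connection $conn) {
            if (Test-BroadClaim $m.LoginName) {
                [pscustomobject]@{ Site = $site.Url; Scope = "Group:$($grp.Title)"; Finding = 'BroadClaim'; Principal = $m.Title }
            }
        }
    }
    # Libraries that broke inheritance: each one needs its own permission review
    foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments -Connection $conn) {
        if ($list.HasUniqueRoleAssignments -and -not $list.Hidden) {
            [pscustomobject]@{ Site = $site.Url; Scope = "List:$($list.Title)"; Finding = 'UniquePermissions'; Principal = '' }
        }
    }
}

$findings | Export-Csv -Path $Report -NoTypeInformation
"$(@($findings).Count) findings written to $Report"
```

The remediation cmdlets are left commented out on purpose: the article's Phase 2 requires clinical workflow validation before any permission or default changes, so the script only reports.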

Teams Chat Discussions

The risk: Clinical Teams chats containing patient information are searchable by Copilot across the tenant. A user in a different department can ask Copilot to summarize recent clinical discussions.

Mitigation:

  • Implement information barriers that prevent Teams chat search across clinical and administrative groups.
  • Apply retention policies to clinical Teams chats per HIPAA retention requirements.
  • Configure sensitivity labels on Teams channels to restrict Copilot summarization to authorized users.
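The information barriers recommended for Teams chat above (and in the SharePoint and access-control sections) can be declared from Security & Compliance PowerShell. This is an added example, not EPC Group's configuration; it assumes the Entra ID Department attribute is populated with the placeholder values "Clinical" and "Administrative", the account holds the IB Compliance Management role, and the two test mailboxes are placeholders.

```powershell
# Added example, not part of the original article. Segments and reciprocal blocking
# policies between clinical and administrative staff; blocking must be declared from
# both sides, and policies are created inactive so they can be reviewed first.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell

# Segment membership is evaluated from a user attribute filter (placeholder Department values).
New-OrganizationSegment -Name "Clinical"       -UserGroupFilter "Department -eq 'Clinical'"
New-OrganizationSegment -Name "Administrative" -UserGroupFilter "Department -eq 'Administrative'"

New-InformationBarrierPolicy -Name "Clinical-Blocks-Administrative" `
    -AssignedSegment "Clinical" -SegmentsBlocked "Administrative" -State Inactive
New-InformationBarrierPolicy -Name "Administrative-Blocks-Clinical" `
    -AssignedSegment "Administrative" -SegmentsBlocked "Clinical" -State Inactive

# Activate only after clinical workflow validation (Phase 2 in the timeline), then apply.
Set-InformationBarrierPolicy -Identity "Clinical-Blocks-Administrative" -State Active
Set-InformationBarrierPolicy -Identity "Administrative-Blocks-Clinical" -State Active
Start-InformationBarrierPoliciesApplication

# Application runs in the background; poll it with an upper bound so the script cannot hang.
$attempts = 0
do {
    Start-Sleep -Seconds 60
    $status = Get-InformationBarrierPoliciesApplicationStatus
    $attempts++
} while ($status.Status -notin @('Completed', 'Failed') -and $attempts -lt 60)
$status | Format-List Status, StartTime, EndTime

# Verify a concrete pair: reports whether IB allows these two accounts to communicate (placeholders).
Get-InformationBarrierRecipientStatus -Identity "nurse@contoso.com" -Identity2 "hr.analyst@contoso.com"
```

The status value names checked in the polling loop are an assumption about the cmdlet's output; confirm them against your tenant's first run before relying on the loop.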

Healthcare-Specific 47-Point Checklist

PHI Data Protection

  • PHI data classification scan across all M365 services
  • Sensitivity labels configured for PHI with encryption
  • Auto-labeling policies detecting PHI patterns (MRN, SSN, ICD codes)
  • DLP policies preventing PHI in Copilot-generated content
  • PHI retention policies aligned with state and federal requirements
  • External sharing blocked for PHI-labeled content

Access Controls

  • Information barriers between clinical and administrative departments
  • SharePoint clinical site permission inheritance audit
  • Teams clinical channel membership review
  • Shared mailbox access restricted to authorized clinical staff
  • Guest access revoked from all clinical sites and channels
  • Conditional Access policy targeting Copilot-licensed clinical users

Clinical Workflow

  • Copilot meeting policies configured per meeting type (clinical vs administrative)
  • Teams recording policies reviewed for clinical channels
  • OneDrive clinical notes migration to governed SharePoint sites
  • Copilot in Outlook restricted for PHI-heavy clinical inboxes

Compliance and Audit

  • Microsoft HIPAA BAA executed
  • Audit (Premium) enabled for 6-year log retention
  • Copilot interaction logs enabled for PHI access review
  • Monthly compliance report covering Copilot PHI access events
  • Annual HIPAA risk assessment updated to include Copilot scope
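The "Copilot interaction logs enabled for PHI access review" and "Copilot audit logging for PHI-returning queries" checkpoints above become actionable once someone reads the log. This added example (not EPC Group's tooling) pulls CopilotInteraction records from the unified audit log and keeps only interactions whose accessed resources carry the PHI sensitivity label, so each can be checked against the user's clinical role. It assumes Audit is enabled, the ExchangeOnlineManagement module, and a PHI label GUID (placeholder); the AccessedResources field names are those documented for the CopilotInteraction record.

```powershell
# Added example, not part of the original article. Placeholders: the PHI label GUID
# and the output path. Field names follow the documented CopilotInteraction schema.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$PhiLabelId = "00000000-0000-0000-0000-000000000000"   # placeholder: GUID of your PHI sensitivity label
$OutFile    = "C:\audit\copilot-phi-access.csv"         # placeholder

function Get-PhiCopilotEvents {
    param([datetime]$Start, [datetime]$End, [string]$LabelId)

    # Page through the log with a session so windows larger than one result set are not truncated.
    $sessionId = [guid]::NewGuid().ToString()
    $records   = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
                    -RecordType CopilotInteraction -SessionId $sessionId `
                    -SessionCommand ReturnLargeSet -ResultSize 5000
        $records += @($page)
    } while (@($page).Count -eq 5000)

    foreach ($rec in $records) {
        $data      = $rec.AuditData | ConvertFrom-Json
        $resources = @($data.CopilotEventData.AccessedResources)
        # Keep only interactions that pulled at least one PHI-labeled resource into the answer.
        $phi = $resources | Where-Object { $_.SensitivityLabelId -eq $LabelId }
        if ($phi) {
            [pscustomobject]@{
                When     = $rec.CreationDate
                User     = $rec.UserIds
                AppHost  = $data.CopilotEventData.AppHost        # e.g. Teams, Word, Outlook
                PhiFiles = ($phi | ForEach-Object { $_.Name }) -join '; '
            }
        }
    }
}

$events = Get-PhiCopilotEvents -Start (Get-Date).AddDays(-7) -End (Get-Date) -LabelId $PhiLabelId
$events | Sort-Object When | Export-Csv -Path $OutFile -NoTypeInformation

# Triage view: users with the most PHI-returning interactions go to the clinical access review first.
$events | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name -First 20
```

Users on this list who are outside clinical roles are the concrete cases the article's access-review and breach-notification checkpoints exist for.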

HIPAA-Compliant Copilot Deployment Timeline

Phase 1: PHI Identification (Weeks 1–3)

  • Run Purview Content Explorer scan to identify PHI across all M365 services
  • Map PHI locations: SharePoint sites, Teams channels, OneDrive folders, shared mailboxes
  • Score PHI exposure risk by location and access breadth

Phase 2: Clinical Workflow Validation (Weeks 4–6)

  • Interview clinical department leads on data access requirements
  • Map legitimate clinical access patterns to permissions
  • Identify Copilot use cases that clinical staff want to enable

Phase 3: Permission Remediation (Weeks 7–10)

  • Apply PHI sensitivity labels and enforce encryption
  • Fix SharePoint inheritance breaks on clinical sites
  • Implement information barriers
  • Deploy DLP policies for Copilot output
  • Configure meeting policies per meeting type

Phase 4: Copilot Pilot (Weeks 11–14)

  • Assign Copilot licenses to a clinical pilot group (25–50 users)
  • Monitor for PHI exposure events in Purview and Sentinel
  • Collect clinical user feedback on workflow integration
  • Expand to broader clinical population after two clean monitoring weeks

EPC Group's Healthcare Track Record

  • 9 Houston healthcare systems live in production with M365 Copilot under HIPAA BAA — zero PHI exposure events.
  • 700+ M365 tenants secured for Copilot deployment nationwide.
  • 29 years of healthcare IT consulting on Microsoft platforms.
  • HIPAA-compliant Microsoft 365 implementations across hospital systems, physician groups, and healthcare payers.

Frequently Asked Questions

Is Microsoft Copilot HIPAA compliant for healthcare organizations?

Yes, when properly configured. Microsoft signs a HIPAA BAA for M365 Copilot. The BAA covers the platform. Healthcare organizations must still audit SharePoint permissions, classify PHI with sensitivity labels, deploy DLP, and implement information barriers before enabling Copilot for clinical users.

Can Copilot access protected health information?

Yes. Copilot accesses any content the user has permission to reach — including PHI in SharePoint, Teams recordings, email attachments, and OneDrive. If permissions are broken, Copilot will surface PHI to users who should not have access.

What PHI exposure risks does Copilot create in healthcare?

The five main PHI exposure vectors are: Teams meeting recordings with clinical discussions, SharePoint medical records with broken permission inheritance, email attachments containing PHI, OneDrive clinical notes with broad sharing links, and Teams chat discussions accessed across department boundaries.

How long does HIPAA-compliant Copilot deployment take?

EPC Group's four-phase process takes 11–14 weeks. PHI identification and clinical workflow validation take weeks 1–6. Permission remediation runs weeks 7–10. The clinical pilot with monitoring runs weeks 11–14.

Does EPC Group have healthcare Copilot deployment experience?

Yes. EPC Group has deployed M365 Copilot for 9 Houston healthcare systems under HIPAA BAA with zero PHI exposure events. We have secured 700+ Microsoft 365 tenants for Copilot deployment nationwide.

Protect PHI Before Enabling Copilot

EPC Group's healthcare Copilot team covers permissions, PHI classification, clinical workflow validation, and HIPAA audit documentation. Call (888) 381-9725 or schedule a healthcare Copilot readiness review.