Sharepoint and HIPAA Compliance

by | Feb 22, 2018

A web-based document management and storage system, SharePoint is one of the most popular leading collaborative services available, used by 78% of Fortune 500 firms. The service relies on Microsoft’s OpenXML document standard and therefore integrates seamlessly with the Microsoft Office platform.

SharePoint provides many similar functions to Google Drive and Dropbox – although SharePoint is considered to be a much more versatile platform that can also be integrated with internet portals and intranet sites, and can make up the foundations of a CRM system.

With such a wide variety of functions it a good match for healthcare groups. However it must be considered if it is HIPAA compliant. Does the platform include all the necessary security features needed under HIPAA regulations.

The first consideration to make is the suitability of a platform for use in healthcare sector in the United States is if the platform supplier will complete a business associate agreement with a HIPAA covered body or one of its business associates. Without a BAA, a platform must not be used in tandem with any protected health information (PHI).

Microsoft is willing to sign a business associate agreement with HIPAA covered entities for Office 365 and Yammer, but does this include SharePoint?

Microsoft states on its official website that SharePoint Online supports HIPAA compliance when paired with Office 365 Enterprise, and that its BAA for Office 365 Enterprise does incorporate SharePoint Online.

While no software service can be completely HIPAA compliant, SharePoint does include the necessary administrative and technical security measures to adhere with HIPAA rules, and HIPAA covered entities can use the service in a HIPAA compliant fashion.

Microsoft will also make sure it meets its duties as a business associate, but it is the duty of users to ensure HIPAA rules are complied with and that the platform is configured properly. Covered entities must set access controls for people, audit controls must be implemented, logs must be reviewed, appropriate security controls set up, and users must receive training on using the platform compliantly when sharing PHI.

If a BAA is completed, the platform is set up and used properly, SharePoint can be thought of as HIPAA compliant document management, document storage, and collaborative service.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy