Sharepoint and HIPAA Compliance

A web-based document management and storage system, SharePoint is one of the most popular leading collaborative services available, used by 78% of Fortune 500 firms. The service relies on Microsoft’s OpenXML document standard and therefore integrates seamlessly with the Microsoft Office platform.

SharePoint provides many similar functions to Google Drive and Dropbox – although SharePoint is considered to be a much more versatile platform that can also be integrated with internet portals and intranet sites, and can make up the foundations of a CRM system.

With such a wide variety of functions it a good match for healthcare groups. However it must be considered if it is HIPAA compliant. Does the platform include all the necessary security features needed under HIPAA regulations.

The first consideration to make is the suitability of a platform for use in healthcare sector in the United States is if the platform supplier will complete a business associate agreement with a HIPAA covered body or one of its business associates. Without a BAA, a platform must not be used in tandem with any protected health information (PHI).

Microsoft is willing to sign a business associate agreement with HIPAA covered entities for Office 365 and Yammer, but does this include SharePoint?

Microsoft states on its official website that SharePoint Online supports HIPAA compliance when paired with Office 365 Enterprise, and that its BAA for Office 365 Enterprise does incorporate SharePoint Online.

While no software service can be completely HIPAA compliant, SharePoint does include the necessary administrative and technical security measures to adhere with HIPAA rules, and HIPAA covered entities can use the service in a HIPAA compliant fashion.

Microsoft will also make sure it meets its duties as a business associate, but it is the duty of users to ensure HIPAA rules are complied with and that the platform is configured properly. Covered entities must set access controls for people, audit controls must be implemented, logs must be reviewed, appropriate security controls set up, and users must receive training on using the platform compliantly when sharing PHI.

If a BAA is completed, the platform is set up and used properly, SharePoint can be thought of as HIPAA compliant document management, document storage, and collaborative service.