Sharepoint and HIPAA Compliance

A web-based document management and storage system, SharePoint is one of the most popular leading collaborative services available, used by 78% of Fortune 500 firms. The service is relies on Microsoft’s OpenXML document standard and therefore integrates seamlessly with the Microsoft Office platform.

SharePoint provides many similar functions to Google Drive and Dropbox, although SharePoint is a much stronger platform and can also be implemented for internet portals, intranet sites and can make up the foundations of a CRM system.

With such a wide variety of functions it a good match for healthcare groups. However it must be considered if it is HIPAA compliant. Does the platform incclude all the necessary duties and security features needed under HIPAA regulations.

The first consideration to make is the suitability of a platform for use in healthcare sector in the United States is if the platform supplier will complete a business associate agreement with a HIPAA covered body or one of its business associates. Without a BAA, a platform must not be used in tandem with any protected health information (PHI).

Microsoft is willing to sign a business associate agreement with HIPAA covered bodies for Office 365 and Yammer, but does this include SharePoint?

Microsoft states on its official website that SharePoint Online supports HIPAA compliance when paired with Office 365 Enterprise, and that its BAA for Office 365 Enterprise does incorporate SharePoint Online.

While no software service can be completely HIPAA compliant, SharePoint does include the necessary administrative and technical security measures to adhere with meet HIPAA Rules and HIPAA covered bodies can use the service in a HIPAA compliant fashion.

Microsoft will also make sure that it meets its duties as a business associate, but it is the duty of users to ensure that HIPAA Rules are adhered to and the platform is configured properly. Covered bodies must set access controls for people or roles, audit controls must be implemented, logs must be reviewed, appropriate security controls set up, and users must receive training on using the platform and the limitations of HIPAA.

If a BAA is completed, the platform is set up and used properly, SharePoint can be thought of as HIPAA compliant document management, document storage, and collaborative service.