Is SharePoint HIPAA Compliant?

January 10, 2020

SharePoint’s collaboration features make it one of the most widely used platforms among Fortune 500 companies, 78% of which use the web-based document management and storage system. As a Microsoft product, SharePoint integrates easily with Microsoft Office. The platform is particularly appealing to healthcare organizations because SharePoint can serve as the base for a CRM system. However, before healthcare organizations can adopt it, they must ensure that adequate safeguards are in place to secure protected health information (PHI). The question therefore becomes: is SharePoint HIPAA compliant?

SharePoint and Business Associate Agreements

Before working with a vendor, organizations that work in healthcare must secure a business associate agreement (BAA). A BAA is a contract stating that both parties will adhere to HIPAA standards and that each party is responsible for its own compliance. A BAA limits the liability of both parties in the event of a breach, as it lays out the responsibilities of each party.

As such, organizations wishing to use SharePoint must sign a business associate agreement with Microsoft before they are permitted to use SharePoint in conjunction with PHI. Large corporations usually have a standard BAA that organizations may use. Microsoft’s BAA for Office 365 covers SharePoint when organizations use it along with Office 365 Enterprise.

Is SharePoint HIPAA Compliant?

SharePoint can be used in a HIPAA-compliant manner; however, users must configure the platform correctly in order to use it for PHI. SharePoint has the safeguards needed to protect sensitive information in accordance with HIPAA standards, but it is up to healthcare organizations to ensure that these safeguards are configured properly.

The Health Insurance Portability and Accountability Act (HIPAA) mandates the following:

  • Access controls: determine whether or not an employee has access to certain information. Access to PHI should only be granted to those who need to view the information to fulfill their job requirements.
  • Audit controls: track and monitor who accesses what information and for how long. Audit controls ensure that if a system is accessed by an unauthorized individual, it will be detected quickly.
  • Security controls: ensure that PHI is properly safeguarded to prevent unauthorized access to the sensitive information.
  • Training: employee training is essential whenever new technology is implemented in an organization. Before employees use software, they must receive training on how it can be used in accordance with HIPAA standards.

Whenever an organization working in healthcare is deciding which technology to use to streamline its business processes, it is important to determine whether that technology is HIPAA compliant. An organization that would like to use SharePoint in a HIPAA-compliant manner must first sign a BAA and then configure the software properly.

Need Assistance with your HIPAA Compliance?

Compliancy Group can help! Our cloud-based compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere that has an internet connection. Our expert Compliance Coaches™ will guide you through our six stage implementation process enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance.