Is SharePoint HIPAA compliant?

Yes, SharePoint can be HIPAA compliant when used correctly. Microsoft offers a Business Associate Agreement (BAA) and includes necessary security measures like encryption and access controls, but healthcare organizations must configure SharePoint settings properly and ensure that their usage complies with HIPAA requirements.

How does SharePoint work?

SharePoint manages and stores documents and allows different teams or individuals to collaborate on and edit them via a web-based platform. Many companies use intranets that are built using SharePoint, and it allows for easy uploading and downloading of Microsoft Office documents such as Word, PowerPoint or Excel files.

SharePoint can be used in a similar fashion to cloud storage systems such as Google Drive or Dropbox, but it offers a host of other functionalities that allow it to be used to build internet portals, and it can even support basic systems to manage Customer Relations.

Given this extensive range of uses, it is no wonder that companies involved in healthcare would be interested in adding SharePoint to their toolboxes. Unlike in other industries, however, these organizations must first ensure that SharePoint is HIPAA compliant, or at least that it contains the necessary functionalities and settings to enable a HIPAA compliant SharePoint environment to be created.

SharePoint, Microsoft, and Business Associate Agreements

As with any other software or service, a fundamental step in ensuring HIPAA compliance is establishing a Business Associate Agreement (BAA) between the HIPAA covered entity and the service provider. This is a prerequisite before any protected health information (PHI) can be used with the system.

Microsoft will sign BAAs for many of its services, for example Office 365 and Yammer. In fact, the BAA that Microsoft enters into with HIPAA covered entities for Office 365 Enterprise already includes provisions covering the use of SharePoint Online. This means that many organizations may already have a BAA in place for their use of Office 365 before even considering SharePoint, which could greatly facilitate and accelerate the adoption of SharePoint by HIPAA covered entities.

Is SharePoint HIPAA compliant?

We have seen above that SharePoint can be covered by a BAA, but does this mean that it is HIPAA compliant? Among other important elements, SharePoint includes settings that meet the requirements of various aspects of HIPAA, such as certain administrative and technical features and protections.

This all means that SharePoint can be used in a HIPAA compliant way. However, it is important to note that, even if it can be used correctly, this does not make it automatically compliant, and it does not mean that HIPAA violations won’t occur as a result of SharePoint being used.

It is the responsibility of companies to ensure that all settings are correctly configured so that relevant aspects of HIPAA are applied and respected. Features such as secure access, user authentication, audit functions, and usage monitoring must be in place. The people who will use the platform are central to HIPAA compliance and are ultimately responsible for respecting its various aspects. Users must be appropriately trained, with refresher courses offered as needed. With the correct settings, a BAA, and trained users, SharePoint can be used in compliance with HIPAA.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism.