Is Sharepoint HIPAA compliant?

Sharepoint is a software from Microsoft that is commonly used in enterprises in many industries, but some have asked whether it can be used by organizations in the healthcare space and whether it is compliant with the Health Insurance Portability and Accountability Act, which is more commonly known as HIPAA.

How does Sharepoint work?

Sharepoint manages and stores documents and allows different teams or individuals to collaborate and edit them via a web-based platform. Many companies use intranets that are built using Sharepoint and it allows for easy uploading and downloading of Microsoft Office documents such as Word, Powerpoint or Excel files.

Sharepoint can be used in a similar fashion to cloud storage systems such as Google Drive or Dropbox, but it offers a host of other functionalities that allow it to be used to build internet portals, and it can even support basic customer relationship management (CRM) systems.

Given this extensive range of uses, it is no wonder that companies involved in healthcare would be interested in adding Sharepoint to their toolboxes. Unlike organizations in other industries, however, these companies must first ensure that Sharepoint is HIPAA compliant, or at least that it contains the necessary functionalities and settings to allow a HIPAA compliant Sharepoint environment to be created.

Sharepoint, Microsoft, and Business Associate Agreements

As with any other software or service, a fundamental step in ensuring HIPAA compliance is establishing a Business Associate Agreement (BAA) between the HIPAA covered entity and the service provider. This is a prerequisite before any protected health information (PHI) can be used with the system.

Microsoft will sign BAAs for many of its services, for example Office 365 and Yammer. In fact, the BAA that Microsoft enters into with HIPAA covered entities for Office 365 Enterprise already includes provisions covering the use of Sharepoint Online. This means that many organizations may already have a BAA in place from their use of Office 365 before even considering Sharepoint, which could greatly facilitate and accelerate the adoption of Sharepoint by HIPAA covered entities.

Is Sharepoint HIPAA compliant?

We have seen above that Sharepoint can be covered by a BAA, but does this mean that it is HIPAA compliant? Among other important elements, Sharepoint includes settings that meet the requirements of various aspects of HIPAA, such as certain administrative and technical safeguards.

This all means that Sharepoint can be used in a HIPAA compliant way. However, it is extremely important to note that the fact that it can be used correctly does not make it automatically compliant, nor does it mean that HIPAA violations won't occur as a result of Sharepoint being used.

It is the responsibility of companies to ensure that all settings are correctly configured so that the relevant aspects of HIPAA are applied and respected. Features such as secure access, user authentication, audit functions, and usage monitoring must be in place. Central to HIPAA compliance, and ultimately responsible for respecting its various requirements, are the people who will use the platform. Users must be appropriately trained, with refresher courses offered as needed. With the correct settings, a BAA, and trained users, Sharepoint can be used in compliance with HIPAA.