Can I use SharePoint and be HIPAA compliant?

Lately we've been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. SharePoint by Microsoft is a web-based, collaborative platform that integrates with Microsoft Office. We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

• Amazon CloudFront
• Apple iCloud
• Apple iMessage
• Box
• Citrix ShareFile
• DocuSign
• Dropbox
• FaceTime
• Google Calendar
• Google Docs
• Google Drive
• Google Forms
• Google Hangouts
• Google Slides
• Google Voice
• GoToMeeting
• Heroku
• Intercom
• Microsoft 365
• OneDrive
• Return Path
• SharePoint
• Slack
• Sonic
• WhatsApp
• WordPress
• Yammer
• Zoho
• Zoom

The purpose of this post is to determine if SharePoint offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About SharePoint

SharePoint is used by organizations to create websites. It can be used as a secure place to store, organize, share, and access information from any device. According to Microsoft, there are several versions of SharePoint.

They are:

• SharePoint Online
• SharePoint Server
• SharePoint Foundation
• SharePoint Designer 2013
• OneDrive for Business sync

Microsoft SharePoint and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy. We checked the Microsoft Trust Center and found a page called HIPAA and the HITECH Act. In it, Microsoft wisely points out: “Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.” Since SharePoint Online is bundled into Microsoft 365 for Enterprise, we found a pdf doc called Microsoft 365 Compliance Framework for Industry Standards and Regulations that offered deeper insight into SharePoint and its capabilities for HIPAA compliance. The document specifically states that SharePoint Online can be HIPAA compliant when used with Microsoft 365 for Enterprise.

Does Microsoft SharePoint Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate. Since Microsoft offers one for use with SharePoint Online when used with Microsoft 365 for Enterprise, we conclude that particular version of SharePoint can be a HIPAA compliant service. Conclusion: SharePoint Online is covered within the Microsoft Business Associate Agreement when used with the Microsoft 365 for Enterprise license. Make sure you sign a BAA with Microsoft before using SharePoint to store or transmit any PHI.