Healthcare organizations are, like many others, in the middle of digital transformation. A new generation of tools and tech promise all sorts of real benefits, from increased efficiency to fewer errors to better data-driven decision-making.
But getting from wherever you are right now in terms of your organization’s relationship with technology to wherever it is you want to go? It’s a complicated process, and there are plenty of places where organizations can get off track.
In some cases, this just means not getting as much efficiency or ROI as possible from a digital transition. That’s highly unfortunate but isn’t necessarily an existential threat. In other cases, though, there’s much more at stake. Transitioning to the wrong system or tool — or using a good tool in the wrong way — can lead to regulatory violations, including HIPAA violations. And that’s something no medical organization wants to face.
Within this context of digital innovation and regulatory concerns, many healthcare organizations have questions about specific tools and platforms. Microsoft 365 is a wide-ranging suite of tools that offers plenty to healthcare organizations, and many are already using it or are transitioning to it soon.
One pressing question is whether the cloud-based productivity suite is truly HIPAA compliant. Many organizations are asking, is SharePoint HIPAA compliant? What about the broader Microsoft 365 package?
Organizations may already be using these tools for general operations, but is it possible to move electronic health records and other material with personally identifying information (PII) to SharePoint or edit those documents in Microsoft 365?
The answer is, unfortunately, a little complicated. Microsoft isn’t totally clear on whether these products are compliant, and of course they can’t account for user behavior in every instance, either.
So, while it is possible to use Microsoft 365 and SharePoint in HIPAA-compliant ways, it isn’t automatic. Healthcare organizations need technical safeguards in place. That’s something we can take care of for you — but more on that later.
Let’s start with some FAQs you need to know before you make this transition.
Is Microsoft 365 HIPAA compliant?
This is an important question, but it might not be the right question to ask. It’s a little bit like looking at a car and asking whether the car is “speed limit compliant” — unless you’re actually asking whether a car has been somehow programmed to never be capable of exceeding the speed limit, then there’s no such thing as a “speed limit compliant” car. Whether the car operates at the speed limit is entirely up to the driver.
Now, that’s not to say you shouldn’t ever ask questions about the quality of a car — or the quality of a software platform. A shoddily made car might have an accelerator that sticks, creating significant and unnecessary risk. And shoddily made software or digital services could do the same thing with sensitive medical data.
Microsoft 365 is well-made software, to be sure. But it’s nearly as unrealistic to expect Microsoft to be able to stop any and all instances of data misuse as it would be to expect car manufacturers to “lock” cars to the speed limit. The same rules and filters that might prevent a HIPAA violation in a healthcare setting would interfere with normal, ethical use cases in other industries.
Given all this, it’s no surprise that Microsoft isn’t totally clear on whether its products are HIPAA compliant. Can they be used in HIPAA-compliant ways? Yes. But can Microsoft guarantee them as HIPAA compliant? Not without outside help.
This is another common question, but again it’s a little like asking “does this car drive the speed limit?”: it’s not exactly the right question, and it’s more about how you use it.
Some organizations want to use SharePoint exclusively for sharing EHR and other files and documents that may contain personally identifying information (PII). So we understand why this leads to the question about whether SharePoint is HIPAA compliant.
The answer is that it certainly can be used in HIPAA compliant ways. But no, the system isn’t designed to somehow prevent users from violating HIPAA — just like your car isn’t designed to prevent you from speeding.
With both products, organizations need specific technical safeguards in place if they want to remain HIPAA compliant. But to get into those safeguards, we need to look closer at aspects of HIPAA itself and compliance with it.
What are the core compliance areas to be HIPAA compliant?
HIPAA compliance breaks down into three core compliance areas:
- Technical compliance
- Administrative compliance
- Physical compliance
Technical compliance deals with the technological systems that interface with patient data that qualifies as PII. Access control, data integrity, authentication of users, and secure transmission of files all fall under this category.
Administrative compliance refers to the policies and procedures that organizations put in place to protect data and data access. Hospital policies about what can and can’t be shared verbally in public areas, rules about passwords and authentication, and any other administrative decisions touching on privacy fall into this category.
Physical compliance deals with the real world: are physical records kept in a location not accessible to the general public? Are on-premises servers and endpoints secure, either by physical barrier (such as a locked server room) or by high-quality access control (badges, passwords, biometrics, etc. for computer access)?
As we look at the question of using Microsoft 365 and SharePoint in a medical setting, all three compliance areas matter. The technical underpinnings of Microsoft 365 come into play, as do the administrative policies an organization sets up around the use of SharePoint. Physical compliance matters as well, though this has less to do with which software or platforms you’re using and more to do with how you physically set up your equipment.
What are the technical safeguards of HIPAA?
HIPAA rules require that organizations maintain “reasonable and appropriate” safeguards in all three of the major compliance areas. Generally, safeguards are reasonable and appropriate if they protect EHR from “reasonably anticipated” threats or disclosures, but HIPAA does not specify or define what these safeguards must look like.
On the technical side, HIPAA describes three types of technical safeguards:
- Access control
- Safeguards on data in motion
- Safeguards on data at rest
Access control is straightforward enough in concept: only those who have been granted access should be able to access data. So a completely open cloud workspace (like a simple Google Workspace) clearly fails this, while a legacy rights-managed folder-based network generally has the appropriate technical safeguards.
Microsoft 365 and SharePoint can certainly be set up as environments using appropriate access control. So on this point, the products are reasonably HIPAA-compliant.
Data in motion
Data in motion (and data in use) can be harder to protect (or at least to prove protection of). These terms describe when data is in transit between systems or it is actively being used by a system (or human operator).
Typical safeguards on data in motion include data encryption, access control (on systems and on specific data), and using metadata or anonymized data for research and analytics rather than raw data.
Data at rest
Data at rest is data that’s sitting on a server somewhere — either your on-premises server or a cloud server belonging to a provider like Microsoft. This data isn’t being used, but your organization needs to maintain it in case it’s needed later on.
Data at rest safeguards include encryption and access control once again. Physical access control usually comes into play here as well: an unguarded server in an unlocked room may be a HIPAA violation if it gets breached. The argument could be made that the organization didn’t implement “reasonable and appropriate” safeguards — in this case, locks and access control.
How does an IT provider assist in technical HIPAA compliance?
By now it’s likely clear that using Microsoft 365 or SharePoint while staying compliant requires some technical considerations. That’s where an IT provider like Data Magic comes into play.
At Data Magic, we assist healthcare clients with designing and implementing the technical safeguards required and recommended by HIPAA regulations. We design environments where healthcare professionals and support staff can simply do what they need to do, not spend their time worrying about all facets of their technology being compliant.
A quality IT provider assists in this way by providing the cybersecurity layers, risk assessments, and ongoing auditing to make sure clients are covered and remain HIPAA compliant.
Is a BAA needed with Microsoft?
HIPAA regulations stipulate that healthcare organizations must enter into a business associate agreement (BAA) with any business associate that has access to protected health information (PHI). Microsoft states that it “will enter into BAAs with its covered entity and business associate customers,” but the company is quick to point out that the BAA alone does not ensure compliance with HIPAA or HITECH.
Microsoft goes on to state explicitly that your company’s compliance program and internal processes are the key to HIPAA compliance and that “your particular use of Microsoft services aligns with your obligations under HIPAA.”
BAA isn’t automatic, either. If you need a BAA with Microsoft, you’ll need to reach out directly (or through your IT provider).
By now we hope we’ve showed you that, while it’s possible to use Microsoft 365 and SharePoint in HIPAA-compliant ways, the burden lies on your organization to ensure that you’re in compliance while using the products. And that can get complex in a hurry.
Data Magic is an IT and cybersecurity organization that specializes in creating the technical safeguards and policies needed to achieve HIPAA compliance — with Microsoft 365, SharePoint, and a wide range of other apps and services.
If you’re ready to step into a cloud-forward future — without worrying about compliance — reach out today. We can help you move from where you are to where you want to be.