Yes, SharePoint is HIPAA compliant. This service uses both technical and administrative protections to comply with HIPAA regulations. Also, Microsoft will sign a Business Associate Agreement (BAA).
SharePoint provides the administrative and technical features needed to meet HIPAA compliance. Some of these features include access control for users, audit control, logs, and encryption. Threat awareness resources make it easy to access real-time reports about information access and usage.
SharePoint is a Microsoft service. The Microsoft website states that SharePoint Online is HIPAA compliant when paired with Office 365 Enterprise. While Microsoft ensures it meets its responsibilities as a business associate, users are responsible for configuring the platform correctly.
A variety of security add-ons are included for Office 365 Enterprise users, such as advanced threat protection, security management, advanced compliance, and threat intelligence. Licensing includes anti-malware, Windows Defender, Cloud App Security (CAS), Azure AD Identity Protection, Azure Security Center, Azure Advanced Threat Protection, and more.
If you are a HIPAA-covered entity, then you must follow HIPAA regulations. For example, you must control how data is shared, used, published, and updated. Always classify sensitive data to ensure monitoring, protection, and appropriate access controls for information in storage and in transit.
Microsoft is willing to sign a Business Associate Agreement (BAA) for organizations that use SharePoint for patient health information. This BAA is for Office 365 Enterprise, which also covers SharePoint Online. Without this signed BAA, HIPAA-covered entities shouldn’t use this platform for protected health information.
If you configure and use SharePoint correctly and obtain a BAA, then this service can be a HIPAA-compliant solution for information storage, management, and collaboration.