Is SharePoint HIPAA Compliant

SharePoint is a platform offered by Microsoft that was initially designed as a content management system and was made to be highly configurable. SharePoint syncs up PCs and mobile devices through its back-end system and allows employees within a network to share information in a streamlined fashion.

SharePoint is a powerful enterprise content management tool that provides multiple solutions for information management. Such problems include data loss, redundant processes consuming time, poor communication resulting in ineffective processes, low accountability, low quality and inconsistency in overall performance.

Learn more about SharePoint

HIPAA Overview

The US passed a healthcare law by the name Health Insurance Portability and Accountability Act which seeks to set out requirements for the usage, disclosure, and privacy for the health information of patients. Healthcare companies are the ones covered within this law’s ambit as they do have access to “protected health information,” (PHI), of the patients. The bill also has implications for business associates that work with the Healthcare system and do provide, for say, technological assistances like cloud services, insurance billing and so on. And so they would be likely to process patient information on behalf of the corresponding healthcare entity.

There four domains where the HIPAA has imposed its restrictions upon the usage and distribution of PHI. These domains are security, privacy, identifiers and electronic transmission of healthcare-transactions. HIPAA provides for patient confidentiality by mandating physical, administrative and technological security measures. The law also prohibits the release of certain types of information (which could be collected for research purposes). HIPPA also requires the healthcare companies to take effective measures for when they are transferring crucial data, like insurance claims, insurance eligibility and payments, through electronic transmission.

How Can Healthcare Companies Comply with HIPAA Regulations?

With the technological advancements, the healthcare industry is adapting to various business changes that are inclusive of the electronic conversion of medical records, information exchanges, and web-based portals for both the physicians and patients. These initiatives are regulated under the requirements of HIPAA which is aimed at providing privacy to patient information.

Now there has been a lot of improvement in how organizations implement medical record systems, but a lot of information is trapped in places that are not part of medical records. There are several healthcare providers that haven’t come to terms with the storing information in OneDrive, SharePoint, or SharePoint Online for fear of information breach and violation of HIPAA requirements. Electronic protected health information can exist outside the domain of medical record, so where should the healthcare organizations keep this information. This ePHI needs to be stored while maintaining compliance with the HIPAA and other such regulations such as HITECH.

SharePoint is being a used extensively for digital document management by the healthcare organization. SharePoint in and of itself does not have the ability to ensure its users’ compliance with HIPAA. It is entirely dependent upon the healthcare organizations to achieve and ensure HIPAA compliance when carrying out their business processes on SharePoint.  

Business Associates & Covered Entities

It is argued that HIPAA takes into its ambit the business associates of healthcare organizations (covered entities) as well, and Microsoft does sign that agreement to a BA, however, this doesn’t avert the chances of violation or the breach in protected health information. It just puts them at somewhat equal liability when such an incidence happens. A series of attacks on a healthcare organization, named Anthem, exposed the protected health information of approximately 80 million people. The information included their names, medical identification numbers, social security numbers, addresses employment information, etc. Anthem ended up paying $16 million in settlement to the Office for Civil Rights (OCR). There are several issues that catch attention in such settlements as per the HIPAA regulations. Two of the most observed ones are that the healthcare organizations involved have policies in place to prohibit the prerequisite actions that result in such breach of privacy and that there was an application server involved in the breach of the patient information.

Encryption

Healthcare organizations are usually in agreement with their business associates; however, that should not impede them for establishing and ensuring further protective measures of PHI. Most people get all hyped up about encryption as the one thing that could ensure privacy to patient health information. But encryption will only benefit where there is a tangible loss or theft of, say, a hard disk or tapes. Most breaches occur through a web application, so encryption would not help there. Because encryption is as hyped up as it can be, the healthcare organizations should know about the role that is played by both the implementations (such as database or storage level encryption) and integrated access controls. This combination could help in better threat protection. If there is encryption at an application level with an access control lost that could prohibit unauthorized access, then the breaches can be prevented and these implementations lie outside the purview of what SharePoint and Microsoft 365 are intended for.

Ensuring Technical Safeguards

Even after you get a Business Associate agreement from say a cloud service provider like Microsoft, you are not entirely in the clear unless you have the necessary technical controls. Some healthcare organizations, in the past, have had all the properly documented policies; however, they didn’t have the adequate implementations for those policies. Healthcare businesses should ensure proper implementations of technical safeguards or automated security controls to ensure compliance with HIPAA regulations.

Therefore, healthcare organizations, after getting their documents and business processes up on platforms like SharePoint, would still need to possess the information as to where their ePHI is located in SharePoint, SharePoint Online and OneDrive. After having this information, they should then find a way to encrypt the documents within SharePoint, ensure meaningful usage of those documents and monitor all and every access made to ePHI.

How does SharePoint stack against HIPAA?

No software platform can, on its own, live up to the requirements of HIPAA regulations. However, SharePoint has incorporated mandatory administrative and technical safeguards to comply with the said regulations. This will enable the HIPAA covered entities to operate their business processes in a manner that complies with HIPAA.

Microsoft has mentioned their Microsoft 365 product to be an online solution that enhanced productivity and ensures collaboration while safeguarding the data and complying with the industry regulations. However, it hasn’t mentioned all such details about SharePoint and SharePoint Online. It just proclaims that Microsoft is willing to sign a Business Associate Agreement with the Healthcare organizations and that this agreement will include SharePoint. However, the users are responsible for ensuring further compliance with the HIPAA regulations and that the SharePoint platform is configured properly. Compliance with the regulations is mandated by training the personnel who would be using it, setting access controls and audit controls and ensuring the adequate configuration of security controls.

After all these measures are ensured, SharePoint can be deemed as a HIPAA compliant platform that could be used for document management and collaboration.

***

At Infowise, we are serving as a strategic partner, assisting public and private enterprises in their digital transformation endeavors with our scalable, smart and futuristic tools, software and applications. Our product Infowise Ultimate Forms contains more than 15 standalone SharePoint applications developed to give you the power to innovate, automate and scale up your processes. Our products have been designed for optimum interoperability and seamless integration within SharePoint. Altogether, they constitute the structural foundation for digitization and facilitate your transition to digital transformation.

Click here to download Infowise Ultimate Forms 30-days free trial. Simple process. After you've installed Infowise UF, go ahead and create an unlimited number of Business Process Applications. Or even better, do you want to start with a ready template? Great, click here and download the ready-to-use template from our vast business process solution library, re-purpose to service your needs.