Quick Guide on HIPAA Compliance with Sharepoint

Read time: 4 minutes

Online records pertaining to an individual contain sensitive information that should not be disclosed to third parties without the individual’s explicit consent. In order to safeguard the online medical records of American citizens, the US government implemented the Health Insurance Portability and Accountability Act (HIPAA) in 1996. This legislation unequivocally mandates healthcare providers, health insurance companies, and individual doctors to refrain from sharing patient information with any external entities or organizations without the patient’s consent. Violating this act carries legal consequences, reinforcing the necessity to uphold patient privacy and security.

There are several sections (called titles) in this act, covering all the security, sharing, and availability of medical details.

Title I– Healthcare accessibility, portability, and renewability
This comprehensive policy has a profound impact on healthcare plans, encompassing individuals, employees, and organizations alike. It provides a set of regulatory guidelines vital for sustaining the plan under diverse circumstances, outlining measures to ensure data protection and responsible sharing practices.

Title II – Prevention of health care fraud and abuse: medical liability reforms and simplification of data administration
The second title of the Health Insurance Portability and Accountability Act (HIPAA) delineates a range of offenses that warrant punishment. It systematically organizes rules aimed at establishing standards, policies, and procedures to maintain the privacy of medical information. These encompass privacy regulations, security protocols, and enforcement guidelines within this specific title.

Title III-A medical saving account for tax-related health provisions by the government
Employees covered under a high deductible plan by their employers have access to a medical savings account. This account is designated to allocate a specific amount per person for medical expenses.

Title IV – Group health insurance requirements and applicability
This title creates guidelines for applying for group health insurance plans based on the individual’s health history and other requirements.

Title V – Government tax deductions from employers
The final title provides the regulations for company-owned life insurance policies and similar products.

Numerous breaches of the Health Insurance Portability and Accountability Act (HIPAA) have led to significant civil and criminal penalties for those in violation. The US Department of Health and Human Services’ Office for Civil Rights reported over 91,000 violations during the period of 2003 to 2013, with 521 cases escalated to higher authorities due to their severity, categorizing them as criminal offenses.

When online medical records are stored within SharePoint lists or documents, Microsoft is obligated to adhere to HIPAA regulations. SharePoint offers HIPAA Compliance support, presenting a comprehensive whitepaper that outlines crucial details necessary to meet HIPAA compliance requirements and maintain a high standard of cybersecurity diligence.

There are so many controls that a medical organization can use to secure the records and avoid the chances of data breaches.

Office 365 Security & Compliance Center

By leveraging Office 365 business standard and premium plan tools, you can increase data security according to SharePoint Online HIPAA compliance, and there will be no accidental data leakage.

• Compliance Administrator
  Here you can manage settings for device management, data protection, data loss prevention, and preservation.
• Security Operator
  This feature sets security alerts, view reports, and other security features.
• Reviewer
  It is a role group, and a member of the reviewer group has permission to manage the record contents.
• Records management
  The members of this role group can manage as well as dispose of records.
• Organization Management
  The members of this role group can manage Exchange objects and delegate management roles to other uses. This role group should not be deleted.
• Supervisory Review
  It will control the policies and permissions for reviewing employees’ communications.
• Security Administrator
  The security administrator can set policies for data retention, data loss, audit logs, and device management.
• Security Reader
  It will give view-only access to alerts, device management, DLP, and security logs.
• eDiscovery Manager
  It runs searches and places hold on mailboxes, SharePoint Online sites, and OneDrive for Business locations.
• Service Assurance User
  Such users can access the Security & Compliance Center service assurance section. This role group lets the user review documents connected with security, privacy, and compliance in Office 365.
• Mail flow administrator
  It accesses recipients in the Exchange Admin Center.
• Data Investigator
  It performs searches on mailboxes, SharePoint Online site, and OneDrive for Business.

Conclusion

The Office 365 security and compliance center offers a range of features essential for maintaining SharePoint HIPAA compliance, facilitating robust protection of patient medical records. Employing these features allows you to establish controls within SharePoint Online, ensuring comprehensive data security. When contemplating a SharePoint migration to different accounts, paramount consideration is given to safeguarding data integrity and security in the new account. Utilizing the Kernel Migration for SharePoint streamlines the SharePoint Migration process, seamlessly transferring data while preserving settings, metadata, and role groups. This tool not only facilitates smooth data migration but also ensures that the data remains fully secure in the new SharePoint account.