Quick Guide on HIPAA Compliance with Sharepoint

Aftab Alam | Published on September 14, 2022

Read time: 4 minutes

A person's online medical records are confidential information that must not be shared with a third party without that person's consent. To protect the medical records of US citizens, the US government enacted HIPAA (the Health Insurance Portability and Accountability Act of 1996), under which healthcare providers, health insurance companies, and individual doctors may not disclose a patient's details to any third person or organization. Disclosure requires the patient's consent, and any violation of the act carries a legal penalty.

The act has several sections (called titles) that together cover the security, sharing, and availability of medical details.

Title I – Health care access, portability, and renewability
This title affects health care plans for individuals, employees, and organizations. It sets out policy regulations for keeping a plan in force in various situations, and for how plan data must be protected and shared.

Title II – Prevention of health care fraud and abuse, medical liability reform, and administrative simplification
The second title defines the offenses that count as punishable acts under HIPAA. It lays out rules for creating the standards, policies, and procedures that keep medical details private. The Privacy Rule, the Security Rule, and the Enforcement Rule fall under this title.

Title III – Medical savings accounts and tax-related health provisions
This title provides for medical savings accounts for employees covered by a high-deductible plan through their employer, and sets the amount that can be placed in a medical savings account per person.

Title IV – Group health insurance requirements and applicability
This title sets guidelines for applying for group health insurance plans based on an individual's health history and other requirements.

Title V – Revenue offsets and tax provisions for employers
The final title provides the regulations for company-owned life insurance policies and similar products.

There have been many violations of HIPAA, and many civil and criminal penalties have been imposed on the violators. The US Department of Health & Human Services Office for Civil Rights reported more than 91,000 violations between 2003 and 2013, and 521 of these were referred to higher authorities as potential criminal cases.

When online medical records are saved in SharePoint lists or document libraries, Microsoft is bound to follow HIPAA regulations, and for Office 365 users it has published a detailed whitepaper covering the essential information needed to satisfy HIPAA compliance and cybersecurity due diligence.

There are many controls that a medical organization can use to secure its records and reduce the chance of a data breach.

Office 365 Security & Compliance Center

By using the tools in the Office 365 Business Standard and Premium plans, you can increase data security and minimize the chance of accidental data leakage. The Security & Compliance Center grants these capabilities through role groups:

  • Compliance Administrator
    Members of this role group manage settings for device management, data protection, data loss prevention, and preservation.
  • Security Operator
    Members of this role group manage security alerts, view reports, and use other security features.
  • Reviewer
    This is a role group whose members have permission to manage record contents.
  • Records Management
    Members of this role group can manage as well as dispose of records.
  • Organization Management
    Members of this role group can manage Exchange objects and delegate management roles to other users. This role group should not be deleted.
  • Supervisory Review
    Members of this role group control the policies and permissions for reviewing employees' communications.
  • Security Administrator
    Members of this role group can set policies for data retention, data loss prevention, audit logs, and device management.
  • Security Reader
    Members of this role group get view-only access to alerts, device management, DLP, and security logs.
  • eDiscovery Manager
    Members of this role group run searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations.
  • Service Assurance User
    Members of this role group can access the Service Assurance section of the Security & Compliance Center, which lets them review documents about security, privacy, and compliance in Office 365.
  • Mail Flow Administrator
    Members of this role group manage recipients in the Exchange Admin Center.
  • Data Investigator
    Members of this role group perform searches across mailboxes, SharePoint Online sites, and OneDrive for Business.
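Several of the role groups above (Organization Management, eDiscovery Manager, Data Investigator, Records Management, and the two administrator groups) can read, hold, or dispose of the records that HIPAA protects, so a compliance reviewer wants to know exactly who holds them. The script below is an added example, not code from the original article, from Microsoft, or from the Kernel product; it runs in Security & Compliance PowerShell (the ExchangeOnlineManagement module) and compares current role-group membership against an approved list. The admin sign-in name, the approved member names, and the CSV path are placeholders, and the match is done on each member's Name property, which is an assumption about how your tenant identifies members.

```powershell
# Added example (not from the original article): review membership of the
# high-privilege Security & Compliance Center role groups listed above.
# Requires: Install-Module ExchangeOnlineManagement (run once as an administrator).
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder sign-in name

# Role groups from the list above that can read, hold, or dispose of patient records.
$highPrivilegeGroups = @(
    'Organization Management',
    'Compliance Administrator',
    'Security Administrator',
    'eDiscovery Manager',
    'Data Investigator',
    'Records Management'
)

# Constructed allow-list (placeholder names): who is *expected* to hold each role group.
# In a real review this comes from the access-approval record, not from the script.
$approvedMembers = @{
    'Organization Management'  = @('Global Admin')
    'Compliance Administrator' = @('Compliance Officer')
    'Security Administrator'   = @('SecOps Team')
    'eDiscovery Manager'       = @('Legal Hold Admin')
    'Data Investigator'        = @()            # nobody should hold this day to day
    'Records Management'       = @('Records Manager')
}

# Fetch every role group once, then match on DisplayName or on the internal Name
# with spaces removed (e.g. "eDiscoveryManager"), so the lookup does not depend
# on which form the tenant returns.
$allGroups = Get-RoleGroup

$findings = foreach ($groupName in $highPrivilegeGroups) {
    $key   = $groupName -replace '\s', ''
    $group = $allGroups | Where-Object {
        $_.DisplayName -eq $groupName -or (($_.Name -replace '\s', '') -eq $key)
    } | Select-Object -First 1

    if (-not $group) {
        Write-Warning "Role group '$groupName' not found in this tenant"
        continue
    }

    foreach ($member in Get-RoleGroupMember -Identity $group.Identity) {
        # Assumption: Name is a usable identifier for the member (user or nested group).
        $memberName = $member.Name
        [pscustomobject]@{
            RoleGroup = $groupName
            Member    = $memberName
            Approved  = [bool]($approvedMembers[$groupName] -contains $memberName)
            Reviewed  = (Get-Date).ToString('yyyy-MM-dd')
        }
    }
}

# Any member not on the allow-list is a least-privilege finding to resolve
# (remove, or document the approval) before records are migrated or shared.
$findings | Where-Object { -not $_.Approved } | Format-Table RoleGroup, Member -AutoSize

# Keep the full review as evidence for the compliance file (placeholder path).
$findings | Export-Csv -Path '.\role-group-review.csv' -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script on a schedule and keep the exported CSV: it gives you the dated evidence of access review that an auditor will ask for, and the unapproved-member table is the list to act on before moving records to a new SharePoint account.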


All of these features in the Office 365 Security & Compliance Center help a business stay HIPAA compliant. By using them, you can set the controls in SharePoint Online that help ensure patients' medical records are protected.

When you want to migrate data from your SharePoint sites to another SharePoint account, your main consideration will be the security of the data in the new account. To simplify your SharePoint migration, you can use the Kernel Migrator for SharePoint software. It not only migrates the data but also retains settings, metadata, and role groups, so the data remains fully protected in the new account.
