Read time: 4 minutes

Summary: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 safeguards Americans’ medical records’ privacy and restricts unauthorized sharing. It comprises titles ensuring healthcare accessibility, fraud prevention, tax-related health provisions, group insurance guidelines, and tax deductions. Violations result in significant penalties. Microsoft’s SharePoint and Office 365 tools enable HIPAA compliance through a range of security measures and role-based access controls.

Online records pertaining to an individual contain sensitive information that should not be disclosed to third parties without the individual’s explicit consent. In order to safeguard the online medical records of American citizens, the US government implemented the Health Insurance Portability and Accountability Act (HIPAA) in 1996. This legislation unequivocally mandates healthcare providers, health insurance companies, and individual doctors to refrain from sharing patient information with any external entities or organizations without the patient’s consent. Violating this act carries legal consequences, reinforcing the necessity to uphold patient privacy and security.

There are several sections (called titles) in this act, covering all the security, sharing, and availability of medical details.

Title I– Healthcare accessibility, portability, and renewability
This comprehensive policy has a profound impact on healthcare plans, encompassing individuals, employees, and organizations alike. It provides a set of regulatory guidelines vital for sustaining the plan under diverse circumstances, outlining measures to ensure data protection and responsible sharing practices.

Title II – Prevention of health care fraud and abuse: medical liability reforms and simplification of data administration
The second title of the Health Insurance Portability and Accountability Act (HIPAA) delineates a range of offenses that warrant punishment. It systematically organizes rules aimed at establishing standards, policies, and procedures to maintain the privacy of medical information. These encompass privacy regulations, security protocols, and enforcement guidelines within this specific title.

Title III-A medical saving account for tax-related health provisions by the government
Employees covered under a high deductible plan by their employers have access to a medical savings account. This account is designated to allocate a specific amount per person for medical expenses.

Title IV – Group health insurance requirements and applicability
This title creates guidelines for applying for group health insurance plans based on the individual’s health history and other requirements.

Title V – Government tax deductions from employers
The final title provides the regulations for company-owned life insurance policies and similar products.

Numerous breaches of the Health Insurance Portability and Accountability Act (HIPAA) have led to significant civil and criminal penalties for those in violation. The US Department of Health and Human Services’ Office for Civil Rights reported over 91,000 violations during the period of 2003 to 2013, with 521 cases escalated to higher authorities due to their severity, categorizing them as criminal offenses.

When online medical records are stored within SharePoint lists or documents, Microsoft is obligated to adhere to HIPAA regulations. SharePoint offers HIPAA Compliance support, presenting a comprehensive whitepaper that outlines crucial details necessary to meet HIPAA compliance requirements and maintain a high standard of cybersecurity diligence.

There are so many controls that a medical organization can use to secure the records and avoid the chances of data breaches.

Office 365 Security & Compliance Center

By leveraging Office 365 business standard and premium plan tools, you can increase data security according to SharePoint Online HIPAA compliance, and there will be no accidental data leakage.

  • Compliance Administrator
    Here you can manage settings for device management, data protection, data loss prevention, and preservation.
  • Security Operator
    This feature sets security alerts, view reports, and other security features.
  • Reviewer
    It is a role group, and a member of the reviewer group has permission to manage the record contents.
  • Records management
    The members of this role group can manage as well as dispose of records.
  • Organization Management
    The members of this role group can manage Exchange objects and delegate management roles to other uses. This role group should not be deleted.
  • Supervisory Review
    It will control the policies and permissions for reviewing employees’ communications.
  • Security Administrator
    The security administrator can set policies for data retention, data loss, audit logs, and device management.
  • Security Reader
    It will give view-only access to alerts, device management, DLP, and security logs.
  • eDiscovery Manager
    It runs searches and places hold on mailboxes, SharePoint Online sites, and OneDrive for Business locations.
  • Service Assurance User
    Such users can access the Security & Compliance Center service assurance section. This role group lets the user review documents connected with security, privacy, and compliance in Office 365.
  • Mail flow administrator
    It accesses recipients in the Exchange Admin Center.
  • Data Investigator
    It performs searches on mailboxes, SharePoint Online site, and OneDrive for Business.


The Office 365 security and compliance center offers a range of features essential for maintaining SharePoint HIPAA compliance, facilitating robust protection of patient medical records. Employing these features allows you to establish controls within SharePoint Online, ensuring comprehensive data security. When contemplating a SharePoint migration to different accounts, paramount consideration is given to safeguarding data integrity and security in the new account. Utilizing the Kernel Migration for SharePoint streamlines the SharePoint Migration process, seamlessly transferring data while preserving settings, metadata, and role groups. This tool not only facilitates smooth data migration but also ensures that the data remains fully secure in the new SharePoint account.

Kernel Migration for SharePoint