December 10, 2025
5 min read

Is SharePoint HIPAA Compliant?

Learn how Strac safeguards SharePoint against critical concerns such as data breaches, insider threats, and regulatory non-compliance


TL;DR

  • SharePoint Compatibility with HIPAA: As standard, SharePoint does not comply with HIPAA standards for safeguarding Protected Health Information (PHI).
  • SharePoint HIPAA Configuration: SharePoint settings must be configured to bring the cloud-based service into compliance with HIPAA requirements.
  • Business Associate Agreement (BAA): Microsoft will sign a BAA with covered entities, including healthcare organizations, that covers the use of SharePoint when used with Office 365 Enterprise and Microsoft 365 Enterprise plans.
  • Storing PHI in SharePoint: Presents significant compliance and data leak risks. SharePoint settings must be configured correctly, at all times, and employees must be trained on proper data security protocol.
  • Potential for PHI Leakage: Due to SharePoint being a cloud-based collaboration tool, there is potential for data leaks. This ever-present risk underscores the importance of additional Data Loss Prevention (DLP) solutions.
  • Strac SharePoint DLP: Offers scanning, detection, and redaction of sensitive data within SharePoint to ensure your use of the service is always compliant and secure.

What is SharePoint

SharePoint is Microsoft’s cloud-based collaboration and document-management platform used by enterprises to store files, manage internal knowledge, automate workflows, and collaborate across teams. Because SharePoint integrates deeply with Microsoft 365 apps like OneDrive, Teams, Outlook, and Exchange, it quickly becomes a central repository for business-critical information, including PHI, PII, and other regulated data.

For healthcare, insurance, and benefits organizations, SharePoint often evolves into a storage layer for patient documents, claims records, onboarding files, vendor contracts, billing reports, and audit-related materials. This is where HIPAA risk grows; once PHI enters SharePoint, it must be protected under strict access controls, logging, and DLP monitoring to remain compliant.

However, while SharePoint can be configured to be HIPAA-aligned, it is not automatically compliant out of the box. Organizations must configure administrative safeguards, enable logging, apply proper permission models, restrict external sharing, and deploy DLP that can discover, classify, and protect PHI inside files, lists, pages, and synced OneDrive folders. This is exactly where a HIPAA-ready DLP platform like Strac becomes critical.

Is SharePoint HIPAA Compliant

In the healthcare industry, where patient confidentiality and data security are paramount, the Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient information. 

SharePoint is a web-based document management and storage platform owned by Microsoft. SharePoint integrates natively with Office and Microsoft 365 and is used by organizations to improve team collaboration, project management and other internal processes. 

As standard, SharePoint is not HIPAA compliant

To ensure the safe and compliant handling of Protected Health Information (PHI), healthcare organizations must ensure that SharePoint is configured specifically to comply with HIPAA standards. 

Will Microsoft Sign a BAA for SharePoint

To comply with HIPAA, business associates must have a Business Associate Agreement (BAA) in place with all organizations that are classified as HIPAA-covered entities.

Yes, Microsoft is willing to sign a BAA with healthcare organizations that covers the use of SharePoint

Microsoft’s BAA for Office 365 Enterprise and Microsoft 365 Enterprise covers the use of SharePoint. This means that SharePoint users must have an Office 365 Enterprise or Microsoft 365 Enterprise plan. 

The BAA outlines Microsoft's responsibility in managing and protecting PHI, and brings the use of SharePoint into compliance with HIPAA.

However, signing a BAA with Microsoft does not ensure compliance. Healthcare organizations must also ensure their use of SharePoint remains compliant, at all times. This involves configuring SharePoint’s security settings, including applying strict access controls and sharing permissions. Employees must also be trained on data security protocol and how to handle sensitive data in a compliant manner.

Can You Store PHI or Patient Data in SharePoint

Yes — it is possible to store Protected Health Information in SharePoint, but only when certain requirements are met.

Firstly, healthcare organizations planning on using SharePoint to handle and store PHI must have an Office 365 Enterprise or Microsoft 365 Enterprise plan and have signed a relevant BAA with Microsoft. 

Secondly, SharePoint settings must be configured in line with HIPAA requirements. This includes enabling strict user access controls and activity monitoring functions, and conducting regular security assessments. 

Finally, healthcare organizations need to ensure their staff are trained on how to handle PHI and sensitive data, or risk non-compliance with HIPAA.

Improper handling of sensitive data and protected information within SharePoint can open your organization up to significant regulatory and litigation risks.

[Image: Sample PHI Document]

Can PHI or Patient Data be Leaked from SharePoint

Considering SharePoint’s popularity and the fact it is a cloud-based collaboration tool, without implementing additional security mechanisms, there will always be a risk of data leaks.

Although SharePoint has security features designed to protect against unauthorized access, data breaches, and other cyber risks, no system is completely invulnerable to leaks and external cyber threats. In fact, a company using SharePoint suffered a ransomware attack back in June 2023, where the attacker stole hundreds of files.

The potential for the leaking of sensitive data such as PHI will always exist. Incorrect configuration of security settings can lead to unauthorized access, whilst user error can lead to an accidental leak. There is also the risk of malicious insider threats. 

Alongside technical security controls, your employees also play a crucial role in ensuring internal data security, especially when handling sensitive patient data.

This ever-present risk of data leaks sees many healthcare organizations adopt additional security mechanisms that not only ensure compliance, but effectively safeguard PHI against breaches and leaks.

[Image: SharePoint Online]

Common HIPAA Violations That Happen in SharePoint

HIPAA violations in SharePoint typically occur not because the platform is insecure, but because users store, share, or access PHI without proper controls, visibility, or monitoring. These risks increase as organizations scale and more employees use SharePoint as a default file hub.

Here are the most frequent HIPAA violations seen inside SharePoint environments:

1. Storing PHI in unrestricted or public SharePoint folders

Employees often upload medical documents, ID scans, claims forms, lab results, or intake files into shared folders that lack restricted permissions. If “Everyone,” “All Employees,” or external users have access, this becomes an immediate HIPAA violation. This commonly happens when users sync SharePoint with OneDrive and unintentionally expose folders to broad groups.

2. External sharing of PHI (intentional or accidental)

SharePoint allows file and folder sharing via links, but without strict configuration, links may be set to “Anyone with the link.” This allows PHI to be accessed by unauthorized parties. Many HIPAA breaches stem from an employee sending a patient-related Excel file or PDF to a vendor without proper access control.

3. Lack of audit logging or insufficient monitoring of PHI access

HIPAA requires full audit trails for who accessed, modified, or downloaded PHI. SharePoint provides logs, but organizations often fail to enable advanced auditing, retention, or alerting. This results in blind spots when investigating potential breaches.

4. PHI exposure inside document versions and autosaved files

SharePoint preserves version history, which means older versions containing PHI may remain accessible even if redacted later. Without DLP scanning and version-level detection, sensitive information remains exposed.

5. Files containing PHI uploaded without encryption or classification

Employees often upload documents generated from EMR, patient portals, or intake systems without marking them as sensitive. Unclassified files bypass controls, get shared broadly, or remain unmonitored.

6. Inadequate control over synced devices (OneDrive + local sync)

When SharePoint syncs to local devices, PHI stored in SharePoint can quietly propagate to laptops — including unmanaged or BYOD endpoints. Lost or unencrypted devices containing synced PHI create HIPAA liability.

How Strac Prevents HIPAA Violations in SharePoint

Strac provides real-time, automated protection that identifies and remediates PHI across SharePoint, OneDrive, and the broader Microsoft 365 ecosystem. With ML-based classification, OCR, inline redaction, policy-based blocking, and continuous scanning, Strac ensures PHI is never exposed through risky folders, misconfigured sharing, document versions, or synced devices.

Strac’s agentless DSPM + DLP also provides complete HIPAA-grade audit trails, posture analysis, risk scoring, and automated detection of PHI buried inside PDFs, scans, spreadsheets, and uploaded healthcare records.

How Can Strac Prevent Data Leaks from SharePoint

Strac SharePoint DLP is a comprehensive data leak prevention tool that adds an additional layer of security to SharePoint. 

SharePoint DLP ensures your use of SharePoint remains compliant through comprehensive real-time monitoring, automated data categorization, advanced redaction, intelligent alerts, and streamlined compliance management. 

All of this is delivered through a user-friendly interface tailored for organizational needs:

  • Regulatory Compliance: Strac's DLP solutions ensure adherence to compliance standards such as PCI, SOC 2, HIPAA, ISO-27001, CCPA, GDPR, and NIST.
  • Instantaneous Email Redactions: Leverage real-time interventions by Strac's DLP, identifying and mitigating SharePoint data vulnerabilities as they arise.
  • Comprehensive Audit Overviews: Document every SharePoint operation in detail. Strac simplifies audit logs for clear and accountable oversight.
  • Effortless Integration: Incorporate Strac with SharePoint effortlessly, for consistent and fortified data safeguarding.
  • Specialized Protection Across the Board: DLP solutions tailored for your distinct SharePoint environment, enhancing your data security profile.
  • AI Integration: Beyond standard SaaS, Cloud, and Endpoint protections, Strac seamlessly works with LLM APIs and AI platforms such as ChatGPT, Google Bard, and Microsoft Copilot, enhancing the security of AI or LLM applications and the data they process. Learn more through Strac's developer documentation.
  • Pioneering Data Security Intel: Stay abreast with Strac’s avant-garde insights on emerging data threats and potential weak points within SharePoint.
  • Detailed Control & Configuration: Customize your SharePoint safety protocols to your preferences. See Strac’s full catalog of sensitive data elements.
  • API Capabilities: Strac empowers developers with APIs for the detection and redaction of sensitive information. Access Strac’s API Docs.

To learn more about how Strac adds an extra layer of security and helps organizations comply with HIPAA regulations, see our guide to HIPAA Compliance.

Book a free 30-minute demo for more.

🌶️Spicy FAQs on Is SharePoint HIPAA Compliant

Does Microsoft sign a BAA for SharePoint?

Yes, Microsoft will sign a Business Associate Agreement (BAA) for SharePoint, but only when the organization is using Microsoft 365 plans that include HIPAA-eligible services. Once the BAA is signed, Microsoft contractually commits to handling PHI in accordance with HIPAA requirements. However, the BAA does not make your SharePoint environment automatically HIPAA-compliant; it only covers Microsoft’s responsibilities as the cloud provider. You are still responsible for configuring access controls, auditing, DLP, sharing policies, and monitoring.

Is SharePoint secure enough for PHI storage?

SharePoint can be secure enough for PHI storage when correctly configured. It includes strong encryption, access permissions, auditing capabilities, and integration with Microsoft Purview. But the default configuration is not sufficient for HIPAA-grade protection. Real HIPAA compliance requires strict sharing controls, continuous auditing, PHI classification, least-privilege access, and monitoring for files, pages, lists, and synced devices. Without these controls, PHI in SharePoint can still leak through public links, misconfigured folders, or synced endpoints.

How do I make SharePoint HIPAA-compliant?

You can make SharePoint HIPAA-compliant by enabling security controls, restricting PHI access, and layering monitoring on top of Microsoft’s native protections. Organizations typically follow these steps:

  • Sign Microsoft’s BAA and verify that your licensing covers HIPAA-eligible services.
  • Lock down sharing settings, removing “Anyone with the link” access and restricting external sharing.
  • Implement least-privilege permissions for libraries, sites, and folders that contain PHI.
  • Enable audit logs and retention policies to maintain full visibility into PHI access and modifications.
  • Classify and label PHI automatically so sensitive files cannot be shared or downloaded without controls.
  • Deploy a HIPAA-ready DLP platform like Strac to detect PHI inside files, pages, version history, and synced devices.

Once these safeguards are in place, SharePoint can be used as a compliant PHI repository.

Do I need DLP if I already use SharePoint for HIPAA?

Yes, DLP is still required even if SharePoint is configured for HIPAA. SharePoint’s built-in controls do not automatically detect PHI inside uploaded files, scans, PDFs, spreadsheets, or synced OneDrive folders. They also do not remediate sensitive content in real time. A HIPAA-grade DLP solution provides:

  • Automated PHI discovery across SharePoint sites, libraries, folders, and version history.
  • ML/OCR detection that identifies PHI in unstructured documents, scanned forms, and attachments.
  • Inline remediation such as redaction, masking, blocking, or quarantining.
  • Continuous compliance monitoring with alerts for misconfigured access, oversharing, or risky downloads.

Without DLP, organizations cannot reliably prevent PHI leakage or maintain the visibility HIPAA requires.
