SharePoint is a web document management and storage platform and one of the main collaborative platforms on the market, used by 78% of Fortune 500 firms. The platform is based on Microsoft’s OpenXML document standard and therefore links up seamlessly with Microsoft Office.
SharePoint provides many of the same functions as Google Drive and Dropbox, although SharePoint is a much more powerful service and can also be used for internet portals, intranet sites and can create the basis of a CRM system.
With such a wide variety of functions it is naturally a good fit for healthcare groups, but is SharePoint HIPAA compliant? Does the platform have all the required functions and security controls required by HIPAA?
The first thing to address when considering the suitability of a platform for use in healthcare in the United States is whether the platform supplier is willing to sign a business associate agreement with a HIPAA covered entity or a business associate. Without a completed BAA, a platform cannot be used along with any protected health information (PHI).
Microsoft is ready to complete a business associate agreement with HIPAA covered entities for Office 365 and Yammer, but what is the stance in relation to SharePoint?
Microsoft outright states on its official website that SharePoint Online supports HIPAA compliance when used with Office 365 Enterprise, and that its BAA for Office 365 Enterprise does include SharePoint Online.
Can we think of SharePoint as being HIPAA compliant? While no software platform can be be deemed outright HIPAA compliant, SharePoint does have all of the necessary administrative and technical features to meet HIPAA Rules and HIPAA covered entities can use the platform in a HIPAA compliant fashion.
Microsoft will also see to it that it meets its responsibilities as a business associate, but it is the responsibility of users to make sure that HIPAA Rules are followed and the platform is set up correctly. Covered entities must set management controls for individuals or roles, audit controls must be set, logs must be reviewed, proper security controls configured, and users must receive training on use of the platform and the limits of HIPAA.
Provided a BAA is obtained, the platform is set up and implemented properly correctly, SharePoint can be deemed as being HIPAA compliant document management, document storage, and collaborative platform.