HIPAA Compliant Microsoft 365: Complete Configuration Guide
Expert Insight from Errin O'Connor
29 years Microsoft consulting | 4x Microsoft Press bestselling author | 30+ HIPAA-compliant Microsoft 365 implementations | 100% audit pass rate across healthcare clients
Quick Answer
Microsoft 365 is HIPAA-capable but not HIPAA-compliant out of the box. Achieving HIPAA compliance requires executing a Business Associate Agreement (BAA) with Microsoft, configuring sensitivity labels to classify PHI, implementing DLP policies to prevent PHI leakage, setting up retention policies for 6+ year record-keeping, enabling encryption for email and file sharing, configuring audit logging with 10-year retention, and establishing Conditional Access policies for device and location-based controls. Microsoft 365 E5 is recommended for healthcare organizations as it includes all compliance tools needed. EPC Group has configured HIPAA-compliant Microsoft 365 environments for 30+ healthcare organizations with a 100% audit pass rate.
Introduction: The HIPAA-Microsoft 365 Compliance Gap
Healthcare organizations face a critical paradox: they need modern collaboration tools to improve patient care, clinical efficiency, and administrative productivity, but every deployment decision carries the weight of HIPAA compliance. Microsoft 365 is the dominant productivity platform in healthcare, used by over 80% of health systems for email, document management, and collaboration. Yet the majority of these deployments have significant compliance gaps that would not survive a rigorous HIPAA audit.
After configuring HIPAA-compliant Microsoft 365 environments for 30+ healthcare organizations including hospital systems, health insurance providers, pharmaceutical companies, and medical device manufacturers, I have identified a consistent set of compliance gaps that put organizations at risk. This guide provides the exact configuration steps needed to close those gaps and build a defensible compliance posture.
Critical Warning: HIPAA Penalties Are Increasing
OCR (Office for Civil Rights) enforcement has intensified significantly. In 2025, HIPAA penalties exceeded $15 million across 22 enforcement actions. The most common violations involved insufficient access controls, missing BAAs, and inadequate audit trails, all of which are directly addressed by proper Microsoft 365 configuration. A single breach affecting 500+ individuals triggers mandatory OCR investigation, public disclosure on the "Wall of Shame," and potential penalties up to $1.5 million per violation category per year.
Step 1: Execute the Business Associate Agreement (BAA)
The BAA is the foundational legal document that establishes Microsoft as a business associate under HIPAA. Without a BAA, your organization cannot legally store, process, or transmit PHI through any Microsoft 365 service, regardless of how well configured your environment is.
BAA Execution Process
- Access the BAA: Navigate to Microsoft 365 Admin Center, then Compliance, then select "HIPAA/HITECH" under regulatory compliance. Accept the Microsoft Online Services Data Protection Addendum
- Covered services: The BAA covers Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Microsoft 365 Apps (Word, Excel, PowerPoint), Power BI, Azure Active Directory (Entra ID), and Microsoft Intune
- Excluded services: Consumer-grade features (Sway consumer, Yammer consumer features), third-party marketplace apps, and preview/beta features are NOT covered. Document these exclusions and block their use for PHI
- Documentation: Save a copy of the executed BAA, document the date of execution, and maintain records for the life of the agreement plus 6 years
Step 2: Configure Sensitivity Labels for PHI Classification
Sensitivity labels are the cornerstone of HIPAA-compliant data protection in Microsoft 365. They apply persistent classification and protection to documents and emails, ensuring PHI is identified, protected, and tracked throughout its lifecycle. EPC Group implements a healthcare-specific label taxonomy through our data governance consulting practice.
Recommended Healthcare Label Taxonomy
- Public: Content approved for public distribution (patient education materials, public health information). No encryption or restrictions
- Internal - General: Business content for all employees without PHI. Standard organizational access controls
- Confidential - Business: Sensitive business data (financial reports, HR documents, strategic plans). Restricted sharing, no external access
- Confidential - PHI: Documents containing Protected Health Information. Encryption required, DLP enforced, external sharing blocked, watermarking applied, access logged. This is the primary label for clinical documents, patient records, and care coordination materials
- Highly Confidential - PHI Restricted: Most sensitive PHI (psychiatric notes, substance abuse records, HIV/AIDS status, genetic information). Enhanced encryption, restricted to named individuals only, no forwarding/copying/printing, comprehensive audit trail. Aligns with 42 CFR Part 2 protections
Auto-Labeling Configuration
Manual labeling relies on user compliance, which is inherently unreliable. Microsoft Purview auto-labeling automatically applies sensitivity labels to documents and emails based on content patterns. For healthcare organizations, configure auto-labeling to detect:
- Medical Record Numbers (MRN): Custom regex patterns matching your organization's MRN format
- ICD-10/CPT codes: Diagnosis and procedure codes indicating clinical content
- Patient identifiers: Combinations of name + DOB + SSN patterns
- Drug/prescription data: Patterns indicating medication information with patient identifiers
- Clinical terminology: Custom keyword dictionaries with medical terms commonly found in PHI documents
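The following PowerShell is an added example, not configuration from the article or from EPC Group: it creates a custom sensitive information type for an assumed MRN format ("MRN" plus 8 digits, a placeholder) and an auto-labeling policy that applies the "Confidential - PHI" label when that MRN type or the built-in SSN type is found. It assumes Security & Compliance PowerShell (ExchangeOnlineManagement module) and that the "Confidential - PHI" label from the taxonomy above is already published.

```powershell
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

# Placeholder MRN format: "MRN", optional hyphen, then 8 digits. Replace with the real format.
$mrnRegex    = 'MRN-?\d{8}'
$entityId    = [guid]::NewGuid()    # the SIT's own id, referenced again in LocalizedStrings
$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()

# Rule package XML in the schema New-DlpSensitiveInformationTypeRulePackage expects. The
# IdMatch is the MRN pattern; a supporting keyword within 300 characters is also required,
# which keeps bare 8-digit numbers (invoice numbers, phone fragments) from matching.
$rulePack = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso Health (placeholder)</PublisherName>
        <Name>Contoso MRN Rule Pack</Name>
        <Description>Detects Contoso medical record numbers</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_ContosoMRN"/>
        <Match idRef="Keyword_ContosoMRN"/>
      </Pattern>
    </Entity>
    <Regex id="Regex_ContosoMRN">$mrnRegex</Regex>
    <Keyword id="Keyword_ContosoMRN">
      <Group matchStyle="word">
        <Term>MRN</Term>
        <Term>medical record number</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso MRN</Name>
        <Description default="true" langcode="en-us">Contoso medical record number</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@
New-DlpSensitiveInformationTypeRulePackage -FileData ([Text.Encoding]::UTF8.GetBytes($rulePack))

# Auto-labeling policy in simulation mode: review match counts before labels
# (and the encryption the label carries) are applied to live content.
New-AutoSensitivityLabelPolicy -Name "Auto-label PHI" `
    -ApplySensitivityLabel "Confidential - PHI" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications

# Any one of the listed SITs triggers the label (an OR across the array).
New-AutoSensitivityLabelRule -Policy "Auto-label PHI" -Name "PHI identifiers" `
    -Workload Exchange, SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Contoso MRN";                       minCount = "1" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
    )
```

Switch the policy to -Mode Enable only after the simulation results show an acceptable false-positive rate; ICD-10 and other built-in SITs can be appended to the same array.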
Step 3: Implement Data Loss Prevention (DLP) Policies
DLP policies are your automated enforcement mechanism for preventing PHI leakage. They scan content across Exchange Online, SharePoint Online, OneDrive, Teams, and Power BI, detecting sensitive data patterns and applying protective actions (block, notify, encrypt, or log).
Healthcare DLP Policy Configuration
- Policy 1 - External PHI Sharing Prevention: Block sharing of content containing PHI patterns (SSN, MRN, diagnosis codes) with external recipients across email, SharePoint, OneDrive, and Teams. Override allowed with business justification and manager approval
- Policy 2 - Unencrypted PHI Email: Detect PHI in email body and attachments. Auto-encrypt with Microsoft Purview Message Encryption. Notify sender of encryption application
- Policy 3 - PHI in Teams Chat: Scan Teams messages for PHI patterns. Block messages containing PHI sent to channels without the "Confidential - PHI" label. Log all detections for compliance review
- Policy 4 - Bulk PHI Transfer: Detect large-volume PHI transfers (10+ patient records) via email attachments or SharePoint uploads. Block and require IT security review before proceeding
- Policy 5 - PHI in Power BI: Detect PHI patterns in Power BI datasets and reports. Require sensitivity label application. Block export of unlabeled PHI data. Configure through our Power BI consulting team
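Policies 1, 2 and 4 above expressed in Security & Compliance PowerShell, as an added example rather than the article's or EPC Group's own scripts. It assumes the ExchangeOnlineManagement module, a custom SIT named "Contoso MRN" (placeholder) for your MRN format, and a placeholder security mailbox for incident reports.

```powershell
Connect-IPPSSession

# Patterns shared by the rules: one built-in SIT and one custom SIT (assumed name).
$phiPatterns = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "Contoso MRN";                       minCount = "1" }
)

# Policy 1 - external PHI sharing prevention. Starts in test mode so policy tips
# and incident reports can be reviewed before the block is enforced.
New-DlpCompliancePolicy -Name "PHI - External Sharing Prevention" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# The override records the user's business justification in the incident report;
# manager approval is a process step on top of that record, not a DLP setting.
New-DlpComplianceRule -Policy "PHI - External Sharing Prevention" -Name "Block PHI to external recipients" `
    -ContentContainsSensitiveInformation $phiPatterns `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, Detections, Severity, Service

# Policy 2 - unencrypted PHI email. Instead of blocking, apply the Purview
# Message Encryption "Encrypt" template and tell the sender what happened.
New-DlpCompliancePolicy -Name "PHI - Encrypt Outbound Email" -ExchangeLocation All -Mode Enable

New-DlpComplianceRule -Policy "PHI - Encrypt Outbound Email" -Name "Encrypt PHI email" `
    -ContentContainsSensitiveInformation $phiPatterns `
    -AccessScope NotInOrganization `
    -EncryptRMSTemplate "Encrypt" `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains PHI and will be sent encrypted."

# Policy 4 - bulk PHI transfer. Ten or more MRNs in one item is blocked with no
# user override and reported to the security mailbox (placeholder) for review.
New-DlpCompliancePolicy -Name "PHI - Bulk Transfer" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Mode Enable

New-DlpComplianceRule -Policy "PHI - Bulk Transfer" -Name "Block 10+ patient records" `
    -ContentContainsSensitiveInformation @( @{ Name = "Contoso MRN"; minCount = "10" } ) `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -GenerateIncidentReport "security-review@contoso.example" `
    -IncidentReportContent Title, DocumentAuthor, Detections, Severity, Service
```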
Step 4: Configure Retention Policies
HIPAA requires covered entities to retain medical records and PHI for a minimum of 6 years from the date of creation or last effective date, whichever is later. State laws may require longer retention periods (some states mandate 10+ years). Microsoft Purview retention policies automate this requirement across all Microsoft 365 services.
Retention Policy Configuration
- PHI Content: Retain for 7 years minimum (6 years HIPAA + 1 year buffer). Apply to content with "Confidential - PHI" and "Highly Confidential - PHI Restricted" sensitivity labels
- Email Communications: Retain all email for 7 years. Apply retention labels to Exchange Online for all mailboxes handling PHI
- Teams Messages: Retain Teams channel and chat messages for 7 years. Configure retention for Teams private channels and shared channels separately
- SharePoint/OneDrive: Retain all documents in clinical SharePoint sites for 7 years. Configure document deletion prevention during retention period
- Audit Logs: Retain unified audit logs for 10 years (available with E5 licensing). Critical for breach investigation and compliance verification
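The retention settings above as an added PowerShell example (not from the article or EPC Group). It assumes Security & Compliance PowerShell and, for the 10-year audit retention, the licensing the article describes; it applies retention location-wide rather than only to labeled content, which is the simpler of the two approaches.

```powershell
Connect-IPPSSession

$sevenYearsInDays = 7 * 365   # the retention cmdlets take a duration in days

# Exchange, SharePoint, OneDrive and Microsoft 365 Group content: keep 7 years from last
# modification. The "Keep" action never deletes, so nothing expires automatically.
New-RetentionCompliancePolicy -Name "PHI - 7 Year Retention" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All

New-RetentionComplianceRule -Policy "PHI - 7 Year Retention" -Name "Keep 7 years" `
    -RetentionDuration $sevenYearsInDays `
    -RetentionComplianceAction Keep `
    -ExpirationDateOption ModificationAgeInDays

# Teams chat and channel messages cannot share a policy with the locations above,
# so they get a separate policy with the same duration.
New-RetentionCompliancePolicy -Name "PHI - Teams 7 Year Retention" `
    -TeamsChannelLocation All -TeamsChatLocation All

New-RetentionComplianceRule -Policy "PHI - Teams 7 Year Retention" -Name "Keep Teams 7 years" `
    -RetentionDuration $sevenYearsInDays -RetentionComplianceAction Keep

# Unified audit log: 10-year retention for the record types that matter most in a
# PHI breach investigation (file, sharing, mailbox, Teams, sign-in and DLP events).
New-UnifiedAuditLogRetentionPolicy -Name "PHI - 10 Year Audit Retention" `
    -Priority 1 `
    -RetentionDuration TenYears `
    -RecordTypes SharePointFileOperation, SharePointSharingOperation, ExchangeItem, `
                 MicrosoftTeams, AzureActiveDirectoryStsLogon, `
                 ComplianceDLPSharePoint, ComplianceDLPExchange

# Confirm what was created before closing the change ticket.
Get-RetentionCompliancePolicy | Select-Object Name, Enabled
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, Priority, RetentionDuration
```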
Step 5: Email Encryption and Secure Communication
HIPAA requires encryption for PHI transmitted electronically. Microsoft 365 provides multiple encryption options, and the right choice depends on your communication patterns and recipient capabilities.
- Microsoft Purview Message Encryption (OME): Encrypts email messages and attachments. Recipients outside your organization access encrypted messages through a web portal or one-time passcode. Best for ad-hoc secure communication with external parties
- S/MIME: Certificate-based encryption for point-to-point secure communication. Best for regular secure communication between specific partners (labs, referral providers)
- TLS enforcement: Configure connectors requiring TLS 1.2 for email transmission to partner organizations. Reject connections that cannot negotiate TLS 1.2 or higher
- Sensitivity label encryption: Documents labeled "Confidential - PHI" are automatically encrypted with Azure Rights Management. Encryption persists regardless of where the document is stored or shared
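The TLS enforcement bullet as an added Exchange Online PowerShell example (not the article's own configuration). "lab.example.com" is a placeholder partner domain; the block creates a paired partner connector and then checks for any partner connector that still permits cleartext fallback.

```powershell
Connect-ExchangeOnline

$partnerDomain = "lab.example.com"   # placeholder: a lab or referral partner

# Outbound: mail to the partner may only leave over TLS to a server presenting a
# valid certificate. If TLS cannot be negotiated the message queues rather than
# falling back to cleartext delivery.
New-OutboundConnector -Name "Partner - $partnerDomain (TLS required)" `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation `
    -Enabled $true

# Inbound: mail from the partner domain is accepted only over TLS from a server whose
# certificate matches the partner's name; anything else claiming that domain is rejected.
New-InboundConnector -Name "Partner - $partnerDomain (TLS required)" `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName "*.$partnerDomain" `
    -RestrictDomainsToCertificate $true `
    -Enabled $true

# Drift check: partner connectors with no TLS setting still allow opportunistic TLS,
# meaning delivery silently falls back to cleartext when the far side lacks TLS.
Get-OutboundConnector |
    Where-Object { $_.ConnectorType -eq "Partner" -and -not $_.TlsSettings } |
    Select-Object Name, RecipientDomains, TlsSettings
Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq "Partner" -and -not $_.RequireTls } |
    Select-Object Name, SenderDomains, RequireTls
```

Exchange Online has retired TLS 1.0 and 1.1 for SMTP, so requiring TLS on the connector yields TLS 1.2 or later; the connector setting decides whether delivery fails closed when TLS cannot be negotiated.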
Step 6: Access Controls and Conditional Access
HIPAA's minimum necessary standard requires that access to PHI be limited to the minimum necessary for the intended purpose. Microsoft Entra ID Conditional Access policies enforce this requirement at the access layer.
Required Conditional Access Policies
- MFA for all users: Require multi-factor authentication for all Microsoft 365 access. No exceptions for executives, IT admins, or clinical users
- Managed device requirement: Require Microsoft Intune-enrolled, compliant devices for accessing PHI-containing SharePoint sites and Teams channels
- Location-based access: Block access from non-approved geographic locations. Allow access only from organization facilities and approved remote work locations
- Session controls: Implement session timeout for PHI applications (15-minute idle timeout for clinical applications, 30-minute for administrative). Enforce re-authentication after timeout
- App protection policies: On mobile devices, require Intune App Protection Policies preventing copy/paste of PHI to unmanaged applications, requiring PIN/biometric for app access, and enabling remote wipe capability
- Risk-based access: Block or require additional verification for sign-ins flagged as risky by Microsoft Entra ID Protection (unfamiliar locations, impossible travel, compromised credentials)
Our Microsoft 365 consulting team implements these Conditional Access policies as part of a comprehensive HIPAA compliance engagement, balancing security with clinical workflow usability.
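The MFA, managed-device, location and session-timeout policies above as an added Microsoft Graph PowerShell example (not EPC Group's or the article's own). The group ID, emergency-access account and admin URL are placeholders; it assumes the Microsoft.Graph and SharePoint Online Management Shell modules.

```powershell
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$phiUsersGroupId  = "00000000-0000-0000-0000-000000000000"   # placeholder: group of PHI users
$emergencyAccount = "11111111-1111-1111-1111-111111111111"   # placeholder: break-glass account

# Microsoft's guidance is to exclude one emergency-access account from policies that can
# lock out the whole tenant; that account must itself be locked down and monitored.
# Every policy starts in report-only so sign-in logs show impact before enforcement.
$reportOnly = "enabledForReportingButNotEnforced"

# 1. MFA for every user and every cloud app.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "HIPAA - Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($emergencyAccount) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2. PHI users reach Microsoft 365 only from an Intune-compliant device AND with MFA.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "HIPAA - Compliant device for PHI users"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeGroups = @($phiUsersGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}

# 3. Block sign-ins from anywhere that is not a trusted named location
#    (facilities and approved remote sites are defined as trusted named locations).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "HIPAA - Block access from untrusted locations"
    state         = $reportOnly
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($emergencyAccount) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 4. Idle timeout. Conditional Access sign-in frequency is measured in hours or days,
#    so the 15-minute clinical timeout for SharePoint/OneDrive in the browser is set
#    with the idle session sign-out setting instead.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 13) `
    -SignOutAfter (New-TimeSpan -Minutes 15)
```

Review the report-only results in the Entra sign-in logs, then set state to "enabled" one policy at a time.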
Step 7: Audit Logging and Monitoring
HIPAA requires audit controls that record and examine activity in information systems containing PHI. Microsoft 365's unified audit log provides comprehensive activity tracking, but it must be properly configured and monitored.
- Enable unified audit log: Verify audit logging is enabled in the Microsoft Purview compliance portal. Log retention: 10 years with E5 (vs 90 days default)
- Configure alert policies: Create alerts for: large volume file downloads from PHI sites, external sharing of PHI-labeled content, privilege escalation events, failed login attempts exceeding threshold, DLP policy violations
- Insider Risk Management: Enable Microsoft Purview Insider Risk Management to detect anomalous behavior patterns indicating potential PHI misuse (departing employee data access, unusual download patterns, access outside normal hours)
- Communication Compliance: Monitor Teams and email for inappropriate PHI disclosure, patient discussions in non-clinical channels, and compliance policy violations
- Regular audit review: Conduct weekly reviews of security alerts, monthly reviews of access patterns, and quarterly comprehensive compliance audits
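The "large volume file downloads from PHI sites" alert above can be complemented by a review script run against the unified audit log. The following is an added example (not from the article or EPC Group); the PHI site prefix and the 50-download threshold are placeholders to tune per tenant, and it assumes the ExchangeOnlineManagement module with an audit-log reader role.

```powershell
Connect-ExchangeOnline

$phiSitePrefixes = @("https://contoso.sharepoint.com/sites/Clinical-")   # placeholder PHI sites
$threshold = 50                                                           # downloads per user per window
$end   = Get-Date
$start = $end.AddHours(-24)

# Page through the audit log with a session; ReturnLargeSet yields up to 5000 records
# per call and an empty result once the session is exhausted.
$sessionId = "phi-download-review-" + [guid]::NewGuid().ToString()
$records = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileDownloaded, FileSyncDownloadedFull `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) { $records += $batch }
} while ($batch -and $batch.Count -eq 5000)

# AuditData is a JSON string; keep only events whose site matches a PHI prefix.
$phiEvents = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    if ($phiSitePrefixes | Where-Object { $d.SiteUrl -like "$_*" }) { $d }
}

# Users over the threshold, with the distinct sites and client IPs involved,
# which is the minimum an analyst needs to open a review.
$phiEvents |
    Group-Object UserId |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = "User";      e = { $_.Name } },
                  @{ n = "Downloads"; e = { $_.Count } },
                  @{ n = "Sites";     e = { ($_.Group.SiteUrl  | Sort-Object -Unique) -join "; " } },
                  @{ n = "ClientIPs"; e = { ($_.Group.ClientIP | Sort-Object -Unique) -join "; " } }
```

Swapping the -Operations list for sharing events (for example SharingInvitationCreated or AnonymousLinkCreated) turns the same script into the external-sharing review.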
Step 8: Microsoft Copilot Governance for Healthcare
Microsoft Copilot introduces powerful AI capabilities to healthcare environments, but without proper governance, it can amplify PHI exposure risks. As healthcare organizations adopt Copilot, the following safeguards are essential. For comprehensive Copilot deployment guidance, see our Copilot Enterprise Implementation Guide.
- Pre-deployment permissions audit: Audit ALL SharePoint sites containing PHI before enabling Copilot. Remediate oversharing to prevent Copilot from surfacing PHI to unauthorized users
- Sensitivity label enforcement: Ensure all PHI documents have appropriate sensitivity labels before Copilot enablement. Copilot respects label-based restrictions
- Information Barriers: Deploy Information Barriers between clinical departments (e.g., behavioral health, substance abuse) and administrative departments to prevent Copilot from cross-referencing sensitive PHI
- DLP for Copilot: Configure DLP policies that scan Copilot-generated content for PHI patterns and block sharing outside authorized groups
- Acceptable use policy: Document healthcare-specific Copilot usage guidelines prohibiting: using Copilot to process or summarize patient records outside clinical workflows, sharing Copilot-generated PHI summaries via external channels, using Copilot with unmanaged or personal devices
- Audit and monitoring: Monitor Copilot usage patterns through Microsoft Purview. Alert on Copilot interactions involving PHI-labeled content shared outside care teams
Step 9: SharePoint and OneDrive PHI Configuration
SharePoint and OneDrive are primary storage locations for clinical documents, care coordination files, and administrative PHI. Proper configuration is critical for maintaining the minimum necessary access standard required by HIPAA.
- Dedicated PHI sites: Create dedicated SharePoint sites for PHI content with restricted membership, mandatory sensitivity labels, and enhanced audit logging. Separate clinical sites from general business sites
- External sharing: Disable external sharing on all SharePoint sites containing PHI. If external collaboration is required (referral providers, labs), use SharePoint sites with guest access restricted to specific, approved individuals
- OneDrive restrictions: Block sync of PHI-labeled content to unmanaged devices. Configure app enforcement policies preventing OneDrive data access from non-compliant devices
- Version history: Enable mandatory version history on all PHI libraries with 500+ version retention. This provides an audit trail for document changes and supports breach investigation
- Azure Private Link: For high-security environments, configure Azure Private Link for SharePoint Online, ensuring PHI traffic traverses private networks rather than the public internet
Our SharePoint consulting team specializes in HIPAA-compliant SharePoint architectures that balance security with clinical usability.
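The dedicated-site, external-sharing and OneDrive-sync bullets above as an added SharePoint Online Management Shell example (not EPC Group's or the article's own). The site naming convention, label GUID and domain GUID are placeholders; it assumes PHI sites follow a recognisable URL pattern.

```powershell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

$phiSitePattern = "https://contoso.sharepoint.com/sites/Clinical-*"   # placeholder naming convention
$phiLabelId     = "00000000-0000-0000-0000-000000000000"               # GUID of "Confidential - PHI" (from Get-Label)
$corpDomainGuid = "11111111-1111-1111-1111-111111111111"               # AD domain GUID of managed devices

# Lock down every PHI site: no external sharing, browser-only access from unmanaged
# devices, and the PHI container label so the site carries the classification itself.
$phiSites = Get-SPOSite -Limit All | Where-Object { $_.Url -like $phiSitePattern }
foreach ($site in $phiSites) {
    Set-SPOSite -Identity $site.Url `
        -SharingCapability Disabled `
        -ConditionalAccessPolicy AllowLimitedAccess `
        -SensitivityLabel $phiLabelId
}

# Tenant-wide: the OneDrive sync client may only sync from devices joined to the
# listed domain, which is what blocks sync of PHI to unmanaged machines.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $corpDomainGuid

# Drift check (run on a schedule): any site matching the PHI convention that still
# allows external sharing or full unmanaged-device access is a finding.
Get-SPOSite -Limit All -Detailed |
    Where-Object { $_.Url -like $phiSitePattern -and
                   ($_.SharingCapability -ne "Disabled" -or
                    $_.ConditionalAccessPolicy -ne "AllowLimitedAccess") } |
    Select-Object Url, SharingCapability, ConditionalAccessPolicy, SensitivityLabel
```

Version limits (the 500-version retention above) are set per document library in the library's versioning settings rather than at the site level.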
HIPAA Compliance Checklist for Microsoft 365
Use this checklist to validate your Microsoft 365 HIPAA compliance posture. Each item represents a configuration that EPC Group verifies in our compliance assessments:
- BAA executed with Microsoft and documented
- Microsoft 365 E5 licensing (or equivalent add-ons) for all PHI users
- Sensitivity labels defined and published for PHI classification
- Auto-labeling policies active for PHI content patterns
- DLP policies enforced across Exchange, SharePoint, OneDrive, and Teams
- Retention policies set for 7+ years on PHI content
- Email encryption (OME) enforced for external PHI communications
- TLS 1.2 required for all email transport
- MFA enabled for all users without exceptions
- Conditional Access policies enforcing managed device and location requirements
- Intune device compliance policies active
- App Protection Policies deployed for mobile devices
- Unified audit log enabled with 10-year retention
- Alert policies configured for security events
- Insider Risk Management policies active
- SharePoint external sharing disabled on PHI sites
- Information Barriers deployed for restricted PHI departments
- Copilot governance framework documented and enforced
- Regular access reviews scheduled (quarterly minimum)
- Incident response plan documented and tested annually
Conclusion: HIPAA Compliance Is a Continuous Process
HIPAA compliance in Microsoft 365 is not a one-time configuration exercise. It requires continuous monitoring, regular access reviews, policy updates as Microsoft releases new features, and ongoing training for staff handling PHI. The threat landscape evolves, HIPAA enforcement intensifies, and new technologies like Copilot introduce new compliance dimensions that must be addressed proactively.
EPC Group has maintained a 100% HIPAA audit pass rate across 30+ healthcare organizations because we treat compliance as an ongoing program, not a project. Our AI governance consulting ensures that emerging technologies like Copilot are deployed within your compliance framework from day one.
With 29 years of Microsoft consulting experience, 4 Microsoft Press bestselling books, and deep expertise in healthcare IT compliance, EPC Group provides the most comprehensive HIPAA-compliant Microsoft 365 configuration available. We deliver fixed-price implementations with ongoing compliance monitoring, 24/7 support with 4-hour SLA for security incidents, and annual compliance re-certification to keep your environment audit-ready at all times. Schedule a complimentary HIPAA readiness assessment to identify compliance gaps in your current Microsoft 365 environment.
Frequently Asked Questions
Is Microsoft 365 HIPAA compliant out of the box?
No. Microsoft 365 is HIPAA-capable but not HIPAA-compliant out of the box. Microsoft provides the infrastructure and tools needed for HIPAA compliance, but the covered entity (your organization) is responsible for properly configuring sensitivity labels, DLP policies, retention policies, encryption, access controls, and audit logging. You must also execute a Business Associate Agreement (BAA) with Microsoft. Without proper configuration, Microsoft 365 can easily expose PHI through email, Teams, SharePoint, and OneDrive sharing. EPC Group has configured Microsoft 365 for HIPAA compliance for 30+ healthcare organizations with 100% audit pass rates.
Does Microsoft provide a BAA for Microsoft 365?
Yes, Microsoft provides a Business Associate Agreement (BAA) as part of the Microsoft Online Services Terms for eligible Microsoft 365 plans. The BAA covers Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Microsoft 365 Apps, Power BI, Azure Active Directory, Microsoft Intune, and several other services. Important: The BAA only covers Microsoft 365 services listed in the agreement. Third-party apps, marketplace add-ins, and some consumer-grade features are NOT covered. EPC Group reviews the BAA scope with every healthcare client to ensure all services handling PHI are covered, and we document excluded services that must not be used for PHI.
What Microsoft 365 license is needed for HIPAA compliance?
Microsoft 365 E5 is strongly recommended for healthcare organizations requiring HIPAA compliance. E5 includes: Microsoft Purview Information Protection (sensitivity labels and auto-labeling), Data Loss Prevention (DLP), eDiscovery Premium, Communication Compliance, Insider Risk Management, Microsoft Defender for Endpoint, and advanced audit capabilities with 10-year log retention. While HIPAA compliance is technically possible with E3, you would need to purchase multiple add-on licenses (Purview Compliance Manager, Defender, etc.) that often exceed the cost difference. EPC Group recommends E5 for healthcare organizations with 100+ users to maximize security and minimize compliance risk.
How do you configure Microsoft Teams for HIPAA compliance?
HIPAA-compliant Teams configuration requires multiple controls: (1) Enable sensitivity labels for Teams channels handling PHI, restricting external access and guest membership, (2) Configure DLP policies scanning Teams messages and files for PHI patterns (MRN, SSN, diagnosis codes), (3) Implement retention policies retaining Teams messages for a minimum of 6 years per HIPAA requirements, (4) Disable anonymous meeting join for clinical meetings, (5) Configure meeting recording storage in compliant SharePoint locations with appropriate access controls, (6) Implement Information Barriers preventing PHI sharing between clinical and non-clinical departments, (7) Enable audit logging for all Teams activities, (8) Configure Conditional Access requiring managed, compliant devices for Teams access. EPC Group deploys these controls as part of our HIPAA compliance package.
Can we use Microsoft Copilot in a HIPAA-compliant environment?
Yes, but with significant governance requirements. Microsoft Copilot for Microsoft 365 is covered under the Microsoft BAA and processes data within the Microsoft 365 compliance boundary. However, Copilot amplifies existing permission issues: if a user has overshared access to PHI in SharePoint, Copilot can surface that PHI in responses. Healthcare organizations deploying Copilot must: (1) Complete a comprehensive SharePoint permissions audit before Copilot enablement, (2) Apply sensitivity labels to all PHI-containing documents, (3) Configure DLP policies that prevent Copilot from including PHI patterns in generated content shared outside care teams, (4) Implement Information Barriers between clinical and non-clinical departments, (5) Train users on HIPAA-compliant Copilot usage including prohibited prompts. EPC Group has deployed Copilot in 10+ HIPAA-regulated environments with zero PHI exposure incidents.
What happens if our Microsoft 365 environment fails a HIPAA audit?
HIPAA audit failures carry severe consequences: civil monetary penalties range from $100 to $50,000 per violation (up to $1.5 million per year per violation category), criminal penalties can include up to $250,000 in fines and 10 years imprisonment for willful violations, and data breach notification requirements create reputational damage and patient trust erosion. Common audit failures in Microsoft 365 environments include: missing BAA execution, overshared SharePoint permissions exposing PHI, missing DLP policies, inadequate audit logging, insufficient retention policies, and lack of encryption for PHI in transit. EPC Group provides pre-audit readiness assessments that identify and remediate all compliance gaps before auditors arrive, maintaining our 100% audit pass rate across 30+ healthcare organizations.
About Errin O'Connor
Founder & Chief AI Architect, EPC Group
Errin O'Connor is the founder and Chief AI Architect of EPC Group with 29 years of Microsoft consulting expertise. Specializing in healthcare IT compliance, Errin has configured HIPAA-compliant Microsoft 365 environments for 30+ healthcare organizations including hospital systems, health insurers, and pharmaceutical companies, maintaining a 100% HIPAA audit pass rate.