The Woodard Report

HIPAA, the HITECH Act and SharePoint

Written by Cathy Roth | Jun 22, 2021 3:13:08 PM

For some of us, HIPAA is just a form we sign when we go to the doctors. For those accountants and bookkeepers who work with covered entities, a much more thorough understanding of HIPAA (and the HITECH Act) is necessary, particularly when using, storing or accessing documents that may contain protected information.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. As a result of HIPAA, the US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule.. The HIPAA Privacy Rule is designed to balance both the need to protect the privacy of individual health information while permitting important uses of that information. The scope of HIPAA was extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.

Definitions of Terms

Covered Entities are those types of individuals or organizations that are subject to the privacy rules, including healthcare providers, health plans, health care clearinghouses and business associates. 

Business Associates are the people or organization (not a member of the covered entities workforce) using or disclosing individually identifiable health information in performing activities or services for the covered entity, such as claims processing, data analysis, utilization review and billing. 

Permitted Uses and Disclosures are those purposes and situations when a covered entity is permitted to use and disclose protected health information. See HHS.gov for more information.

The HIPAA Security Rule protects a subset of information under the Privacy Rule - electronic protected health information or e-PHI. To comply with this rule, all covered entities must do the following:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information
  • Detect and safeguard against anticipated threats to the security of the information
  • Protect against anticipated impermissible uses or disclosures
  • Certify compliance by their workforce

Is SharePoint compliant with the requirements of HIPAA and HITECH?

The short answer is yes. However, using SharePoint does not on its own achieve HIPAA compliance for you or your clients. Covered entities and business associates are responsible for ensuring their own compliance and internal processes and that their particular use of Microsoft services aligns with HIPAA and HITECH Act obligations.

Details about SharePoint and HIPAA and HITECH

As a cloud service provider, Microsoft is considered a business associate when a covered entity engages Microsoft's services as a cloud service provider. In addition, when a covered entity has a business associate that subcontracts with Microsoft to create, receive, maintain, or transmit PHI, Microsoft again becomes a business associate of the covered entity.

So, if a covered entity client or one of its business associates (i.e., your accounting or bookkeeping practice) is using SharePoint for document management, then Microsoft is considered a business associate of the covered entity and Microsoft must be HIPAA and HITECH compliant. 

HIPAA regulations require covered entities enter a Business Associate Agreement (BAA) with business associates to ensure adequate protection of individually identifiable health information. Microsoft adheres to the Security Rule requirements in its capacity as a business associate and a BAA is available (here) by default to all customers who are covered entities or business associates under HIPAA . Note: Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification and the HITRUST CSF certification.