HIPAA Framework
Assess and maintain HIPAA compliance for Microsoft 365 tenants handling protected health information (PHI). OpsPilot365 Trust Center maps M365 security configurations to HIPAA Security Rule requirements, tracks Business Associate Agreement (BAA) coverage, and monitors PHI protection controls.
Note: HIPAA compliance monitoring is part of the Trust Center add-on. It covers Administrative, Physical, and Technical safeguards from the HIPAA Security Rule, with automated assessments tailored for MSPs managing healthcare client tenants in Microsoft 365.
HIPAA Security Rule Overview
The HIPAA Security Rule (45 CFR Part 164, Subpart C) establishes national standards for protecting electronic protected health information (ePHI). It requires covered entities and business associates to implement safeguards across three categories: Administrative Safeguards (24), Physical Safeguards (10), and Technical Safeguards (16). Each safeguard is a standard with implementation specifications marked either required or addressable; an addressable specification is not optional, it must be implemented, replaced with a documented equivalent, or its omission justified in writing on the basis of the risk analysis.
Administrative Safeguards
| HIPAA Reference | Requirement | M365 Implementation | Status |
|---|---|---|---|
| 164.308(a)(1) | Security Management Process | Secure Score, risk assessments, compliance policies | Auto |
| 164.308(a)(3) | Workforce Security | User provisioning/deprovisioning, access reviews, role assignments | Auto |
| 164.308(a)(4) | Information Access Management | RBAC, SharePoint permissions, sensitivity labels | Auto |
| 164.308(a)(5) | Security Awareness and Training | Attack simulation training, compliance training assignments | Partial |
| 164.308(a)(6) | Security Incident Procedures | Alert policies, Defender incidents, automated investigation | Auto |
| 164.308(a)(7) | Contingency Plan | Backup configurations, recovery procedures, data retention | Partial |
Physical Safeguards
Facility Access Controls (164.310(a)(1)) for the Microsoft datacenters that host the service are Microsoft's responsibility under the shared-responsibility model and are evidenced by Microsoft's own audit reports rather than by tenant configuration; the controls below are the tenant-side workstation and device safeguards.
| HIPAA Reference | Requirement | M365 Implementation | Status |
|---|---|---|---|
| 164.310(b) | Workstation Use | Intune compliance policies, device configuration profiles | Auto |
| 164.310(c) | Workstation Security | BitLocker encryption, screen lock policies, Defender for Endpoint | Auto |
| 164.310(d)(1) | Device and Media Controls | Remote wipe, selective wipe, device retirement policies | Auto |
Technical Safeguards
| HIPAA Reference | Requirement | M365 Implementation | Status |
|---|---|---|---|
| 164.312(a)(1) | Access Control | Unique user IDs, Conditional Access, emergency access accounts | Auto |
| 164.312(b) | Audit Controls | Unified Audit Log, mailbox auditing, sign-in logs | Auto |
| 164.312(c)(1) | Integrity Controls | DLP policies, versioning, change tracking, retention locks | Auto |
| 164.312(d) | Person or Entity Authentication | MFA enforcement, passwordless authentication, identity verification | Auto |
| 164.312(e)(1) | Transmission Security | TLS enforcement, message encryption, S/MIME, transport rules | Auto |
Business Associate Agreement (BAA) Tracking
Note: Microsoft's HIPAA BAA is included in the Microsoft Product Terms (formerly the Online Services Terms) for in-scope services, so no separate signature is required, but only the services Microsoft lists as in scope are covered. OpsPilot365 validates which M365 services in use fall under the Microsoft BAA and flags any that may fall outside its coverage for additional review.
| Service | BAA Status | ePHI Handling |
|---|---|---|
| Exchange Online | Covered | Email communications containing PHI |
| SharePoint Online | Covered | Document storage and collaboration with PHI |
| Microsoft Teams | Covered | Chat, meetings, and file sharing with PHI |
| OneDrive for Business | Covered | Personal file storage containing PHI |
| Microsoft Intune | Covered | Device management for ePHI-accessing devices |
| Third-party M365 Apps | Review Required | Separate BAA may be needed per vendor |
PHI Protection in Microsoft 365
- Data Loss Prevention — HIPAA-specific DLP policy templates enabled, PHI sensitive information types configured, policy tips for end-user awareness, incident reports for DLP policy matches.
- Encryption — Message encryption for PHI-containing emails, TLS enforcement on all mail flow connectors, BitLocker on managed endpoints via Intune, sensitivity labels with encryption for PHI documents.
- Access Controls — MFA enforced for all users accessing PHI, Conditional Access restricting PHI access to compliant devices, and idle session timeout together with Conditional Access sign-in frequency to satisfy the automatic logoff specification (164.312(a)(2)(iii)).
- Audit and Monitoring — Unified Audit Log enabled with extended retention, mailbox auditing for PHI-containing mailboxes, alert policies for unusual PHI access patterns, eDiscovery hold for breach investigation readiness.
Evidence Requirements
| Evidence Category | Artifacts Collected | HIPAA Reference |
|---|---|---|
| Access Management | MFA status reports, CA policy exports, PIM assignments | 164.312(a), 164.312(d) |
| Audit Logging | Audit log configuration, retention settings, sample logs | 164.312(b) |
| Encryption | TLS settings, message encryption rules, BitLocker status | 164.312(a)(2)(iv), 164.312(e) |
| Data Protection | DLP policies, sensitivity labels, retention policies | 164.312(c), 164.530(j) |
| Device Management | Intune compliance reports, device encryption status | 164.310(b), 164.310(c) |
Note: For healthcare clients, confirm before enabling any M365 service for PHI that the client's subscription is covered by the Microsoft Product Terms BAA and that the specific service is in scope of it. Use OpsPilot365 HIPAA DLP policy templates as a starting point and customize the PHI sensitive information types to match the data your client actually handles. Size audit log retention from the client's risk analysis and incident-response needs rather than from a fixed figure: the Security Rule's six-year retention requirement (164.316(b)(2)) applies to policies, procedures and other required documentation, not directly to audit logs, but the 180-day default retention of Audit (Standard) is too short for breach investigations; Audit (Premium) extends it to one year and the 10-Year Audit Log Retention add-on license extends it to ten years for tenants handling ePHI.
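The controls in the PHI Protection list, the Evidence Requirements table and the retention note above can be read straight out of a tenant. The script below is an added example written for this page, not OpsPilot365 code or part of its evidence export: a read-only PowerShell evidence collector built on the ExchangeOnlineManagement and Microsoft.Graph modules. The output path, the finding schema, the Add-Finding helper and the keyword heuristic it uses to spot health-related sensitive information types in DLP rules are assumptions of this example, not product features.

```powershell
# Added example (not OpsPilot365 code): read-only collector for HIPAA technical
# safeguard evidence in a Microsoft 365 tenant. Requires the ExchangeOnlineManagement
# and Microsoft.Graph modules and an account that can read Exchange Online,
# Security & Compliance and Conditional Access settings. The output path, finding
# schema and the health-related keyword heuristic are assumptions of this example.
param(
    [string]$OutputPath = ".\hipaa-evidence.json"   # assumed location, change as needed
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Ref, [string]$Control, [bool]$Pass, [string]$Detail)
    $status = if ($Pass) { 'Pass' } else { 'Fail' }
    $findings.Add([pscustomobject]@{
        HipaaRef = $Ref
        Control  = $Control
        Status   = $status
        Detail   = $Detail
        Checked  = (Get-Date).ToString('o')
    })
}

# 164.312(b) Audit Controls: unified audit log ingestion and mailbox auditing.
$ual = Get-AdminAuditLogConfig
Add-Finding '164.312(b)' 'Unified Audit Log ingestion enabled' `
    ([bool]$ual.UnifiedAuditLogIngestionEnabled) "UnifiedAuditLogIngestionEnabled=$($ual.UnifiedAuditLogIngestionEnabled)"

$org = Get-OrganizationConfig
Add-Finding '164.312(b)' 'Mailbox auditing on by default' `
    (-not $org.AuditDisabled) "AuditDisabled=$($org.AuditDisabled)"

# A mailbox with AuditEnabled=$false bypasses the org-wide default, so list them.
$unaudited = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled })
Add-Finding '164.312(b)' 'No user mailbox has auditing disabled' `
    ($unaudited.Count -eq 0) ("Disabled on: " + ($unaudited.UserPrincipalName -join ', '))

# Audit retention: record the policies actually applied so the risk analysis
# can cite them (164.316(b)(2) governs documentation retention, not the logs).
$retention = @(Get-UnifiedAuditLogRetentionPolicy)
Add-Finding '164.316(b)(2)' 'Custom audit log retention policies defined' `
    ($retention.Count -gt 0) (($retention | ForEach-Object { "$($_.Name)=$($_.RetentionDuration)" }) -join '; ')

# 164.312(a)(1) / 164.312(d): an enabled Conditional Access policy scoped to all
# users that requires MFA or a compliant device.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
$strongAuth = @($caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or
     $_.GrantControls.BuiltInControls -contains 'compliantDevice')
})
Add-Finding '164.312(a)(1)' 'CA policy requires MFA or compliant device for all users' `
    ($strongAuth.Count -gt 0) ($strongAuth.DisplayName -join ', ')

# 164.312(c)(1): enabled DLP rules whose sensitive information types look
# health-related. The keyword match is a heuristic, not a Microsoft classifier.
$phiRules = @(foreach ($p in (Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' })) {
    Get-DlpComplianceRule -Policy $p.Name | Where-Object {
        ($_.ContentContainsSensitiveInformation | Out-String) -match 'Health|Medical|Patient|ICD|DEA|HIPAA'
    }
})
Add-Finding '164.312(c)(1)' 'Enabled DLP rule covers health-related sensitive info types' `
    ($phiRules.Count -gt 0) ($phiRules.Name -join ', ')

# 164.312(e)(1): mail flow rules that apply message encryption or force TLS.
$encryptRules = @(Get-TransportRule | Where-Object {
    $_.State -eq 'Enabled' -and
    ($_.ApplyRightsProtectionTemplate -or $_.RouteMessageOutboundRequireTls)
})
Add-Finding '164.312(e)(1)' 'Mail flow rule enforces encryption or TLS' `
    ($encryptRules.Count -gt 0) ($encryptRules.Name -join ', ')

# Summary on screen, full detail to disk as a point-in-time evidence record.
$findings | Format-Table HipaaRef, Control, Status -AutoSize
$findings | ConvertTo-Json -Depth 4 | Set-Content -Path $OutputPath -Encoding UTF8
Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Every cmdlet in the block is a read operation, so it can run under Global Reader plus the Security & Compliance view-only roles. A Fail row maps directly to a safeguard reference in the tables above, and the JSON file can be filed next to the Trust Center evidence export as a dated snapshot; rerun it after remediation so the package shows the before and after state.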
API Reference
- GET /api/addons/trust-center/frameworks/hipaa/status — Get HIPAA compliance status summary for a tenant
- GET /api/addons/trust-center/frameworks/hipaa/safeguards — List safeguard requirements with assessment results
- GET /api/addons/trust-center/frameworks/hipaa/baa-status — Get BAA coverage status for all M365 services in use
- GET /api/addons/trust-center/frameworks/hipaa/phi-controls — Get status of PHI-specific protection controls
- POST /api/addons/trust-center/frameworks/hipaa/scan — Trigger a HIPAA compliance assessment scan
- GET /api/addons/trust-center/frameworks/hipaa/evidence — Export evidence package for HIPAA audit or OCR investigation
- GET /api/addons/trust-center/frameworks/hipaa/risk-assessment — Generate HIPAA-specific risk assessment report