Is SharePoint HIPAA Compliant?
TLDR
SharePoint Online within a qualifying Microsoft 365 business plan can be HIPAA compliant, but it requires a signed Microsoft Data Processing Agreement and deliberate configuration of external sharing settings. Without both, storing PHI in SharePoint document libraries is a HIPAA violation.
Short Answer
SharePoint Online within Microsoft 365 can be HIPAA compliant. The prerequisite is a signed Microsoft Data Processing Agreement (the M365 HIPAA BAA) and active restriction of SharePoint’s external sharing settings. SharePoint’s defaults allow external sharing — for PHI-containing document libraries, that default must be changed before any patient data is stored.
What the Microsoft 365 BAA Covers
Microsoft’s HIPAA coverage is not service-by-service — it is a single Data Processing Agreement that covers the core Microsoft 365 services: Exchange Online (Outlook), SharePoint Online, OneDrive for Business, Microsoft Teams, and several others. Accepting this agreement through the M365 admin center brings all covered services under the BAA simultaneously.
For SharePoint, this means document storage within SharePoint Online is covered once the DPA is signed. Files are encrypted at rest and in transit, access requires authenticated M365 accounts, and Microsoft commits to its breach notification and security obligations.
External Sharing: The Configuration Gap
SharePoint Online is built for collaboration across organizational boundaries. Its default settings reflect that — external sharing is enabled by default, and users can generate links accessible to anyone with a URL or to specific external email addresses.
For HIPAA, this is the primary configuration problem. A document library containing patient PHI with external sharing enabled is accessible outside the BAA boundary. The BAA covers Microsoft’s infrastructure; it does not prevent your staff from sharing a folder of patient files with an external billing contractor’s personal email.
Administrators must configure SharePoint external sharing policies in the SharePoint admin center. For any site collection or document library containing PHI, the setting should be “Only people in your organization.” This applies per-site — a general SharePoint intranet can have broader sharing while clinical document sites are locked down.
PHI in SharePoint: What Clinics Actually Store
Medical practices use SharePoint for a range of administrative documents that qualify as PHI: intake form templates pre-filled with patient data, clinical policy documents referencing specific cases, billing records, patient correspondence archives, and staff training materials that include de-identified or identified clinical examples.
Any document referencing patient names, diagnoses, treatment plans, dates of service, or billing information is PHI regardless of the file format. PDFs, Word documents, Excel spreadsheets, and scanned forms stored in SharePoint libraries are all in scope.
Who Should Look Elsewhere
Clinics using personal Microsoft accounts or consumer-tier M365 plans without a signed BAA need to sign the DPA before storing any PHI in SharePoint. Clinics that need PHI-aware task management, compliance workflows, and audit trails tied to specific clinical tasks — not just document storage — need a tool built for that purpose. PHIGuard ($20/month for up to 10 staff, $49/month for up to 25 staff) includes a BAA and handles the compliance workflow layer that SharePoint was not designed to provide.
- Business Associate Agreement (BAA): A legally required contract between a covered entity and a vendor that handles PHI on its behalf. For Microsoft 365, this is the Data Processing Agreement (DPA), accepted through the M365 admin center. It covers SharePoint Online, Exchange Online, Teams, OneDrive, and other core M365 services under a single agreement.
- External Sharing: SharePoint Online's feature that allows users inside an organization to share document libraries, folders, or files with people outside the organization's Microsoft 365 tenant. For HIPAA purposes, external sharing of PHI must be restricted — anonymous or open link sharing is incompatible with HIPAA minimum-necessary access requirements.
Is SharePoint HIPAA compliant?
SharePoint Online within Microsoft 365 can be, provided your organization has accepted Microsoft's Data Processing Agreement and has configured SharePoint's external sharing settings to prevent uncontrolled access to PHI-containing libraries.
What configuration steps are required to use SharePoint for PHI?
Three steps: (1) Accept Microsoft's HIPAA BAA (Data Processing Agreement) in the M365 admin center. (2) In the SharePoint admin center, set external sharing to 'Only people in your organization' for sites that will contain PHI. (3) Review existing site collections and document libraries for any PHI that was stored before the BAA was accepted or before sharing was restricted.
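The sharing lockdown and the review of existing sites (steps 2 and 3 above) can be scripted rather than clicked through site by site. The following is an added example, not code from PHIGuard or from Microsoft's documentation; it uses the SharePoint Online Management Shell cmdlets Connect-SPOService, Get-SPOSite, Set-SPOSite and Set-SPOTenant. The tenant name and the list of PHI-holding site URLs are placeholders you would replace with your own inventory.

```powershell
# Added example (not PHIGuard's or Microsoft's code). Requires the SharePoint Online
# Management Shell: Install-Module Microsoft.Online.SharePoint.PowerShell
# Tenant name and site URLs below are placeholders for illustration only.

$TenantName = "contoso"                                   # placeholder
$AdminUrl   = "https://$TenantName-admin.sharepoint.com"

# Sites known to hold PHI (constructed list; in practice this comes from your data inventory).
$PhiSites = @(
    "https://$TenantName.sharepoint.com/sites/ClinicalRecords",
    "https://$TenantName.sharepoint.com/sites/Billing"
)

Connect-SPOService -Url $AdminUrl

# Step 3: inventory every site whose sharing is broader than
# "Only people in your organization" (SharingCapability value 'Disabled').
# Review these for PHI stored before sharing was restricted.
$OpenSites = Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne 'Disabled' }
$OpenSites | Select-Object Url, SharingCapability, LastContentModifiedDate | Format-Table -AutoSize

# Tenant-wide ceiling: a site can never be more permissive than the tenant setting.
# ExternalUserSharingOnly still allows authenticated guests but removes "Anyone" (anonymous) links,
# which the definition above calls out as incompatible with minimum-necessary access.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Step 2: lock the PHI sites down to organization-only sharing.
foreach ($url in $PhiSites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled

    # Re-read the setting instead of trusting that the call took effect.
    $after = (Get-SPOSite -Identity $url).SharingCapability
    if ($after -ne 'Disabled') {
        Write-Warning "$url still reports SharingCapability=$after"
    }
    else {
        Write-Output "$url : external sharing disabled"
    }
}
```

Run the inventory half first and read the output before applying the lockdown; a site that turns up with sharing enabled and recent content changes is exactly the case step 3 asks you to review. Re-running the inventory on a schedule also catches sites created after the initial hardening, since new sites inherit the tenant default rather than the PHI-site setting.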
What are the ongoing risks of using SharePoint for PHI?
SharePoint has no PHI-specific access controls — any user with site access can read all documents in that library. There is no minimum-necessary enforcement, no clinical workflow context, and audit logs require manual export and interpretation. The BAA covers Microsoft's obligations; your organization remains responsible for who has access and what they do with PHI.
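Because the audit trail has to be exported and interpreted by you, the practical control is a recurring pull of sharing events scoped to the PHI sites. The following is an added example, not PHIGuard's or Microsoft's code; it uses the Search-UnifiedAuditLog cmdlet from the ExchangeOnlineManagement module, which is where SharePoint sharing operations are recorded. The site URLs are placeholders, and the AuditData fields read here (CreationTime, Operation, UserId, ObjectId, SiteUrl, TargetUserOrGroupName) are the ones the unified audit log emits for SharePoint sharing records.

```powershell
# Added example (not PHIGuard's or Microsoft's code). Requires the ExchangeOnlineManagement
# module: Install-Module ExchangeOnlineManagement
# Site URLs are placeholders for illustration only.

$PhiSites = @(
    "https://contoso.sharepoint.com/sites/ClinicalRecords",   # placeholder
    "https://contoso.sharepoint.com/sites/Billing"            # placeholder
)

Connect-ExchangeOnline

# Pull the last 30 days of SharePoint sharing operations. 5000 is the per-call maximum;
# larger tenants should page with -SessionCommand ReturnLargeSet.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation -ResultSize 5000

# AuditData is a JSON string; expand it and keep only events on PHI sites.
# SiteUrl usually carries a trailing slash, so normalise before comparing.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $site = "$($d.SiteUrl)".TrimEnd('/')
    if ($PhiSites -contains $site) {
        [pscustomobject]@{
            Time      = $d.CreationTime
            Operation = $d.Operation       # e.g. SharingSet, SharingInvitationCreated, AnonymousLinkCreated
            Actor     = $d.UserId
            Target    = $d.TargetUserOrGroupName
            Object    = $d.ObjectId
            Site      = $site
        }
    }
}

# Every row is a sharing action on a PHI site and needs a human reviewer.
# Anonymous links and invitations to external addresses are the highest-priority findings.
$events | Sort-Object Time -Descending | Format-Table -AutoSize
$events | Export-Csv -Path .\phi-sharing-events.csv -NoTypeInformation
```

The exported CSV is the artefact an auditor will ask for: who shared what, from which PHI site, with whom, and when. Filtering to the PHI site list keeps the review tractable, which is the "interpretation" step the paragraph above says SharePoint leaves to you.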