Making Microsoft 365 HIPAA Compliant for Your Practice

by 4MEDNET Team
March 21, 2026
HIPAA

You signed up for Microsoft 365. You moved your practice email to Outlook. You started storing documents in OneDrive. You assume Microsoft handles the HIPAA compliance part. They do not.

Microsoft 365 is capable of being HIPAA-compliant. But out of the box, with default settings, it is not. 52% of email-related healthcare data breaches involved Microsoft 365 environments. Not because the platform is insecure — because the organizations using it never configured the security settings.

Step Zero: The Business Associate Agreement

Before you configure a single setting, you need Microsoft's Business Associate Agreement (BAA). HIPAA requires a BAA with any vendor that creates, receives, maintains, or transmits electronic protected health information (ePHI) on your behalf. Microsoft qualifies.

Microsoft offers a BAA for eligible plans. You do not need to negotiate it. But you do need to accept it through the Microsoft 365 admin center under Settings > Org settings > Security & privacy > HIPAA. If you have never visited this page, you do not have an active BAA — and every email containing patient information you have ever sent through Microsoft 365 is technically a HIPAA violation.

The BAA covers Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. It does not cover consumer services like Outlook.com, Hotmail, or personal OneDrive accounts. If any staff member uses a personal Microsoft account for work, that communication is not covered.

Which Plan to Choose

Not every Microsoft 365 plan supports the security features HIPAA requires. Here is what you need to know:

  • Microsoft 365 Business Basic ($6/user/month): Includes the BAA but lacks advanced security features. No Intune device management. No Advanced Threat Protection. Limited DLP capabilities. Technically eligible but leaves significant gaps.
  • Microsoft 365 Business Standard ($12.50/user/month): Adds desktop Office apps but the same security limitations as Basic.
  • Microsoft 365 Business Premium ($22/user/month): This is the recommended plan for medical practices. Includes Intune (mobile device management), Azure AD Premium P1 (Conditional Access), Microsoft Defender for Office 365, and full DLP capabilities. Every HIPAA-required security control is available.
  • Microsoft 365 E3/E5 ($36-$57/user/month): Enterprise plans with additional compliance tools. Overkill for most small practices but necessary for larger organizations with complex compliance needs.

For a 20-user practice, the cost difference between Business Standard and Business Premium is $190 per month. That $190 buys you device management, conditional access, advanced threat protection, and the full set of tools needed for HIPAA-compliant email. It is the most cost-effective security upgrade available.

The 12 Settings You Must Configure

1. Accept the BAA. Admin center > Settings > Org settings > Security & privacy > HIPAA. Accept the agreement. Document the date you accepted it. This is the foundation everything else builds on.

2. Enable multi-factor authentication for every user. MFA is the single most effective security control you can enable. Microsoft's own data shows MFA blocks 99.9% of account compromise attacks. Use the Microsoft Authenticator app or hardware security keys — not SMS codes, which can be intercepted.

3. Configure Conditional Access policies. Conditional Access lets you require MFA from outside the office, block sign-ins from foreign countries where your practice has no staff, require compliant devices, and block legacy authentication protocols that do not support MFA. At minimum, create policies that block legacy auth, require MFA for all users, and restrict access to managed devices for ePHI.

4. Set up Data Loss Prevention (DLP) policies. DLP scans outbound email and shared files for patterns that match protected health information — Social Security numbers, medical record numbers, diagnosis codes. When a match is detected, DLP can block the message, require encryption, or notify the compliance officer. Create policies that cover at minimum: SSNs, health information patterns, and credit card numbers.

5. Enable message encryption. Microsoft 365 Message Encryption (OME) encrypts email messages containing sensitive content. Configure transport rules that automatically encrypt any message flagged by DLP or any message sent to external recipients containing ePHI. Recipients outside your organization receive a link to a secure portal to read the message — no special software required.

6. Enable unified audit logging. HIPAA requires audit controls that record who accessed ePHI, when, and what they did. In the Microsoft Purview compliance portal, enable unified audit logging for all services. Set the retention period to at least 1 year (Business Premium supports this). Regularly review audit logs for unusual access patterns — especially during risk assessments.

7. Set session timeout policies. HIPAA requires automatic logoff after a period of inactivity. Configure idle session timeout to 15 minutes for web-based access (Outlook Web, SharePoint Online, Teams Web). For desktop applications, configure Windows lock screen timeout to 5 minutes. This prevents unauthorized access to a logged-in workstation when staff step away.

8. Restrict external sharing in OneDrive and SharePoint. By default, OneDrive and SharePoint allow sharing files with anyone via link. Change the default sharing scope to "People in your organization" and require approval for external sharing. Create a specific SharePoint site for external collaboration with controlled permissions rather than allowing ad-hoc sharing from any location.

9. Disable consumer storage connections. In the OneDrive admin settings, disable the ability to sync personal OneDrive accounts on work devices. Block connections to consumer cloud storage services (Dropbox, personal Google Drive) from managed devices. Patient data should only exist in business-managed storage covered by the BAA.

10. Configure retention policies. HIPAA requires that medical records be retained for the periods specified by state law — typically 7 to 10 years for adults. Create retention policies in Microsoft Purview that prevent deletion of email and documents containing patient information before the retention period expires. Also configure litigation hold for any users involved in active legal matters.

11. Set up security alerts. Configure alerts for: impossible travel (sign-ins from two locations that are too far apart to travel between), sign-ins from anonymous IP addresses, unusual mail forwarding rules (a common indicator of account compromise), and bulk file downloads from SharePoint or OneDrive. Route these alerts to your IT administrator and compliance officer.

12. Enroll devices in Intune (MDM). If staff access Microsoft 365 from mobile phones or personal laptops, those devices need management. Intune lets you require a PIN or biometric to access work data, encrypt work data on the device, and remotely wipe work data if a device is lost or stolen — without touching personal data. Create a compliance policy that requires encryption, a screen lock, and current OS version.
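As an added example (not from the original post and not Microsoft's own documentation), the following Exchange Online PowerShell script applies settings 5, 6 and 7 above plus the external auto-forwarding block in one pass; the rule name, the choice of the built-in SSN sensitive information type as the trigger, and the admin role are assumptions made for the example.

```powershell
# Added example: applies several of the 12 settings through Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the account holds the
# Exchange Administrator role. The rule name is constructed for this example.
Connect-ExchangeOnline

# Setting 6: turn on unified audit logging (idempotent; safe to run again).
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Setting 7: 15-minute idle timeout for Outlook on the web sessions.
Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
    -ActivityBasedAuthenticationTimeoutInterval 00:15:00

# "Auto-forwarding to personal email" (see Common Mistakes): refuse automatic
# forwarding to every external domain, both at the remote-domain level and in
# the outbound spam policy, so a user-created rule cannot bypass it.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Setting 5: encrypt mail leaving the organization when it carries an SSN
# pattern (built-in sensitive information type), using the Encrypt-Only template.
$ruleName = "Encrypt ePHI to external recipients"   # constructed name
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -SentToScope NotInOrganization `
        -MessageContainsDataClassifications @(@{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}) `
        -ApplyRightsProtectionTemplate "Encrypt" `
        -Priority 0
}

# Show the resulting state so it can be saved with the date as compliance evidence
# (setting 1 says to document when the BAA was accepted; the same applies here).
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
Get-OrganizationConfig | Select-Object ActivityBasedAuthenticationTimeoutEnabled,
    ActivityBasedAuthenticationTimeoutInterval
Get-RemoteDomain -Identity Default | Select-Object AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy -Identity Default | Select-Object AutoForwardingMode
Get-TransportRule -Identity $ruleName | Select-Object Name, State, Priority
```

The SSN type is only a starting point: add the health-related sensitive information types your DLP policy uses (setting 4) to the same rule so DLP and encryption agree on what counts as ePHI.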

Common Mistakes That Cause Breaches

Auto-forwarding to personal email. A staff member sets up a rule to forward all work email to their personal Gmail. Patient information now sits in an unencrypted consumer email account not covered by your BAA. Disable auto-forwarding to external domains in Exchange transport rules.
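An added example, not from the original post: an Exchange Online PowerShell check that finds every forwarding path this mistake relies on (mailbox-level forwarding, user inbox rules, and recent rule changes in the audit log). The internal domain list is a constructed value.

```powershell
# Added example: finds the ways practice mail can be routed to a personal account.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline) with a role
# that can read mailboxes, inbox rules and the unified audit log.
$InternalDomains = @("example-practice.com")   # constructed value; use your own domains

# True when an SMTP address belongs to a domain outside the tenant.
function Test-ExternalAddress([string]$Address) {
    if (-not $Address -or $Address -notmatch '@') { return $false }
    $domain = ($Address -replace '^.*@', '').ToLower()
    return $InternalDomains -notcontains $domain
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set by an admin, or by the user in Outlook settings).
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect. Rule recipients render as
#    '"Name" [SMTP:user@domain]', so the address is pulled out of that string.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { $_ } |
                ForEach-Object { $_.ToString() -replace '^.*\[SMTP:|\]$', '' }
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = $targets -join "; "
                External = [bool]($targets | Where-Object { Test-ExternalAddress $_ })
            }
        }
}

# 3. Rule creation or changes in the last 30 days from the unified audit log
#    (returns nothing unless setting 6, unified audit logging, is on).
$now = Get-Date
$ruleEvents = Search-UnifiedAuditLog -StartDate $now.AddDays(-30) -EndDate $now `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations

"== Mailbox-level forwarding ==";             $mailboxForwarding | Format-Table -AutoSize
"== Inbox rules that forward or redirect =="; $ruleForwarding | Format-Table -AutoSize
"== Inbox rule changes, last 30 days ==";     $ruleEvents | Format-Table -AutoSize
```

Rows with External set to True are the ones to act on first; a rule created shortly after an unusual sign-in is the pattern setting 11's alerts are meant to catch.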

Shared mailboxes without MFA. Shared mailboxes (info@, billing@, referrals@) are often configured without MFA because "nobody owns the account." Attackers know this. Every shared mailbox should have a designated owner, and access should require MFA through each individual user's account — not a shared password.

No training on phishing. 91% of cyberattacks start with a phishing email. Microsoft Defender for Office 365 (included in Business Premium) offers attack simulation training. Run simulated phishing campaigns monthly. Staff who click get immediate training. Over time, click rates drop from 30% to under 5%.

Using Teams for patient discussions without controls. Microsoft Teams is covered by the BAA, but conversations are only as secure as the participants. Guest access, external sharing, and open channels can expose patient information. Restrict guest access to specific teams, disable external chat, and create dedicated private channels for patient-related discussions.

What Auditors Look For

When OCR investigates a complaint or conducts an audit, they ask for documentation. For Microsoft 365 environments, expect questions about:

  • A copy of your executed BAA with Microsoft
  • Evidence that MFA is enabled for all users (not just some)
  • Your DLP policy configuration and any violation reports
  • Audit log retention settings and sample log reviews
  • Your encryption configuration for email and stored files
  • Mobile device management policies and enrolled device list
  • Evidence of regular access reviews and terminated user account deactivation

If you cannot produce these documents, the configuration does not matter. HIPAA requires both the controls and the documentation that proves they exist.
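An added example, not from the original post: a Microsoft Graph PowerShell script that produces the "MFA enabled for all users" evidence item from Entra's authentication-method registration report, separating users with no MFA method from users who registered only the phone-based methods the article advises against. The Graph permissions and the output file name are assumptions.

```powershell
# Added example: builds the "MFA for all users (not just some)" evidence an auditor
# asks for. Assumes the Microsoft.Graph.Reports module and an account allowed to
# consent to the two read-only permissions below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Phone-based methods (SMS/voice) are the ones the article steers away from.
$phoneMethods = @("mobilePhone", "alternateMobilePhone", "officePhone")

# Members only; guest accounts authenticate against their home tenant.
$members   = @($details | Where-Object { $_.UserType -eq "member" })
$noMfa     = @($members | Where-Object { -not $_.IsMfaRegistered })
$phoneOnly = @($members | Where-Object {
    $_.IsMfaRegistered -and
    -not @($_.MethodsRegistered | Where-Object { $_ -notin $phoneMethods }).Count
})

# Summary line for the compliance file.
[pscustomobject]@{
    GeneratedOn   = (Get-Date).ToString("u")
    MemberUsers   = $members.Count
    MfaRegistered = $members.Count - $noMfa.Count
    NoMfa         = $noMfa.Count
    PhoneOnly     = $phoneOnly.Count
} | Format-List

"== Users with no MFA method registered =="
$noMfa | Select-Object UserPrincipalName, IsAdmin | Format-Table -AutoSize
"== Users with phone-based methods only =="
$phoneOnly | Select-Object UserPrincipalName, @{n = "Methods"; e = { $_.MethodsRegistered -join "," }} |
    Format-Table -AutoSize

# Keep a dated copy: the auditor asks for the evidence, not the setting.
$details | Select-Object UserPrincipalName, UserType, IsAdmin, IsMfaRegistered, IsMfaCapable,
        @{n = "Methods"; e = { $_.MethodsRegistered -join "," }} |
    Export-Csv -Path ".\mfa-evidence-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation  # constructed path
```

Registration is not enforcement: file this report alongside an export of the Conditional Access policy from setting 3 that actually requires MFA.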

Book a free Microsoft 365 security review to see how your current configuration measures up against HIPAA requirements. We will audit your settings, identify gaps, and configure the 12 controls your practice needs. Explore our HIPAA compliance services and support plans.
