Primer: PHI content on Microsoft SharePoint 2013 and Office 365

I am increasingly hearing questions from customers about storing protected health information (PHI) in SharePoint 2013 and Office 365. Yes, there is a roadmap, and there are implementation guidelines you can follow to store PHI in SharePoint and maintain compliance with HIPAA requirements.

Microsoft has made information available on its vision for PHI in SharePoint. I am providing a summary here in case your organization is evaluating the features available in SharePoint 2013 and Office 365.

PHI content on Microsoft SharePoint 2013

Protected health information, or “PHI”, is a subset of health information, in any media, including demographic information collected from an individual, that: is created or received by a healthcare provider, health plan, employer, or health care clearinghouse; relates to an individual’s health, provision of health care to the individual, or payment for the provision of health care; identifies an individual or could reasonably be used with other available information to identify an individual; and is not specifically excluded from the definition of PHI (generally, education and employment records are excluded from HIPAA coverage).

PHI includes many common identifiers, such as name, address, and Social Security Number, and can be in any form or media, whether electronic, paper, or oral.

Understanding PHI on SharePoint 2013

Only certain data sets, however, are designated with the appropriate level of security and privacy to comply with the HIPAA security requirements, as described above.

Microsoft strongly recommends that you train your personnel to input PHI only into the appropriately secured and designated areas.

The following data-sets or repositories are suitable for uploading PHI:

PHI Recommended Data Types

  • Email body
  • Email attachment body
  • SharePoint site content
  • Information in the body of a SharePoint file
  • Lync presentation file body
  • IM or voice conversations
  • CRM entity records

Examples of data-sets or repositories not suitable for inclusion of PHI:

  • Email headers, including “From”, “To”*, or “Subject Line”
  • Filenames (including filenames of any attachments or uploaded documents on any Service)
  • URLs, or any public SharePoint websites
  • Account, billing, or service configuration data
  • Internet domain names (e.g., “”)
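
An added example, not part of the original post or of Microsoft's guidance: a Python check for three of the unsuitable locations listed above (email headers, attachment filenames, URLs) that flags values shaped like a Social Security Number, one of the identifiers named earlier. The function names, the example.org addresses and the sample message are constructed for illustration, and only SSN-shaped values are detected.

```python
import re
from email import message_from_string
from urllib.parse import unquote

# SSN-shaped token: 3-2-4 digits, optional "-" or space separators.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def has_ssn(text):
    """True if text holds a plausible SSN; never-issued ranges are skipped."""
    for area, group, serial in SSN_RE.findall(text or ""):
        if (area not in ("000", "666") and area[0] != "9"
                and group != "00" and serial != "0000"):
            return True
    return False

def audit_email(raw):
    """List the unsuitable locations in one message that carry an SSN.
    The body is deliberately not scanned: the page lists it as suitable."""
    msg = message_from_string(raw)
    findings = ["header:" + h for h in ("From", "To", "Subject")
                if has_ssn(msg.get(h, ""))]
    for part in msg.walk():
        name = part.get_filename()
        if name and has_ssn(name):
            findings.append("filename:" + name)
    return findings

def audit_url(url):
    """True if a URL carries an SSN, including percent-encoded forms."""
    return has_ssn(unquote(url))

# Constructed sample message (not real data).
SAMPLE = """\
From: clinic@example.org
To: billing@example.org
Subject: Labs for patient 123-45-6789
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Patient SSN 123-45-6789, results attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="labs_123456789.pdf"

constructed placeholder
--b1--
"""
```

Calling audit_email(SAMPLE) reports the Subject header and the attachment filename, while the same number in the message body is left alone.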


