I am increasingly hearing questions from customers about storing Protected Health Information, or PHI, in SharePoint 2013 and Office 365. Yes, there is a roadmap and there are implementation guidelines you can follow to store PHI in SharePoint while maintaining compliance with HIPAA requirements.
Microsoft has made information available on its vision for PHI in SharePoint. I am providing a summary here in case your organization is evaluating the features available in SharePoint 2013 and Office 365.
Protected health information, or “PHI”, is a subset of health information, in any media, including demographic information collected from an individual, that: is created or received by a healthcare provider, health plan, employer, or health care clearinghouse; relates to an individual’s health, the provision of health care to the individual, or payment for the provision of health care; identifies an individual or could reasonably be used with other available information to identify an individual; and is not specifically excluded from the definition of PHI (generally, education and employment records are excluded from HIPAA coverage).
PHI includes many common identifiers, such as name, address, and Social Security Number, and can be in any form or media, whether electronic, paper, or oral.
Understanding PHI on SharePoint 2013
Only certain data sets, however, are designated with the level of security and privacy needed to comply with the HIPAA security requirements described above.
Microsoft strongly recommends that you train your personnel to input PHI only into the appropriately secured and designated areas.
The following data sets or repositories are suitable for uploading PHI:
PHI Recommended Data Types
- Email body
- Email attachment body
- SharePoint site content
- Information in the body of a SharePoint file
- Lync presentation file body
- IM or voice conversations
- CRM entity records
Examples of data sets or repositories not suitable for storing PHI:
- Email headers, including “From”, “To”*, or “Subject Line”
- Filenames (including filenames of any attachments or uploaded documents on any Service)
- URLs, or any public SharePoint websites
- Account, billing, or service configuration data
- Internet domain names (e.g., “fabrikam.com”)
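The split above (PHI allowed in bodies, never in headers, filenames or URLs) is easy to state and easy to violate by accident. As an added example, not taken from Microsoft's guidance, here is a pre-upload check that scans only the unsuitable fields for one identifier the page names (a Social Security Number) and masks what it finds so the finding itself can be logged; the field names and the sample message are constructed for this example.

```python
import re

# Added example: flag identifier-like values in the fields the guidance lists
# as unsuitable for PHI (headers, filenames, URLs). Body fields are skipped
# because the guidance permits PHI there.

# US Social Security Number in NNN-NN-NNNN form. Lookarounds rather than \b so
# the pattern still matches inside filenames such as "jdoe_123-45-6789_labs.pdf".
PATTERNS = {
    "ssn": re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])"),
}

# Field names are assumptions for this example, mapped onto the "not suitable"
# list above: headers, attachment filenames, and URLs.
FORBIDDEN_FIELDS = ("from", "to", "subject", "filename", "attachment_names", "url")


def mask_ssn(value: str) -> str:
    """Keep only the last four digits so a finding can be logged safely."""
    return "***-**-" + value[-4:]


def find_identifiers(text: str) -> list[str]:
    """Return masked identifier matches found in one string."""
    found = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            found.append(mask_ssn(match.group(0)) if name == "ssn" else match.group(0))
    return found


def check_item(item: dict) -> list[tuple[str, str]]:
    """Return (field, masked_value) pairs for identifiers in forbidden fields."""
    findings = []
    for field in FORBIDDEN_FIELDS:
        values = item.get(field, [])
        if isinstance(values, str):
            values = [values]          # attachment_names may be a list
        for value in values:
            for hit in find_identifiers(value):
                findings.append((field, hit))
    return findings


# Constructed sample: an Exchange Online message carrying a lab report upload.
SAMPLE_ITEM = {
    "from": "clinic@fabrikam.com",
    "to": "billing@fabrikam.com",
    "subject": "Claim for SSN 123-45-6789",
    "filename": "jdoe_123-45-6789_labs.pdf",
    "url": "https://fabrikam.sharepoint.com/sites/clinic/jdoe_123-45-6789_labs.pdf",
    "body": "Patient SSN 123-45-6789; results attached.",  # allowed location
}

if __name__ == "__main__":
    for field, value in check_item(SAMPLE_ITEM):
        print(f"PHI identifier in unsuitable field '{field}': {value}")
```

Running it reports the subject, filename and URL, and stays silent about the body, which is exactly the boundary the two lists above draw.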
Further reading from Microsoft:
- HIPAA Compliance with Office 365 (Exchange Online) – Steps for Configuration and Use
- Microsoft Office 365 for Health Organizations