The Microsoft 365 HIPAA Checklist Most Practices Fail
Microsoft 365 can be HIPAA-compliant. Out of the box, it usually isn't — compliance lives in the configuration, not the subscription. Here's the checklist we run on every healthcare tenant we take over, in the order that matters.
1. Sign Microsoft's BAA
Microsoft's BAA is part of the Product Terms and Data Protection Addendum for its commercial online services. It covers Microsoft 365 commercial plans (including ones sold through a Cloud Solution Provider) for the services those terms list; it does not cover Microsoft 365 Personal or Family, or a hosted-email product a web host sells under its own terms. If your licenses came through a reseller bundle (GoDaddy and web hosts are common culprits), confirm in the admin center which SKUs you actually hold, that you rather than the reseller administer the tenant, and that the DPA/BAA terms attach to it. We've audited practices that assumed it did. It didn't.
2. Turn on MFA for every account — no exceptions
Most healthcare breaches we see start with one password. Multi-factor authentication stops the overwhelming majority of account takeovers, and "every account" includes the front-desk shared login everyone forgot about. Two caveats a practitioner will want: block legacy authentication (POP, IMAP, SMTP AUTH, basic-auth ActiveSync) at the same time, because those protocols cannot complete an MFA challenge and leave a path around it; and a shared login that several people type should become a shared mailbox with the account's sign-in disabled, opened by each staff member from their own MFA-protected identity. Conditional Access (Entra ID P1, included in Business Premium) lets you enforce both instead of asking nicely; on plans without it, Security Defaults give you tenant-wide MFA and a legacy-auth block with no exceptions. Keep one break-glass account excluded from the policies, with a long random password stored offline and an alert on any sign-in.
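The enforcement described above, as an added example that is not the article's own code: two Conditional Access policies created through the Microsoft Graph PowerShell SDK in report-only mode, a check that nothing but the break-glass account is excluded, and the conversion of a shared login into a shared mailbox. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, a Global or Security Administrator, and the hypothetical accounts breakglass@contoso.onmicrosoft.com and frontdesk@contoso.com.

```powershell
# Added example (not the article's code). Assumes the Microsoft Graph PowerShell SDK and
# ExchangeOnlineManagement modules, a Global or Security Administrator signing in, and a
# hypothetical emergency account breakglass@contoso.onmicrosoft.com that already exists.
# Both policies start in report-only mode; set state = "enabled" after reviewing the
# sign-in log's report-only results.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.ReadWrite.All"

$breakGlass = (Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com").Id

# Policy 1: MFA for every user on every cloud app. The only exclusion is the monitored
# break-glass account, so a broken policy cannot lock every administrator out.
$mfaPolicy = @{
    displayName   = "HIPAA - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. POP/IMAP/SMTP AUTH and basic-auth ActiveSync
# cannot answer an MFA prompt, so without this "MFA everywhere" becomes "MFA unless the
# attacker uses IMAP".
$legacyPolicy = @{
    displayName   = "HIPAA - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Check: list every HIPAA policy with its state and exclusions. Any excluded group, or any
# excluded user other than the break-glass object ID, is a finding.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "HIPAA*" } |
    ForEach-Object {
        [pscustomobject]@{
            Policy         = $_.DisplayName
            State          = $_.State
            ExcludedUsers  = ($_.Conditions.Users.ExcludeUsers -join ",")
            ExcludedGroups = ($_.Conditions.Users.ExcludeGroups -join ",")
        }
    }

# The front-desk shared login: make it a shared mailbox (no license, opened from each
# staff member's own identity) and disable the account so it can no longer be phished.
Connect-ExchangeOnline
Set-Mailbox -Identity "frontdesk@contoso.com" -Type Shared        # hypothetical mailbox
Update-MgUser -UserId "frontdesk@contoso.com" -AccountEnabled:$false
```

Leave both policies in report-only mode for a week, then read the "Report-only" tab of the sign-in log for users who would have been blocked; typically that surfaces a scanner-to-email device or an old mail client still on basic auth that needs replacing before the policies go live.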
3. Get on the right license
- Business Basic / Standard: email and Office, with Security Defaults and baseline Exchange protection, but none of the policy tooling HIPAA's technical safeguards expect.
- Business Premium: adds Intune (device management), Defender for Business (endpoint detection and response), Entra ID P1 (Conditional Access), and Purview DLP and sensitivity labels, which is the actual compliance toolkit. It is capped at 300 seats, so for most practices this is the license that makes the rest of this checklist possible.
4. Encrypt and manage the devices
A lost laptop with cached patient email is a reportable breach unless the disk was encrypted and you can prove it: HHS guidance treats PHI encrypted to NIST standards as unusable, so a properly encrypted device that goes missing does not trigger notification. Intune compliance policies require BitLocker on Windows and a passcode (which enables hardware encryption) on iOS and Android, escrow BitLocker recovery keys in Entra ID, and report each device's encryption state, which is your proof. Intune also lets you wipe a device that walks away. If a workstation can read patient data, it should be enrolled, and Conditional Access should refuse sign-in from devices that are not compliant.
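The "prove it" part of the paragraph above, as an added example that is not the article's code: a Graph PowerShell report of enrolled devices that are not reporting encryption or have gone quiet, joined against the BitLocker recovery keys escrowed in Entra ID. It assumes the Microsoft.Graph module and an Intune Administrator; there are no tenant-specific names in it.

```powershell
# Added example (not the article's code). Assumes the Microsoft Graph PowerShell SDK and an
# Intune Administrator. Produces the evidence you hand an auditor after a laptop goes missing:
# which devices were encrypted, which were not, and which have escrowed recovery keys.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","BitLockerKey.ReadBasic.All"

# managedDevice exposes isEncrypted and complianceState directly; -All follows paging.
$devices = Get-MgDeviceManagementManagedDevice -All -Property `
    "id,deviceName,operatingSystem,isEncrypted,complianceState,lastSyncDateTime,userPrincipalName,azureADDeviceId"

# Finding 1: devices whose last report says the disk is not encrypted.
$unencrypted = $devices | Where-Object { -not $_.IsEncrypted }

# Finding 2: devices that have not checked in for 30 days. Their last report is stale, so
# treat them as unknown (not as compliant) until they sync or are retired.
$stale = $devices | Where-Object { $_.LastSyncDateTime -lt (Get-Date).AddDays(-30) }

# BitLocker keys escrowed by Intune / Entra join. The endpoint pages, so follow nextLink.
$keys = @()
$uri  = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys?`$select=id,deviceId,createdDateTime"
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $keys += $page.value
    $uri   = $page.'@odata.nextLink'
} while ($uri)
$keysByDevice = $keys | Group-Object deviceId -AsHashTable -AsString

# Finding 3: Windows devices with no escrowed key. Even if BitLocker is on, you could not
# recover the disk, and the escrow record is the dated evidence that encryption existed.
$noKey = $devices | Where-Object {
    $_.OperatingSystem -eq "Windows" -and -not ($keysByDevice -and $keysByDevice.ContainsKey($_.AzureADDeviceId))
}

# One table for the evidence binder.
$devices | ForEach-Object {
    [pscustomobject]@{
        Device       = $_.DeviceName
        OS           = $_.OperatingSystem
        User         = $_.UserPrincipalName
        Encrypted    = $_.IsEncrypted
        Compliance   = $_.ComplianceState
        LastSync     = $_.LastSyncDateTime
        EscrowedKeys = if ($keysByDevice -and $keysByDevice.ContainsKey($_.AzureADDeviceId)) { $keysByDevice[$_.AzureADDeviceId].Count } else { 0 }
        Stale30d     = ($stale.Id -contains $_.Id)
    }
} | Sort-Object Encrypted, Stale30d | Format-Table -AutoSize
```

Run this monthly and keep the output; when a device is reported lost, the row for it, dated before the loss, is what turns "we think it was encrypted" into a documented determination that the PHI was unreadable.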
5. Data Loss Prevention for PHI patterns
Purview DLP (Business Premium) recognizes SSNs, ICD-10 diagnosis codes, and medical terminology through built-in sensitive information types and ships a U.S. HIPAA policy template; medical record numbers usually need a custom sensitive information type matched to your EHR's format. A policy can show a policy tip, demand a justification, or block outright before someone emails a spreadsheet of patients to the wrong address. Start in test mode with notifications, spend an afternoon tuning the false positives (billing exports and referral letters are the usual noise), then switch to enforce. Most tenants we inherit have them off.
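The test-then-enforce workflow above, as an added example that is not the article's code: a Security & Compliance PowerShell policy that flags an SSN appearing with medical terms in anything leaving the organization. It assumes the ExchangeOnlineManagement module, a Compliance Administrator, and the hypothetical incident mailbox compliance@contoso.com; the sensitive information type names are Microsoft's built-in ones and are looked up first so a renamed type fails loudly rather than silently.

```powershell
# Added example (not the article's code). Assumes ExchangeOnlineManagement and a Compliance
# Administrator. Creates a PHI policy in test mode with policy tips, then shows the switch
# to enforcement once false positives have been tuned. compliance@contoso.com is hypothetical.
Connect-IPPSSession

# Confirm the built-in sensitive information types exist under these exact names in your
# tenant before referencing them in a rule; a typo here produces a rule that never fires.
$sitNames = @(
    "U.S. Social Security Number (SSN)",
    "International Classification of Diseases (ICD-10-CM)",
    "All Medical Terms And Conditions"
)
foreach ($name in $sitNames) {
    if (-not (Get-DlpSensitiveInformationType -Identity $name -ErrorAction SilentlyContinue)) {
        throw "Sensitive information type not found: $name"
    }
}

# Policy scoped to mail, SharePoint, OneDrive and Teams. TestWithNotifications = users see
# the policy tip and incident reports are generated, but nothing is blocked yet.
New-DlpCompliancePolicy -Name "PHI - Outbound" `
    -Comment "Warn, then block, PHI leaving the practice" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: an SSN together with a medical term (or an ICD-10 code), shared with someone
# outside the organization. The AND between groups is what keeps a plain payroll
# spreadsheet from tripping a PHI rule.
$phiCondition = @{
    operator = "And"
    groups   = @(
        @{ name = "Identifier"; operator = "Or"; sensitivetypes = @(
            @{ name = "U.S. Social Security Number (SSN)"; minCount = "1" }
        ) },
        @{ name = "Health context"; operator = "Or"; sensitivetypes = @(
            @{ name = "All Medical Terms And Conditions"; minCount = "1" },
            @{ name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" }
        ) }
    )
}
New-DlpComplianceRule -Name "PHI - SSN with medical context to external" -Policy "PHI - Outbound" `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation $phiCondition `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This looks like patient data leaving the practice. Check the recipient." `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent Title,Sender,Recipients,MatchedItem,RulesMatched

# After a couple of weeks of reading incident reports and tuning: enforce. The override
# with justification stays in place so a legitimate referral can still go out, with a record.
Set-DlpCompliancePolicy -Identity "PHI - Outbound" -Mode Enable
```

The incident reports during test mode are the tuning input: every entry is either a real near-miss or a false positive that tells you which document type needs an exception or a tighter count threshold.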
6. Audit logging — turned on before you need it
When HHS asks "who accessed this mailbox," the audit log is your answer, but only if it was enabled and retained. Unified audit logging and mailbox auditing are on by default for tenants created in recent years, but verify both rather than assume, and check that no mailbox has an audit bypass. Audit (Standard), which Business Premium includes, keeps 180 days by default; if your retention policy requires longer, you need Audit (Premium) or a scheduled export of the log to storage you control. You cannot turn it on retroactively: events that were never recorded are gone.
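The verification and the "who read this mailbox" query above, as an added example that is not the article's code. It assumes the ExchangeOnlineManagement module, an administrator holding the Audit Logs role, and drsmith@contoso.com as a hypothetical mailbox; the export path at the end is likewise an assumption.

```powershell
# Added example (not the article's code). Assumes ExchangeOnlineManagement and an admin with
# the Audit Logs role. drsmith@contoso.com and the export path are hypothetical.
Connect-ExchangeOnline

# 1. Unified audit log ingestion. Set is idempotent; run it anyway so the evidence shows
#    the state was asserted, not just observed.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled     # want True
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# 2. Mailbox auditing: on at the org level, and no mailbox quietly bypassed.
Get-OrganizationConfig | Select-Object AuditDisabled                        # want False
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } | Select-Object Name              # want nothing

# 3. The question HHS actually asks: who accessed this mailbox, from where, as what.
#    MailItemsAccessed covers reads (sync and bind); FolderBind/MessageBind catch older
#    delegate access. Search-UnifiedAuditLog returns at most 5000 rows per call, so for a
#    busy mailbox page with -SessionId/-SessionCommand ReturnLargeSet.
$mailbox = "drsmith@contoso.com"
$start   = (Get-Date).AddDays(-90)
$end     = Get-Date
$events  = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -RecordType ExchangeItem -Operations MailItemsAccessed,FolderBind,MessageBind `
    -FreeText $mailbox

# AuditData is JSON. Keep only events where the target mailbox is $mailbox and the actor
# is someone else; LogonType 2 = delegate, 1 = admin, 0 = the owner.
$access = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    if ($d.MailboxOwnerUPN -eq $mailbox -and $d.UserId -ne $mailbox) {
        [pscustomobject]@{
            When      = $d.CreationTime
            Actor     = $d.UserId
            Operation = $d.Operation
            LogonType = $d.LogonType
            ClientIP  = $d.ClientIPAddress
            Client    = $d.ClientInfoString
        }
    }
}
$access | Sort-Object When | Format-Table -AutoSize

# 4. Retention beyond Audit (Standard): export on a schedule to storage you control,
#    so the 180-day window is not the limit of what you can answer.
$events | Export-Csv -Path "C:\AuditExports\ExchangeItem_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The -FreeText filter is a coarse pre-filter; the JSON check on MailboxOwnerUPN is what makes the result precise, and the LogonType column is what separates a colleague covering a shift from an administrator or an unexpected delegate.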
7. Mind the leaks at the edges
- Auto-forwarding to personal email: block it tenant-wide in the outbound spam filter policy (automatic forwarding Off) and on the default remote domain, then sweep existing mailbox forwarding and inbox rules that forward or redirect, since those survive a password reset.
- Guest sharing defaults in SharePoint/OneDrive: disable anonymous "Anyone" links, set the default link type to people in your organization with view-only permission, and put an expiry on any external links you do allow.
- Shared mailboxes with full-access sprawl: review Full Access and Send As grants at least annually and remove anyone who changed role or left.
- Third-party app consents: staff granting random apps access to mail is a quiet, common hole. Turn off user consent (or limit it to verified publishers and low-risk permissions), route requests through the admin consent workflow, and review the grants that already exist.
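All four edge checks above, as one added example that is not the article's code. It assumes the ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules, a Global Administrator, and "contoso" as the hypothetical tenant name.

```powershell
# Added example (not the article's code). Assumes ExchangeOnlineManagement, the SharePoint
# Online Management Shell, the Microsoft Graph PowerShell SDK, a Global Administrator, and
# "contoso" as a hypothetical tenant name.
Connect-ExchangeOnline

# --- Auto-forwarding: close both doors, then find what already exists. ---
# The outbound spam policy governs client rules and mailbox forwarding to external
# addresses; the default remote domain covers transport-level auto-forward.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Mailbox-level forwarding set by an admin or a compromised account.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Inbox rules that forward or redirect. These survive a password reset, which is why
# attackers plant them.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.Identity |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, ForwardTo, RedirectTo, Enabled
}

# --- Shared mailboxes: who holds Full Access and Send As. Review annually. ---
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains "FullAccess" -and $_.User -notlike "NT AUTHORITY\SELF" -and -not $_.IsInherited } |
        Select-Object @{ n = "Mailbox"; e = { $mbx.PrimarySmtpAddress } }, User, AccessRights
    Get-RecipientPermission -Identity $mbx.Identity -AccessRights SendAs |
        Where-Object { $_.Trustee -notlike "NT AUTHORITY\SELF" } |
        Select-Object @{ n = "Mailbox"; e = { $mbx.PrimarySmtpAddress } }, Trustee, AccessRights
}

# --- SharePoint/OneDrive: no anonymous links; default link internal and view-only. ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal -DefaultLinkPermission View
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission

# --- App consent: users can no longer grant apps access to their data. ---
# An empty permissionGrantPoliciesAssigned list disables user consent entirely; the admin
# consent workflow (enabled in the Entra portal) then receives the requests.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Directory.Read.All"
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" `
    -Body @{ defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() } }

# Grants that already exist: any delegated grant touching mail is worth a look.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.Scope -match "Mail" } |
    Select-Object ClientId, ConsentType, PrincipalId, Scope
```

Keep the output of the three listing sections with the date; the next annual review compares against it, and the diff is usually shorter to read than the full list.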
The honest summary
If your practice runs M365 on Business Standard with MFA "encouraged," you have an email system, not a compliance posture. The jump to a properly configured Business Premium tenant is usually a few dollars per user — far less than one breach-notification mailing.
We do this exact hardening as a fixed-scope engagement: audit, configure, document, hand you the evidence binder. Schedule a discovery call.
Want a second set of eyes on how your practice handles this? Schedule a discovery call.