A Secure SharePoint with AI in Senior Living
By Monique Millan, Modern Workspace & SharePoint Developer | Parasol Alliance
Is SharePoint with Microsoft Copilot HIPAA-Compliant?
As AI becomes increasingly embedded into collaboration platforms like Microsoft SharePoint, OneDrive, and Teams, healthcare and senior living organizations face a new challenge: maintaining HIPAA compliance in an AI-augmented ecosystem. With the introduction of Microsoft 365 Copilot, how can organizations that handle protected health information (PHI) leverage these tools without violating compliance regulations?
What Is HIPAA Compliance in SharePoint?
SharePoint can be HIPAA compliant if certain conditions are met:
You must be on a Microsoft 365 Enterprise plan.
Microsoft must sign a Business Associate Agreement (BAA) with your organization.
You must configure technical safeguards, including:
Role-based access control and multi-factor authentication
End-to-end encryption (TLS and AES-256)
Audit logs and data activity monitoring
DLP policies and retention rules
“SharePoint is HIPAA compliant when used as part of a Microsoft 365 Enterprise plan and a Business Associate Agreement is entered into with Microsoft.” — HIPAA Journal
Microsoft 365 Copilot: A New Compliance Frontier
Copilot leverages large language models (LLMs) to generate insights, summarize documents, and even automate content generation across Microsoft 365 apps. While powerful, this presents compliance risks:
Enterprise Copilot is covered under Microsoft's BAA and can be used in HIPAA-regulated environments with restrictions.
Consumer Copilot or Copilot features relying on web search (e.g., Bing) are not HIPAA compliant.
"Copilot in Microsoft 365 is designed to meet rigorous compliance and security standards, including HIPAA, as long as web-based content is disabled and proper tenant safeguards are in place." — Microsoft Docs
Key Risks and Considerations
Organizations working with ePHI should be aware of the following:
| Concern | Risk |
|---|---|
| Web Search Enabled | PHI may be sent to non-compliant Bing services |
| Poor Access Management | Unauthorized access to sensitive content |
| Insufficient Prompt Controls | Staff may inadvertently include PHI in AI prompts |
| Lack of Monitoring | No audit trail of Copilot interactions |
Best Practices for HIPAA Compliance with SharePoint + Copilot
Ensure a Microsoft 365 BAA is in place: Verify contractually that Copilot is included.
Disable Copilot web search: Prevent data from leaving HIPAA-governed systems.
Enable DLP policies: Use Microsoft Purview to tag, restrict, and monitor PHI.
Train your team: Educate staff on prompt safety and compliance-aware workflows.
Restrict Copilot to secure environments: Avoid mobile and external guest usage for PHI content.
Use audit logs: Enable and monitor Copilot interactions with PHI-rich repositories.
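The last three practices (DLP on PHI, restricting guest use, and monitoring Copilot interactions) can be checked together against an audit export. The script below is an added illustration, not code from the author or from Parasol Alliance, and it runs over a constructed sample whose record shape (fields such as Prompt, AccessedResources, SensitivityLabel and WebSearchUsed) is a simplified assumption rather than the real Microsoft 365 unified audit log schema; the sensitivity-label name "PHI" is likewise assumed. It flags Copilot interactions that grounded on PHI-labelled items, that came from guest accounts (Entra ID guest principals carry "#EXT#" in their UPN), that used web search, or whose prompt contains PHI-like identifiers.

```python
import json
import re

# Constructed sample audit export (JSON lines). The field names are a
# simplified, ASSUMED shape for illustration only; the real Microsoft 365
# unified audit log uses a different, richer schema.
SAMPLE_AUDIT_LOG = r"""
{"CreationTime": "2024-05-01T13:02:11", "Operation": "CopilotInteraction", "UserId": "nurse.a@example.org", "AppHost": "Word", "Prompt": "Summarize the care plan for the resident in room 12", "AccessedResources": [{"Url": "https://example.sharepoint.com/sites/Clinical/CarePlans/room12.docx", "SensitivityLabel": "PHI"}], "WebSearchUsed": false}
{"CreationTime": "2024-05-01T13:05:40", "Operation": "CopilotInteraction", "UserId": "vendor_contoso.com#EXT#@example.onmicrosoft.com", "AppHost": "Teams", "Prompt": "What changed in the billing policy?", "AccessedResources": [{"Url": "https://example.sharepoint.com/sites/Clinical/Billing/policy.docx", "SensitivityLabel": "PHI"}], "WebSearchUsed": false}
{"CreationTime": "2024-05-01T13:09:02", "Operation": "CopilotInteraction", "UserId": "admin.b@example.org", "AppHost": "Copilot", "Prompt": "Draft a letter for John Doe, DOB 03/14/1942, MRN 0048213", "AccessedResources": [], "WebSearchUsed": true}
{"CreationTime": "2024-05-01T13:12:55", "Operation": "FileAccessed", "UserId": "nurse.a@example.org", "AppHost": "SharePoint", "Prompt": "", "AccessedResources": [{"Url": "https://example.sharepoint.com/sites/HR/handbook.pdf", "SensitivityLabel": "General"}], "WebSearchUsed": false}
{"CreationTime": "2024-05-01T13:15:10", "Operation": "CopilotInteraction", "UserId": "nurse.c@example.org", "AppHost": "Outlook", "Prompt": "Reply thanking the family for the visit", "AccessedResources": [{"Url": "https://example.sharepoint.com/sites/Marketing/newsletter.docx", "SensitivityLabel": "General"}], "WebSearchUsed": false}
"""

PHI_LABEL = "PHI"  # assumed name of the Purview sensitivity label applied to ePHI

# A few PHI-like identifiers that should never be typed into a prompt.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(r"\bDOB\b[:\s]*\d{1,2}/\d{1,2}/\d{4}", re.I),
    "medical_record_number": re.compile(r"\bMRN\b[:\s#]*\d{5,}", re.I),
}


def phi_indicators(text: str) -> list[str]:
    """Names of PHI-like patterns found in free text such as a prompt (sorted)."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def is_guest_account(user_id: str) -> bool:
    """Entra ID guest (B2B) accounts carry '#EXT#' in their user principal name."""
    return "#EXT#" in user_id.upper()


def review_copilot_audit(log_text: str, phi_label: str = PHI_LABEL) -> list[dict]:
    """Return one finding per Copilot interaction that deserves a compliance look."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") != "CopilotInteraction":
            continue  # only Copilot interactions are in scope here
        reasons, severity = [], "info"
        phi_urls = [r["Url"] for r in rec.get("AccessedResources", [])
                    if r.get("SensitivityLabel") == phi_label]
        if phi_urls:  # audit trail of Copilot touching PHI-labelled content
            reasons.append(f"Copilot grounded on {len(phi_urls)} PHI-labelled item(s)")
        if phi_urls and is_guest_account(rec["UserId"]):
            reasons.append("guest account reached PHI-labelled content")
            severity = "high"
        if rec.get("WebSearchUsed"):
            reasons.append("web search used; content may leave the BAA-covered tenant")
            severity = "high"
        hits = phi_indicators(rec.get("Prompt", ""))
        if hits:
            reasons.append("PHI-like identifiers typed into prompt: " + ", ".join(hits))
            severity = "high"
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "app": rec.get("AppHost"), "severity": severity,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_copilot_audit(SAMPLE_AUDIT_LOG):
        print(f["time"], f["severity"].upper(), f["user"], f["app"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample, the internal nurse's interaction with a PHI-labelled care plan is recorded as an informational trail entry, while the guest account reaching PHI content and the prompt that both used web search and contained a date of birth and MRN are raised as high. The FileAccessed record and the newsletter interaction produce nothing. Against a real export, the first step is to map the tenant's actual field names and label names onto the assumed ones above.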
SharePoint (E3/E5) is HIPAA compliant with a BAA and secure configuration.
Microsoft 365 Copilot is HIPAA compliant with controls: you must disable web features and restrict prompt data.
Bing Web Search is not HIPAA compliant.
Microsoft Teams is HIPAA compliant with limits: only internal chats, and you must disable guest/external use.
With intentional governance and configuration, modern SharePoint combined with Microsoft Copilot can support HIPAA compliance. For senior living communities, this means being able to enhance efficiency with AI without compromising patient trust or regulatory obligations.