HIPAA and Teams/SharePoint

Nathan C. Tubergen 1 Reputation point
2020-09-04T16:04:37.53+00:00

I am trying to build a model for a small healthcare office. We need to take in PHI, schedule a Teams appointment, automatically generate records, and then share the records with the patient.

According to MS's HIPAA page, Azure, Automate, OneDrive, SharePoint and Teams are all covered under the scope, which I understand still leaves the responsibility to manage permissions and incidents to the organization.

I guess the most concerning part to me is sharing the records with the patient, but I have this general workflow:

  1. (Trigger) User submits a form with their email and asks for an appointment.
  2. An invitation asking them to join our Org's Microsoft organization is sent to their email address.
  3. Once they log in with their email and Microsoft password and accept the invitation, they are directed to a SharePoint page with a form asking them all the PHI and medical questions as well as availability. This heads directly to an Azure SQL server with strict access.
  4. Once we receive the second form, we schedule a meeting with the patient and the Doctor.
  5. Appointment happens over Teams.
  6. After the appointment, the Doctor approves/signs off on each person in his "after-chat" queue. Maybe Power Apps? Also in-scope for HIPAA.
  7. Paperwork/documents are generated from SQL and appointment data, and an email is sent out with instructions to access the files.
  8. User receives email (PHI-free / HIPAA compliant) and follows the link to the private SharePoint page only they have access to with their documents. The rest of the email contains steps for registering online, or printing and mailing the documents.

I would obviously set up an audit to ensure only the specific and authenticated users are accessing the correct PHI, but I guess I don't love using SharePoint for holding PHI-containing records. Also, is a Guest MS account enough to authenticate? Should I enable 2FA for Guest Users?


1 answer

  1. Jerry Xu-MSFT 7,956 Reputation points
    2020-09-07T02:52:52.337+00:00

    For permissions in a SharePoint list, here is some information which may be helpful to you.

    I assume you are clear about how to configure external sharing in Microsoft 365 to grant access to patients. And here is an overview if you want to have a check on it.

    We can share a list with a customized Power Apps form with these external users. Have the patients fill in the form with the PHI. By setting item-level permissions, we can ensure the external users can only see the forms created by themselves.

    For the appointment with Teams, it may be better to send the invitation via Outlook email with a link for a Teams meeting. Users can join the meeting with the link. External users shall be fine for this part.

    And for the auto-generated email, you may turn to Power Automate to create a Flow to generate the email with the required information; it is more handy and very powerful. We have actions in Flow to create sharing links. So things could go like this: when a required document is created, trigger a Flow to generate a sharing link to that file, then send the email to the specific external user (patient) with this link. The users only need to receive the email and access the file via the link we provide. Guest access shall work.

    For auditing, Microsoft 365 provides the audit log for you to monitor user activities.

    So overall, it shall be fine for you to handle the whole process with a guest account, except the part about "after-chat" and paperwork, as I am not very clear about your detailed requirements. Still, as the procedure you describe needs a lot of different products, it will always be helpful for you to have a talk with an MS partner or solution provider.


    If the answer is helpful, please click "Accept Answer" and upvote it.
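The two controls the answer leans on, item-level permissions on the intake list and the Microsoft 365 audit log for guest activity, can be applied and checked from PowerShell. The script below is an added example and is not code from the thread or from Microsoft; it assumes the PnP.PowerShell and ExchangeOnlineManagement modules are installed, that the `Set-PnPList -ReadSecurity/-WriteSecurity` and `Get-PnPList -Includes` parameters are available in your module version, and that the site URL `https://contoso.sharepoint.com/sites/Intake` and list name `PatientIntake` are placeholders for your own values.

```powershell
# Added example (not from the thread). Placeholders: replace with your own site and list.
$SiteUrl  = "https://contoso.sharepoint.com/sites/Intake"
$ListName = "PatientIntake"

# Connect to the SharePoint site (PnP.PowerShell; newer versions may also require -ClientId).
Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Item-level permissions: each patient may read and edit only items they created.
#    ReadSecurity 2  = "Read items that were created by the user"
#    WriteSecurity 2 = "Create items and edit items that were created by the user"
Set-PnPList -Identity $ListName -ReadSecurity 2 -WriteSecurity 2

# 2. Verify the setting actually took effect rather than trusting the call succeeded.
$list = Get-PnPList -Identity $ListName -Includes ReadSecurity, WriteSecurity
if ($list.ReadSecurity -ne 2 -or $list.WriteSecurity -ne 2) {
    throw "Item-level permissions on '$ListName' are not restricted to the item creator."
}

# Caveat: item-level security does not restrict accounts holding "Manage Lists"
# on the list, so review the site's groups for anyone who should not hold it.
Get-PnPGroup | ForEach-Object {
    $group = $_
    Get-PnPGroupMember -Identity $group |
        Select-Object @{ Name = 'Group'; Expression = { $group.Title } }, LoginName
} | Format-Table -AutoSize

# 3. Audit: list SharePoint file operations by guest accounts on this site, last 7 days.
Connect-ExchangeOnline
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointFileOperation -ResultSize 5000

$guestActivity = foreach ($record in $records) {
    $data = $record.AuditData | ConvertFrom-Json
    # B2B guest accounts carry "#EXT#" in their user principal name.
    if ($data.UserId -like "*#EXT#*" -and $data.SiteUrl -like "$SiteUrl*") {
        [pscustomobject]@{
            Time      = $data.CreationTime
            User      = $data.UserId
            Operation = $data.Operation   # e.g. FileAccessed, FileDownloaded
            Object    = $data.ObjectId    # full path of the file touched
            ClientIP  = $data.ClientIP
        }
    }
}

# Review: every row should be a patient touching only their own document.
$guestActivity | Sort-Object Time | Format-Table -AutoSize
```

The verification step matters because item-level settings are easy to reset when a list is recreated or a template is reapplied; the audit query pairs a guest's UPN with the exact object path, which is what an access review for the "private page only they can see" design needs. Keep `-ResultSize` in mind on busy tenants, since a single call returns at most the first page of results.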
