
What Do Customers Need to Do to Be HIPAA Compliant?
Enable Multi-Factor Authentication (MFA) for all users.
Assign admin roles only to trusted personnel.
Use Microsoft Purview Message Encryption for emails containing PHI.
Set up Data Loss Prevention (DLP) policies.
Store PHI only in OneDrive for Business or SharePoint Online.
Enable audit logging to track access and changes.
Configure retention policies for record-keeping.
Train staff on secure handling of PHI.
Use Microsoft Purview Compliance Manager to monitor compliance.
How Can Customers Show They're Compliant?
Maintain internal documentation of all compliance measures.
Use Compliance Manager (https://purview.microsoft.com) to generate reports.
Optionally, engage a third-party auditor for a compliance attestation.
Note:
Microsoft does not issue a HIPAA compliance certificate, since only the customer can demonstrate how securely PHI is managed in their tenant.
HIPAA compliance is therefore self-attested: customers must document their own efforts.
Microsoft automatically provides a Business Associate Agreement (BAA) when a tenant is created, confirming that Microsoft 365 services protect PHI through encryption, restricted data center access, and non-disclosure of data.
