
Purview – HIPAA Compliant Security Policy

Step-by-Step Guide: Creating a HIPAA-Compliant Security Policy in Microsoft Purview


Step 1: Access Microsoft Purview

  1. Sign in with a Microsoft 365 admin account.
  2. Open the Microsoft Purview portal: https://compliance.microsoft.com (this address now redirects to https://purview.microsoft.com).
  3. Confirm the account holds the Compliance Administrator role. Global Administrator also works, but it is far more privileged than these tasks need; use it only for initial setup.

Step 2: Enable Audit Logging

  1. In the left menu, go to Audit.
  2. If the page shows Start recording user and admin activity, click it (auditing is already on for most tenants).
  3. Confirm logging is active. The HIPAA audit-controls requirement (45 CFR 164.312(b)) depends on it, and every later step produces records only if it is on. Audit log search can take up to 60 minutes to become available after enabling.

Step 3: Create Sensitivity Labels for PHI

  1. Go to Information Protection > Labels.
  2. Click + Create a label.
  3. Name it: Confidential – PHI.
  4. Configure:
    • Encryption (assign permissions now; grant only the authorized users or groups, so the content stays protected even after it leaves the tenant)
    • Marking (optional headers/footers such as “Contains PHI”)
  5. Publish the label:
    • Go to Label policies > Publish labels
    • Select the users/groups who handle PHI and, if needed, require them to apply a label to documents and emails

Step 4: Configure Auto-Labeling for PHI

  1. Go to Information Protection > Auto-labeling.
  2. Click + Create auto-labeling policy.
  3. Choose sensitive info types that identify PHI in your data, for example:
    • The built-in medical types used by the HIPAA DLP template: U.S. Social Security Number (SSN), Drug Enforcement Agency (DEA) Number, International Classification of Diseases (ICD-9-CM / ICD-10-CM)
    • A custom sensitive info type for your organization's medical record number format (there is no built-in type for it)
  4. Set conditions (e.g., apply Confidential – PHI when any of these types is detected).
  5. Run in simulation mode first, review the matched items for false positives, then turn it on.

Step 5: Create Data Loss Prevention (DLP) Policy

  1. Navigate to Data Loss Prevention > Policies.
  2. Click + Create policy.
  3. Choose the template: U.S. Health Insurance Act (HIPAA) under Medical and health (the Enhanced variant adds broader medical-term detection).
  4. Select locations:
    • Exchange (email)
    • SharePoint
    • OneDrive
    • Teams
  5. Configure rules:
    • Detect PHI (the template's sensitive info types, plus any custom type from Step 4)
    • Block sharing with people outside the organization, or require encryption for email
    • Show policy tips to users
  6. Run the policy in test mode with notifications first, review the matches, then turn it on.
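The same Steps 2 to 5, scripted with Security & Compliance PowerShell so they can be reviewed and repeated. This is an added example, not from the original page or from Microsoft's documentation; it assumes the ExchangeOnlineManagement module is installed, the account holds the Compliance Administrator role, and the group address and domain (contoso.com) are placeholders for your own.

```powershell
# Added example, not part of the original guide. Placeholders: contoso.com
# addresses and group names. Run once with Install-Module ExchangeOnlineManagement.
Connect-ExchangeOnline   # Exchange Online session: needed for the audit config cmdlets
Connect-IPPSSession      # Security & Compliance session: labels, DLP, retention

# Step 2: make sure unified audit logging is on before anything else, otherwise
# later DLP matches and label changes leave no record.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Step 3: sensitivity label with encryption and a header marking. Rights go to a
# placeholder group; everyone not listed gets no access to protected content.
New-Label -Name "Confidential-PHI" -DisplayName "Confidential - PHI" `
    -Tooltip "Protected Health Information. Share only with authorized staff." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "phi-authorized@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,REPLY,REPLYALL,FORWARD" `
    -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "Contains PHI"

# Publish it. Replace All with specific users/groups to scope the label policy.
New-LabelPolicy -Name "PHI label policy" -Labels "Confidential-PHI" -ExchangeLocation All

# Step 5: DLP policy across the four locations, created in test mode so that
# policy tips appear but nothing is blocked until the matches are reviewed.
New-DlpCompliancePolicy -Name "HIPAA PHI" `
    -Comment "Detect PHI and block sharing outside the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Built-in medical sensitive info types (same ones the HIPAA template uses).
# Add your custom MRN type to this list once it exists.
$phiTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = "1" },
    @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" }
)
New-DlpComplianceRule -Name "Block PHI to external recipients" -Policy "HIPAA PHI" `
    -ContentContainsSensitiveInformation $phiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains PHI and cannot be shared outside the organization." `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All `
    -ReportSeverityLevel High

# After reviewing test-mode matches, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity "HIPAA PHI" -Mode Enable
```

Leaving the policy in TestWithNotifications until the first week of matches has been reviewed is the important part: a rule that blocks on a single ICD-10 code will also stop routine internal correspondence if the access scope is set wrong, and test mode shows that without interrupting anyone.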

Step 6: Configure Endpoint DLP (Optional but Recommended)

  1. Onboard the devices first (Settings > Device onboarding); Endpoint DLP only sees Windows and macOS devices that have been onboarded.
  2. Go to Data Loss Prevention > Endpoint DLP settings and review the global settings (for example, the file types and network-share paths that are monitored).
  3. In your DLP policy, add the Devices location and set the device actions for PHI (Copy to removable USB device, Print, Copy to network share) to Block, or to Block with override if users need an exception path.

Step 7: Set Up Insider Risk Management

  1. Go to Insider Risk Management.
  2. Accept the prerequisites (permissions, data-sharing consent).
  3. Click + Create policy.
  4. Choose a template, for example:
    • Data leaks
    • Data theft by departing users
    • Patient data misuse (healthcare template; requires the healthcare data connector)
  5. Define the users/groups in scope and the risk indicators to watch.
  6. Configure alerts and severity levels.

Step 8: Configure Retention Policies

  1. Go to Data Lifecycle Management > Retention policies.
  2. Click + Create policy.
  3. Name it (e.g., PHI Retention – 6 Years).
  4. Choose locations (Exchange, SharePoint, etc.).
  5. Set retention:
    • Retain for 6 years (HIPAA requires its documentation, such as policies, procedures and audit records, to be kept 6 years under 45 CFR 164.316(b)(2); retention periods for the medical records themselves are set by state law and may be longer)
    • Then delete, or retain indefinitely, according to your records-retention schedule
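The retention policy and rule from this step, scripted as an added example (not from the original page). It assumes an open Connect-IPPSSession session; the policy name is the one used above.

```powershell
# Added example, not part of the original guide. Assumes Connect-IPPSSession.
# Retention durations are given in days; the portal's "6 years" is 6 * 365.
$sixYears = 6 * 365   # 2190 days

New-RetentionCompliancePolicy -Name "PHI Retention - 6 Years" `
    -Comment "45 CFR 164.316(b)(2): HIPAA documentation kept for 6 years" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Enabled $true

# Keep for 6 years from last modification, then delete. If state law or your
# records schedule needs longer, use -RetentionComplianceAction Keep (no deletion)
# or -RetentionDuration Unlimited. A period can be extended later; content
# already deleted by a shorter period cannot be recovered by extending it.
New-RetentionComplianceRule -Name "PHI keep 6y then delete" `
    -Policy "PHI Retention - 6 Years" `
    -RetentionDuration $sixYears `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Do not rely on the policy until it shows as distributed to every location.
Get-RetentionCompliancePolicy -Identity "PHI Retention - 6 Years" -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```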

Step 9: Enable eDiscovery (for Legal/HIPAA Requests)

  1. Go to eDiscovery (Standard or Premium).
  2. Create a case.
  3. In eDiscovery (Premium), add custodians (the users whose mailboxes and sites hold the PHI in question); in eDiscovery (Standard), add their mailboxes and sites to the case directly.
  4. Place the content on hold so it is preserved regardless of retention or user deletion.

Step 10: Configure Access Controls

  1. Go to Microsoft Entra ID (formerly Azure AD).
  2. Enable:
    • Multi-Factor Authentication (MFA) for every account that can reach PHI
    • Conditional Access policies (require MFA and a compliant device, restrict by location); create them in report-only mode first and exclude a break-glass account so a misconfiguration cannot lock out all admins
  3. Assign least-privilege roles (for example, Compliance Administrator rather than Global Administrator for the Purview work above).
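A Conditional Access policy matching this step, written with Microsoft Graph PowerShell as an added example (not from the original page). It assumes the Microsoft.Graph module is installed, the caller holds the Conditional Access Administrator role, and the two object IDs are placeholders for your PHI-handling group and your break-glass account.

```powershell
# Added example, not part of the original guide. Placeholder IDs below must be
# replaced with real object IDs from your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$phiUsersGroupId   = "00000000-0000-0000-0000-000000000001"   # placeholder group
$breakGlassUserId  = "00000000-0000-0000-0000-000000000002"   # placeholder emergency account

$policy = @{
    displayName = "PHI: require MFA and compliant device"
    # Report-only: evaluated and logged in sign-in logs, but not enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeGroups = @($phiUsersGroupId)
            excludeUsers  = @($breakGlassUserId)   # never lock out the emergency account
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                       # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in report-only mode"

# Once the report-only results in the sign-in logs look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Report-only mode is what makes the policy safe to roll out: the sign-in logs show which users would have been blocked and why, and the break-glass exclusion guarantees an admin path that does not depend on the device-compliance service being healthy.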

Step 11: Configure Alerts and Monitoring

  1. Go to Alerts > Alert policies.
  2. Enable alerts for:
    • DLP violations
    • Unusual file access
    • Insider risk events
  3. Set notification recipients (security team).

Step 12: Test the Policy

  1. Upload or send test files containing synthetic sample PHI (made-up names, SSA sample SSNs, fabricated record numbers); never use real patient data for testing, since test items end up in mailboxes, alerts and incident reports.
  2. Confirm:
    • Labels are applied
    • DLP blocks or warns appropriately
    • Alerts are triggered
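A test run for this step, as an added example (not from the original page). It assumes an open Connect-IPPSSession / Connect-ExchangeOnline session and the DLP policy from Step 5. The sample text is constructed: 219-09-9999 is the Social Security Administration's published sample number, the ICD-10 code is a generic diagnosis code, and the DEA number is a made-up value that satisfies the DEA check-digit rule. The property names used to read the DLP audit record are the ones found in DlpRuleMatch events; treat them as an assumption and adjust if your records differ.

```powershell
# Added example, not part of the original guide. All sample data is constructed.
$sample = @"
Patient: Jane Sample    SSN: 219-09-9999
Diagnosis: E11.9 (ICD-10-CM)    Prescriber DEA: AB1234563
"@

# 1. Does the classifier detect PHI in this text? Nothing is sent or stored;
#    the result lists the sensitive info types found and their confidence.
Test-DataClassification -TextToClassify $sample | Format-List

# 2. After sending the same text from a pilot mailbox to an external address
#    (and waiting for audit ingestion, which can lag by up to an hour), pull the
#    DLP rule matches from the unified audit log and check the action taken.
$start = (Get-Date).AddHours(-2)
$end   = Get-Date
$matches = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations DlpRuleMatch -ResultSize 500 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }

$matches | Select-Object CreationTime, Workload,
    @{ n = "Policy";   e = { $_.PolicyDetails.PolicyName } },
    @{ n = "Rule";     e = { $_.PolicyDetails.Rules.RuleName } },
    @{ n = "Actions";  e = { ($_.PolicyDetails.Rules.Actions -join ",") } },
    @{ n = "Severity"; e = { $_.PolicyDetails.Rules.Severity } } |
    Format-Table -AutoSize

# Expected while the policy is still in test mode: a match with no block action.
# After Set-DlpCompliancePolicy -Mode Enable: the same match with BlockAccess.
if (-not $matches) {
    Write-Warning "No DlpRuleMatch events yet: check audit ingestion delay, policy scope and the sender's location."
}
```

Step 1 isolates classifier problems (a custom MRN type that never fires) from policy problems (right detection, wrong scope or action), which is the distinction you need when a test item is not blocked.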

Step 13: Train Users

  1. Inform users about:
    • PHI handling rules
    • Label usage
    • DLP warnings
  2. Conduct periodic training sessions.

Step 14: Document and Review

  1. Document all configurations and policies.
  2. Schedule quarterly reviews.
  3. Adjust based on audit findings or regulation changes.