RUNBOOK: HIPAA Compliance Implementation in Microsoft Purview

Phase 1 — Initial Setup

Step 1: Access Compliance Portal

What you should see (screenshot reference):

  • Left sidebar with:
    • Solutions
    • Data Loss Prevention
    • Information Protection
    • Audit
    • Compliance Manager

Step 2: Enable Audit Logging

Path:

  • Audit → “Start recording user and admin activity”

Action:

  • Click Start recording

What you should see:

  • Status changes to: ✅ Auditing is enabled

Step 3: Assign Roles

Path:

  • Settings → Roles → Role groups

Assign:

  • Compliance Administrator
  • DLP Compliance Management
  • Information Protection Admin

Screenshot reference:

  • Table of role groups with “Members” column populated
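
The same two steps, scripted. This is an added example, not code from the runbook or from Microsoft: it assumes the ExchangeOnlineManagement module is installed, that the account running it holds a Global or Compliance admin role, and that every address below (admin@contoso.example, the two member addresses) is a placeholder. Role group names are taken from the runbook and must match what Get-RoleGroup returns in your tenant.

```powershell
# Added example, not part of the runbook: scripted Phase 1 (audit logging and
# role-group membership). Assumes the ExchangeOnlineManagement module and a
# Global or Compliance admin account; every address here is a placeholder.
Import-Module ExchangeOnlineManagement
$admin = "admin@contoso.example"

# Step 2: the audit-log switch is an Exchange Online setting.
Connect-ExchangeOnline -UserPrincipalName $admin -ShowBanner:$false
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
# The portal banner can lag by up to an hour; this reads the setting directly.
"Auditing enabled: {0}" -f (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
# Disconnect first: the compliance session exposes Get-RoleGroup and
# Add-RoleGroupMember under the same names, and the two must not be mixed.
Disconnect-ExchangeOnline -Confirm:$false

# Step 3: compliance role groups live in the Security & Compliance endpoint.
Connect-IPPSSession -UserPrincipalName $admin
$members    = @("compliance.lead@contoso.example", "dlp.admin@contoso.example")
# Runbook's names; they must match Get-RoleGroup output in your tenant.
$roleGroups = @("Compliance Administrator", "DLP Compliance Management", "Information Protection Admin")

foreach ($rg in $roleGroups) {
    if (-not (Get-RoleGroup -Identity $rg -ErrorAction SilentlyContinue)) {
        Write-Warning "Role group '$rg' not found; list them with Get-RoleGroup"
        continue
    }
    foreach ($m in $members) {
        try {
            Add-RoleGroupMember -Identity $rg -Member $m -ErrorAction Stop
        } catch {
            # Typically "already a member"; report and keep going.
            Write-Warning "Could not add $m to ${rg}: $($_.Exception.Message)"
        }
    }
}

# Same information as the screenshot: the populated Members column per group.
foreach ($rg in $roleGroups) {
    Get-RoleGroupMember -Identity $rg -ErrorAction SilentlyContinue |
        Select-Object @{ n = "RoleGroup"; e = { $rg } }, Name, DisplayName
}
```

Run it once per tenant; the membership loop is safe to re-run because an existing member only produces a warning.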

Phase 2 — Data Discovery & Classification

Step 4: Review Sensitive Info Types

Path:

  • Data classification → Sensitive info types

Search for:

  • “U.S. Health Insurance Act (HIPAA)”
  • SSN
  • Medical record number

What you should see:

  • Built-in definitions with confidence levels (Low/Medium/High)

Step 5: Use Content Explorer

Path:

  • Data classification → Content explorer

Action:

  • Filter by:
    • Location (Exchange, SharePoint, OneDrive)
    • Sensitive type (PHI)

What you should see:

  • Files/emails flagged with sensitive data matches

Phase 3 — Sensitivity Labels (Data Protection)

Step 6: Create Sensitivity Labels

Path:

  • Information Protection → Labels → “Create a label”

🔐 TEMPLATE: Sensitivity Labels

Label 1: PHI – Highly Confidential

Name: PHI - Highly Confidential
Description: Protected Health Information under HIPAA
Encryption:
- Assign permissions to specific users/groups only
- Block external access
Content Marking:
- Header: CONFIDENTIAL – PHI
- Footer: Contains Protected Health Information
Auto-labeling:
- Conditions:
  - U.S. Social Security Number
  - Medical Record Number
  - HIPAA Identifier
- Confidence: Medium or High

Label 2: Confidential

Name: Confidential
Encryption: Internal users only
Marking: CONFIDENTIAL

Label 3: Internal

Name: Internal
No encryption
Marking: Internal Use Only

Step 7: Publish Labels

Path:

  • Label policies → Publish labels

Assign to:

  • All users handling PHI

What you should see:

  • Labels available in:
    • Outlook
    • Word
    • Excel
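
Steps 6 and 7 as Security & Compliance PowerShell. This is an added example, not code from the runbook or from Microsoft. It assumes Connect-IPPSSession works for the placeholder admin, that phi-handlers@contoso.example is a placeholder mail-enabled group of the users who handle PHI, that contoso.example is the placeholder tenant domain, and that the pilot SharePoint site URL is a placeholder. The "HIPAA Identifier" condition from the template is left out because its sensitive info type name is not known; the two names used must match Get-DlpSensitiveInformationType in your tenant.

```powershell
# Added example, not part of the runbook: the three labels from the Phase 3
# template, auto-labeling on a pilot site in simulation mode, and publishing.
# Assumes Connect-IPPSSession; group, domain and site URL are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"

$phiGroup     = "phi-handlers@contoso.example"   # placeholder group of PHI handlers
$tenantDomain = "contoso.example"                 # placeholder tenant domain

# Label 1: encrypted, rights granted only to the PHI group (nobody else, so no
# external access), header and footer marking.
$phiLabel = @{
    Name                             = "PHI - Highly Confidential"
    DisplayName                      = "PHI - Highly Confidential"
    Tooltip                          = "Protected Health Information under HIPAA"
    EncryptionEnabled                = $true
    EncryptionProtectionType         = "Template"
    EncryptionRightsDefinitions      = "${phiGroup}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"
    ApplyContentMarkingHeaderEnabled = $true
    ApplyContentMarkingHeaderText    = "CONFIDENTIAL - PHI"
    ApplyContentMarkingFooterEnabled = $true
    ApplyContentMarkingFooterText    = "Contains Protected Health Information"
}
New-Label @phiLabel

# Label 2: encrypted for all users in the tenant domain (internal only).
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Internal confidential content" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "${tenantDomain}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "CONFIDENTIAL"

# Label 3: marking only, no encryption.
New-Label -Name "Internal" -DisplayName "Internal" `
    -Tooltip "Internal use only" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "Internal Use Only"

# Auto-labeling for Label 1, scoped to one pilot site and in simulation mode
# (Pro Tip: test on a small scope first). Medium confidence = 65.
New-AutoSensitivityLabelPolicy -Name "PHI Auto-label (pilot)" `
    -ApplySensitivityLabel "PHI - Highly Confidential" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/phi-pilot" `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name "PHI conditions" -Policy "PHI Auto-label (pilot)" `
    -ContentContainsSensitiveInformation @(
        @{ name = "U.S. Social Security Number (SSN)"; minCount = 1; minConfidence = 65 },
        @{ name = "Medical Record Number";              minCount = 1; minConfidence = 65 }
    )

# Step 7: publish all three labels to the PHI handlers. Requiring a
# justification on downgrade keeps the label trail reviewable.
New-LabelPolicy -Name "PHI Label Policy" `
    -Labels "PHI - Highly Confidential", "Confidential", "Internal" `
    -ExchangeLocation $phiGroup `
    -AdvancedSettings @{ requiredowngradejustification = "true" }

# Verify what the clients will offer.
Get-Label | Format-Table Name, EncryptionEnabled, ContentType
Get-LabelPolicy -Identity "PHI Label Policy" | Format-List Name, Labels, ExchangeLocation
```

Labels can take up to 24 hours to appear in Outlook, Word and Excel after publishing; the Get-LabelPolicy output confirms the server side is done.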

Phase 4 — Data Loss Prevention (DLP)

Step 8: Create DLP Policy

Path:

  • Data Loss Prevention → Policies → Create policy

Template:

  • “U.S. Health Insurance Act (HIPAA)”

🚫 TEMPLATE: DLP POLICY (HIPAA)

Policy Name: HIPAA PHI Protection Policy
Locations:
- Exchange Online
- SharePoint Online
- OneDrive
- Microsoft Teams

Rules:

Rule 1: Block External Sharing of PHI
Conditions:
- Content contains:
  - 1+ U.S. SSN AND
  - 1+ Medical Record Number
Actions:
- Block sharing externally
- Show policy tip
- Send alert to compliance team

Rule 2: Warn on PHI Transmission
Conditions:
- Content contains PHI (medium confidence)
Actions:
- Allow override with justification
- Show warning to user

Rule 3: High Volume Data Exfiltration
Conditions:
- 10+ PHI records detected
Actions:
- Block activity
- Generate high severity alert

Step 9: Enable Policy Tips

What you should see:

  • In Outlook/Word:
    • Yellow warning bar
    • “This content may contain sensitive information”
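
Steps 8 and 9 as Security & Compliance PowerShell. This is an added example, not code from the runbook or from Microsoft. It assumes Connect-IPPSSession works for the placeholder admin and that compliance@contoso.example is the placeholder compliance mailbox. The SSN name is the built-in sensitive info type; the medical record number name is the runbook's wording and the script checks that both resolve before building rules on them. The policy is created in test mode with policy tips, which is the runbook's Pro Tip of auditing before enforcing; the enforcement switch is the last line.

```powershell
# Added example, not part of the runbook: Phase 4 DLP template as Security &
# Compliance PowerShell. Assumes the ExchangeOnlineManagement module, a
# compliance admin account, and the placeholder addresses below.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder

$policyName   = "HIPAA PHI Protection Policy"
$alertMailbox = "compliance@contoso.example"                    # placeholder

# Sensitive info type names must match the tenant catalog exactly; the SSN
# name is built in, the MRN name is taken from the runbook (verify it).
$sitNames = @("U.S. Social Security Number (SSN)", "Medical record number")
foreach ($n in $sitNames) {
    if (-not (Get-DlpSensitiveInformationType -Identity $n -ErrorAction SilentlyContinue)) {
        throw "Sensitive info type '$n' not found; list them with Get-DlpSensitiveInformationType"
    }
}

# Policy in test mode with policy tips: users see the tip (Step 9) and the
# matches are logged, but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule 1: SSN AND MRN both present, shared outside the org -> block, tip, alert.
# Two single-type groups joined by the top-level "And" express the conjunction.
$ssnAndMrn = @{
    operator = "And"
    groups   = @(
        @{ name = "SSN"; operator = "Or"; sensitivetypes = @(@{ name = $sitNames[0]; minCount = 1 }) },
        @{ name = "MRN"; operator = "Or"; sensitivetypes = @(@{ name = $sitNames[1]; minCount = 1 }) }
    )
}
$rule1 = @{
    Name                                = "Block External Sharing of PHI"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $ssnAndMrn
    AccessScope                         = "NotInOrganization"
    BlockAccess                         = $true
    NotifyUser                          = "Owner"
    NotifyPolicyTipCustomText           = "This content contains PHI and cannot be shared outside the organization."
    GenerateAlert                       = $alertMailbox
    ReportSeverityLevel                 = "High"
}
New-DlpComplianceRule @rule1

# Rule 2: either identifier at medium confidence (65) -> warn the user,
# allow override with a written justification.
$anyPhiMedium = @{
    operator = "And"
    groups   = @(@{ name = "PHI"; operator = "Or"; sensitivetypes = @(
        @{ name = $sitNames[0]; minCount = 1; minConfidence = 65 },
        @{ name = $sitNames[1]; minCount = 1; minConfidence = 65 }) })
}
New-DlpComplianceRule -Name "Warn on PHI Transmission" -Policy $policyName `
    -ContentContainsSensitiveInformation $anyPhiMedium `
    -NotifyUser Owner -NotifyAllowOverride WithJustification `
    -ReportSeverityLevel Medium

# Rule 3: 10 or more PHI records in one item -> block, high-severity alert,
# incident report to the compliance mailbox for triage.
$bulkPhi = @{
    operator = "And"
    groups   = @(@{ name = "BulkPHI"; operator = "Or"; sensitivetypes = @(
        @{ name = $sitNames[0]; minCount = 10 },
        @{ name = $sitNames[1]; minCount = 10 }) })
}
New-DlpComplianceRule -Name "High Volume Data Exfiltration" -Policy $policyName `
    -ContentContainsSensitiveInformation $bulkPhi `
    -BlockAccess $true `
    -GenerateAlert $alertMailbox -ReportSeverityLevel High `
    -GenerateIncidentReport $alertMailbox `
    -IncidentReportContent @("Title", "DocumentAuthor", "MatchedItem", "RulesMatched")

# After the test period, once tips and false positives are tuned, enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Watch the DLP reports during the test window before flipping the mode; Rule 2 in particular is where the Pro Tip on tuning thresholds applies, since medium confidence on a single identifier is the noisiest condition in the set.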

Phase 5 — Endpoint DLP

Step 10: Enable Endpoint Protection

Path:

  • Endpoint DLP → Settings

Actions:

  • Turn on device onboarding
  • Connect via Intune or Defender

💻 TEMPLATE: Endpoint DLP Policy

Policy Name: Endpoint PHI Protection
Conditions:
- Device: Windows 10/11
- Content contains PHI
Actions:
- Block copy to USB
- Block printing
- Block upload to unauthorized apps
- Allow access to approved apps only
User Notification:
- Show warning message

Phase 6 — Retention & Records Management

Step 11: Create Retention Policy

Path:

  • Data lifecycle management → Retention policies

📁 TEMPLATE: RETENTION POLICY

Policy Name: PHI Retention Policy
Scope:
- Exchange mailboxes
- SharePoint sites
- OneDrive accounts
Retention Settings:
- Retain content for 6 years (HIPAA baseline)
- Do not allow deletion during retention period
- Automatically delete after expiration (optional, based on policy)
Trigger:
- Date created OR last modified

Step 12: Retention Labels

Label Name: PHI Record
Settings:
- Retain for 6 years
- Mark as record (immutable)
- Require disposition review before deletion
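
Steps 11 and 12 as Security & Compliance PowerShell. This is an added example, not code from the runbook or from Microsoft. It assumes Connect-IPPSSession works for the placeholder admin and that records.officer@contoso.example is the placeholder disposition reviewer. Retention cmdlets take the duration in days, so 6 years is written as 365 * 6; the runbook allows either date created or last modified as the trigger, and the policy rule below picks last modified.

```powershell
# Added example, not part of the runbook: Phase 6 (Steps 11 and 12) as
# Security & Compliance PowerShell. Assumes Connect-IPPSSession for the
# placeholder admin; the reviewer address is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"

# Retention durations are given in days; 6 years as 365 * 6 = 2190 days
# (leap days ignored; adjust if your policy counts them).
$sixYearsDays = 365 * 6

# Step 11: policy over mailboxes, sites and OneDrive accounts.
New-RetentionCompliancePolicy -Name "PHI Retention Policy" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All

# KeepAndDelete = retain (no deletion possible) for the period, then delete,
# which is the runbook's optional auto-delete. Use -RetentionComplianceAction
# Keep to retain without the automatic deletion. Trigger: last modified.
New-RetentionComplianceRule -Name "PHI Retention Rule" -Policy "PHI Retention Policy" `
    -RetentionDuration $sixYearsDays `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Step 12: the record label. IsRecordLabel makes labeled items immutable,
# and ReviewerEmail routes them through disposition review before deletion.
New-ComplianceTag -Name "PHI Record" `
    -Comment "Protected Health Information record, 6-year retention" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration $sixYearsDays `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true `
    -ReviewerEmail "records.officer@contoso.example"

# Labels are only usable once published through a label policy.
New-RetentionCompliancePolicy -Name "PHI Record Label Policy" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Policy "PHI Record Label Policy" -PublishComplianceTag "PHI Record"

# Verify: policy enabled and distributed, label flagged as a record.
Get-RetentionCompliancePolicy -Identity "PHI Retention Policy" -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus
Get-ComplianceTag -Identity "PHI Record" |
    Format-List Name, IsRecordLabel, RetentionDuration, RetentionAction
```

A record label cannot be removed from an item once applied, so pilot the label policy on a limited scope before publishing it to all locations.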

Phase 7 — Monitoring & Alerts

Step 13: Configure Alerts

Path:

  • Alerts → Alert policies

🚨 TEMPLATE: ALERT POLICY

Alert Name: PHI Data Exfiltration
Trigger:
- DLP rule match (high severity)
Conditions:
- External sharing
- Large data transfer
Actions:
- Notify:
  - Security team
  - Compliance officer
- Severity: High
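
Step 13 as Security & Compliance PowerShell. This is an added example, not code from the runbook or from Microsoft. It assumes Connect-IPPSSession works for the placeholder admin and that the two notification addresses are placeholders. The alert fires on DLP rule matches; which matches mean "external sharing" or "large data transfer" is decided by the Phase 4 rules that report at high severity, so the alert itself carries no content filter. The second alert goes beyond the runbook's single alert: it adds a volume-aggregated variant for the large-transfer case.

```powershell
# Added example, not part of the runbook: the Phase 7 alert policy via
# New-ProtectionAlert. Assumes Connect-IPPSSession; addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"

$notify = @("secops@contoso.example", "compliance.officer@contoso.example")   # placeholders

# One alert per high-severity DLP rule match. The Phase 4 rules with
# ReportSeverityLevel High (external sharing, bulk PHI) are what trigger it.
New-ProtectionAlert -Name "PHI Data Exfiltration" `
    -Category DataLossPrevention `
    -ThreatType Activity `
    -Operation DlpRuleMatch `
    -Severity High `
    -AggregationType None `
    -NotifyUser $notify `
    -Description "High-severity PHI DLP match: external sharing or large PHI transfer"

# Beyond the runbook's single alert: a volume variant that fires only when
# 10 or more DLP matches occur within 60 minutes, so a burst of PHI leaving
# the tenant is surfaced as one alert instead of being lost in the per-match noise.
New-ProtectionAlert -Name "PHI Data Exfiltration - burst" `
    -Category DataLossPrevention `
    -ThreatType Activity `
    -Operation DlpRuleMatch `
    -Severity High `
    -AggregationType SimpleAggregation `
    -Threshold 10 `
    -TimeWindow 60 `
    -NotifyUser $notify `
    -Description "10 or more PHI DLP matches in 60 minutes"

# Confirm both exist and are not disabled.
Get-ProtectionAlert | Where-Object Name -like "PHI Data Exfiltration*" |
    Format-Table Name, Severity, Operation, AggregationType, Disabled
```

Raise a test match from a pilot mailbox after creating the alerts and confirm the notification lands with both recipients; that is the "Alerts triggering correctly" item of the Phase 9 checklist.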

Phase 8 — Compliance Tracking

Step 14: Use Compliance Manager

Path:

  • Compliance Manager → Assessments

Action:

  • Select: HIPAA template

What you should see:

  • Compliance score
  • Improvement actions list

Phase 9 — Validation Checklist

Run this after deployment:

✅ Technical Validation

  • Audit logs enabled
  • PHI detected in Content Explorer
  • Labels applied automatically
  • DLP blocking external sharing
  • Endpoint restrictions working

✅ Compliance Validation

  • Retention policy active
  • Alerts triggering correctly
  • Compliance score tracked
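
A scripted pass over the two checklists above. This is an added example, not code from the runbook or from Microsoft. It assumes the object names used in this runbook's templates, the ExchangeOnlineManagement module, and a placeholder admin account. Three items stay manual: PHI hits in Content Explorer, the Outlook policy tip, and the Compliance Manager score (screenshots 4, 7 and 10).

```powershell
# Added example, not part of the runbook: automated pass over the Phase 9
# checklist. Assumes the object names from this runbook and a placeholder
# admin; Content Explorer, the policy tip and the compliance score are
# visual checks and are not covered here.
Import-Module ExchangeOnlineManagement
$admin  = "admin@contoso.example"   # placeholder
$checks = [ordered]@{}

# Audit config is an Exchange Online setting; disconnect afterwards so the
# Security & Compliance cmdlets with the same names are not shadowed.
Connect-ExchangeOnline -UserPrincipalName $admin -ShowBanner:$false
$checks["Audit logs enabled"] = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled -eq $true
Disconnect-ExchangeOnline -Confirm:$false

Connect-IPPSSession -UserPrincipalName $admin

# Technical validation
$checks["PHI label defined"] =
    $null -ne (Get-Label -Identity "PHI - Highly Confidential" -ErrorAction SilentlyContinue)
$checks["Auto-labeling policy present"] =
    (Get-AutoSensitivityLabelPolicy -ErrorAction SilentlyContinue | Measure-Object).Count -gt 0

$dlp = Get-DlpCompliancePolicy -Identity "HIPAA PHI Protection Policy" -ErrorAction SilentlyContinue
$checks["DLP policy present"]      = $null -ne $dlp
$checks["DLP policy enforcing"]    = ($null -ne $dlp) -and ($dlp.Mode -eq "Enable")   # not still in test mode
$checks["DLP external-share rule"] =
    $null -ne (Get-DlpComplianceRule -Identity "Block External Sharing of PHI" -ErrorAction SilentlyContinue)
$checks["Endpoint DLP scoped"] =
    (Get-DlpCompliancePolicy | Where-Object { $_.EndpointDlpLocation } | Measure-Object).Count -gt 0

# Compliance validation
$ret = Get-RetentionCompliancePolicy -Identity "PHI Retention Policy" -ErrorAction SilentlyContinue
$checks["Retention policy active"] = ($null -ne $ret) -and ($ret.Enabled -eq $true)
$alert = Get-ProtectionAlert -Identity "PHI Data Exfiltration" -ErrorAction SilentlyContinue
$checks["Alert policy enabled"]    = ($null -ne $alert) -and (-not $alert.Disabled)

# Report: one PASS/FAIL line per item, then a summary warning if anything failed.
foreach ($k in $checks.Keys) {
    "{0,-30} {1}" -f $k, $(if ($checks[$k]) { "PASS" } else { "FAIL" })
}
$failed = @($checks.Keys | Where-Object { -not $checks[$_] })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} check(s) failed: {1}" -f $failed.Count, ($failed -join ", "))
}
```

Keep the output with the screenshot set; a FAIL on "DLP policy enforcing" is expected while the policy is still in the audit-only window and turns to PASS once Set-DlpCompliancePolicy -Mode Enable has been run.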

📸 Screenshot Guide (What to Capture Internally)

For your documentation, capture:

  1. Compliance Portal dashboard
  2. Audit enabled screen
  3. Sensitive info types list
  4. Content Explorer results
  5. Label configuration page
  6. DLP rule editor
  7. Policy tip in Outlook
  8. Endpoint DLP settings
  9. Retention policy screen
  10. Compliance Manager dashboard

🧠 Pro Tips (From Real Deployments)

  • Start in audit-only mode for DLP before enforcing
  • Tune sensitivity thresholds to reduce false positives
  • Use auto-labeling carefully (test on small scope first)
  • Combine Purview with:
    • Conditional Access
    • MFA
    • Device compliance policies