We recently had to provide information on the out-of-the-box features of MOSS 2007 that might help our customer satisfy the Health Insurance Portability and Accountability Act (HIPAA) requirements as they pertain to Electronic Protected Health Information (EPHI). The first step…search the Web…result…not much!

We are not HIPAA experts (if we were, we would be attorneys) but, with this posting and an adequate amount of research and the guidance of your organization’s HIPAA experts, perhaps you will be able to understand and explain what MOSS 2007 can bring to the table in the arena of HIPAA compliance. The HIPAA Security Rule outlines the standards and implementation specifications that are required for a company to become compliant.

NOTE: the Security Rule applies only to EPHI, while the Privacy Rule applies to PHI which may be in electronic, oral and paper form.

The HIPAA Security Rule outlines the requirements in five major sections:

• Administrative Safeguards

• Physical Safeguards

• Technical Safeguards

• Organizational Requirements

• Policies, Procedures and Documentation Requirements “ (Res. 2)

This post will we will narrow the focus of the Security Rule to a few key safeguards, and will demonstrate the MOSS features that provide organizations the capability to comply with the regulations. Specifically, we will address the following technical safeguards to electronically protect data and control access to the data:

1. Access Control: Unauthorized access to individually identifiable health records is strictly forbidden, so care must be taken on how records are accessed to prevent unauthorized access. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Four implementation specifications are associated with the Access Controls standard:

i. Unique User Identification (Required) – “Assign a unique name and/or number for identifying and tracking user identity.”

ii. Emergency Access Procedure (Required) – “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”

iii. Automatic Logoff (Addressable) – “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

iv. Encryption and Decryption (Addressable) – “Implement a mechanism to encrypt and decrypt electronic protected health information.”

2. Audit Controls: This standard has no implementation specifications. The Audit Controls standard requires a covered entity to: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

3. Integrity: Protecting the integrity of EPHI is a primary goal of the Security Rule. The Integrity standard requires a covered entity to: “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.” There is one addressable implementation specification in the Integrity standard. i. Mechanism to Authenticate Electronic Protected Health Information (Addressable) – “Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”

4. Person or Entity Authentication: This standard has no implementation specifications it requires a covered entity to: “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” In general, authentication ensures that a person is in fact who he or she claims to be before being allowed access to EPHI. This is accomplished by providing proof of identity. There are a few basic ways to provide proof of identity for authentication. A covered entity may require something known only to that individual, such as a password or PIN, smart card, or biometric.

5. Secure Transmission: EPHI data should be encrypted and transmitted securely. This standard requires a covered entity to: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” This standard has two implementation specifications:

i. Integrity Controls (Addressable) – “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

ii. Encryption (Addressable) – “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

6. ADDITIONAL (Not a HIPPA requirement) – Data Retention: Healthcare providers must retain health records (electronic, written and oral) for a minimum of 6-years in accordance with the HIPAA privacy final ruling.


Storing EPHI in SharePoint in a HIPAA-compliant manner is possible based on out-of-the-box capabilities of MOSS that are required to support compliance regulations, such as auditing, records management, data security and data integrity. However, some degree of development and customization may be necessary to ensure a regulation-compliant solution.

Figure 1 summarizes the ability of MOSS 2007 to meet the HIPPA technical safeguards.


1. Access Control: MOSS 2007 integrates seamlessly with Microsoft Active Directory (AD) to provide compliant access control for SharePoint sites, documents and list data.

i. Unique User Identification (Required) – Users are assigned a unique ID when their user account is created in AD. Duplicate IDs are prohibited within the same AD domain.

ii. Emergency Access Procedure (Required) – Procedures for obtaining necessary electronic protected health information during an emergency would need to be documented and implemented for the system

iii. Automatic Logoff (Addressable) – MOSS is installed on Internet Information Services (IIS) which provides an automatic connection timeout setting. If the client remains inactive for the specified period of time, the system will require the user to re-authenticate. However, MOSS uses integrated authentication and the browser is typically set to automatically pass credentials to the system thru the browser, this process is usually invisible to the end-user unless they were in the middle of adding or modifying data in the system. It is possible to restrict the browser from auto-authenticating but, this is not a preferred option. Instead the workstations should be configured to lockout and require a user password after a specified amount of idle time.

iv. Encryption and Decryption (Addressable) – IIS and therefore MOSS can be configured to use the Secure Sockets Layer (SSL) cryptographic protocol to provide security for communications over the network. The SQL database can also be encrypted using a number of 3rd party encryption tools.

2. Audit Controls: MOSS 2007 allows administrators to audit key events within document libraries and global events on a site, such as search, user changes, and changes in content types and columns. The underlying Windows SharePoint Services content database stores audit log events and provides access to the audit logs by using Microsoft Office Excel spreadsheets to simplify analysis, reporting, and exporting. MOSS 2007 also supports auditing extensibility by providing an audit log object model, which other applications and systems can use for custom analysis and reporting, or for custom auditing solutions built using the 2007 Office release. Windows SharePoint Services provides server-side auditing functionality (such as opening a file, checking out a file, and checking in a file) that Office system products use at the site level. To address auditing of client-side activities such as printing or creating different copies with Save As, developers can use the extensible architecture of the 2007 Office release. (Res. 3)

Additionally, there are 3rd party tools such as CardioLog, designed especially for SharePoint, that help provide insight and reporting for auditing with minimal customization required.

3. Integrity:

i. Mechanism to Authenticate Electronic Protected Health Information (Addressable) – MOSS provides both versioning for documents and list items as well as digital signatures for documents. Digital signatures are important to compliance as a way to provide assurance that reports are authentic and that approvals and signoffs are duly authorized by the appropriate decision maker or controller. A digital signature also improves efficiency by reducing reliance on paper while meeting regulatory requirements. The digital signature helps to assure that the content has not been changed or tampered with after it was digitally signed.

4. Person or Entity Authentication: MOSS 2007 requires the unique username and password of the user.

5. Secure Transmission:

i. Integrity Controls (Addressable) – Previously discussed in the Integrity Standard

ii. Encryption (Addressable) – Previously discussed in the Access Control Standard

6. ADDITIONAL – Data Retention: MOSS provides a Disposition Workflow that will notify document managers when a document has reached the maximum data retention schedule.

Again, we are not HIPAA experts, but we are interested in providing helpful information to the SharePoint 2007 community. If you have any experience or additional information, please feel free to post comments! Cheers!


1.  – U.S. Department of Health and Human Services, Centers for Medicare & Medicaid Services, Security 101 for Covered Entities

2.  – HIPAA Academy, HIPAA Security Rule Overview

3.  TechFAQ, What is HIPAA

4. HIPPA Security Series, Security Standards: Technical Safeguards

No Responses Yet to “MOSS 2007 AND HIPAA REGULATIONS”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: