
HIPAA and Microsoft 365: The Configuration Checklist Most Practices Miss

Elevate Solutions Security & IT Advisory Team · 5 min read

A BAA does not configure your tenant

Microsoft will sign a Business Associate Agreement, but the BAA covers Microsoft's obligations — not how your tenant is configured. That gap is where breaches happen.

The settings practices miss

  • Unified audit logging enabled, with the logs retained for the full period the regulation requires.
  • DLP policies scoped to PHI patterns (MRN, SSN, ICD codes).
  • Conditional Access blocking legacy auth and enforcing MFA on every account.
  • Sensitivity labels with encryption for records shared outside the practice.
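As an added illustration, not the article's own tooling, the read-only PowerShell check below looks for evidence of each of the four items in a tenant. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in account has read rights to each workload.

```powershell
# Added example, not part of the original article: read-only checks for the four
# checklist items above. Assumes ExchangeOnlineManagement and Microsoft.Graph are
# installed and the signed-in account has read-only rights to each workload.

Connect-ExchangeOnline                       # Exchange Online: audit log config
Connect-IPPSSession                          # Security & Compliance: DLP, labels
Connect-MgGraph -Scopes 'Policy.Read.All'    # Entra ID: Conditional Access policies

$findings = @()

# 1. Unified audit log ingestion must be on; nothing downstream works without it.
#    Retention length is set per policy (Get-UnifiedAuditLogRetentionPolicy) and
#    still needs a manual read against the period you are required to keep.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings += 'Unified audit log ingestion is disabled'
}

# 2. At least one DLP policy must be enforcing (Mode 'Enable'); test modes only notify.
if (-not (Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' })) {
    $findings += 'No DLP policy is in enforce mode'
}

# 3. Conditional Access: only enabled policies count; report-only does not block.
$ca = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' }

# Legacy auth appears as the 'exchangeActiveSync' and 'other' client app types.
$blocksLegacy = $ca | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $blocksLegacy) { $findings += 'No enabled policy blocks legacy authentication for all users' }

# MFA must be required for all users, not only admins or a pilot group.
$requiresMfa = $ca | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $requiresMfa) { $findings += 'No enabled policy requires MFA for all users' }

# 4. At least one sensitivity label must apply encryption to what it marks.
if (-not (Get-Label | Where-Object { $_.EncryptionEnabled })) {
    $findings += 'No sensitivity label applies encryption'
}

if ($findings) { $findings | ForEach-Object { Write-Output "FAIL: $_" } }
else           { Write-Output 'All four checklist items present; review exclusions and scoping by hand' }
```

The checks confirm that the controls exist and are switched on; they do not evaluate exclusion groups or which locations a DLP policy covers, so the policy bodies still need a human read.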

How we approach it

We treat the M365 tenant as part of the compliance perimeter and maintain the evidence that an HHS Office for Civil Rights (OCR) investigator would ask for.

Talk to us about your firm.

Want help applying this to your environment? We advise regulated Los Angeles firms on exactly these decisions — without the hard sell.
