Tier B · can be used in your compliance program
HIPAA-aligned document management on Microsoft 365
Controlled access, documented handling, and full audit trail for PHI-adjacent documentation.
The product provides document-governance capabilities — controlled access, complete audit log, template-driven approval, expiration reminders, archive — that customers can use as part of their HIPAA document-management program. It runs on Microsoft 365, inside the customer's own tenant, and is not positioned as a certified HIPAA solution. Your compliance team should verify fit with your specific HIPAA obligations.
What HIPAA asks from document management
HIPAA's Security Rule (45 CFR §§ 164.302–318) and Privacy Rule are primarily concerned with the protection of Protected Health Information (PHI). They don't prescribe a specific document-management product. What they do prescribe is that a covered entity or business associate maintain documented policies and procedures, review them periodically, and apply administrative, physical, and technical safeguards — all of which generate a body of documented information that itself needs to be governed.
For documents that are adjacent to PHI — security policies, access-control procedures, training materials, breach-response runbooks, workforce sanction policies — HIPAA expects:
- Controlled access (§164.308(a)(4), §164.312(a)(1)) — only workforce members who need the document can reach it.
- Documented handling procedures (§164.316) — how covered entities handle the documented information itself.
- Periodic review (§164.308(a)(8), §164.316(b)(2)(iii)) — policies and procedures must be reviewed and updated "as needed."
- Retention (§164.316(b)(2)(i)) — policies and procedures must be retained for six years from the date of their creation or the date when they were last in effect, whichever is later.
- Auditable trail (§164.312(b) audit controls, together with the documentation requirements of §164.316) — the ability to show who did what to a document, and when.
docs365.ai provides capabilities that customers use to operationalize each of these expectations.
How the product's capabilities map to HIPAA document needs
Controlled access
HIPAA expects: workforce members have access to PHI-adjacent documentation only to the extent needed for their role.
Product capability: SharePoint permissions, with per-library and per-document granularity. Each Document Management area is configured with its own permission set, so sensitive document types (e.g. the Security Rule risk assessment) can be scoped more tightly than general policies. Permissions are governed by the customer's existing Microsoft Entra ID (formerly Azure AD) identity model, with no parallel access system. The corollary is that access is only as tight as the underlying SharePoint permissions: broken permission inheritance and anyone-with-the-link sharing on a site widen who can reach a document, so both belong in the access-control review.
Documented handling
HIPAA expects: the covered entity maintains documented policies and procedures and the actions, activities, or assessments performed under them.
Product capability: templates ensure every policy and procedure starts from a consistent structure. Sequential approval with role-based routing creates a documented approval process. The audit log records every action on every document — the very documentation of document-handling that §164.316 asks for.
Periodic review
HIPAA expects: policies and procedures are reviewed periodically and updated in response to environmental or operational changes.
Product capability: expiration reminders trigger an automatic email to the document's owner before the expiration date, prompting review. Every re-approval cycle is captured in the audit log — so the evidence that periodic review occurred is intrinsic to the system, not a separate tracking spreadsheet.
Retention
HIPAA expects: six years of retention of policies, procedures, and action records.
Product capability: archive preserves superseded documents without deleting them, and versioning keeps prior versions of every document, subject to the library's version limits, which should be set high enough to hold six years of drafts and re-approvals. Retention periods are enforced by SharePoint's native retention features and, at the tenant level, by Microsoft Purview retention policies, which can be scoped to the sites that hold governance documents or applied tenant-wide, and which keep content for the retention period even if a user deletes it.
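As an added example that is not part of the product or its documentation, the following Security & Compliance PowerShell and PnP PowerShell commands show how a tenant administrator would pin the six-year window to the site that holds governance documents and confirm that the library's version history can actually hold six years of revisions. The site URL, policy name and library name are hypothetical placeholders; the cmdlets are Microsoft's, not the product's.

```powershell
# Added example, not product code. Assumes the ExchangeOnlineManagement module
# (Connect-IPPSSession) and PnP.PowerShell are installed and the caller holds the
# Compliance Administrator and SharePoint site-owner roles.
$SiteUrl    = "https://contoso.sharepoint.com/sites/compliance-docs"   # hypothetical
$PolicyName = "HIPAA-PolicyDocs-6y"                                     # hypothetical
$Library    = "Security Policies"                                       # hypothetical

# --- Purview retention: keep for six years, measured from last modification ---
# §164.316(b)(2)(i) counts six years from creation OR from when the policy was last
# in effect, whichever is later. Last-in-effect is approximated far better by the
# modification date than by the creation date, so anchor retention on modification.
# Six calendar years can contain up to two leap days, so 6*365 = 2190 days would
# fall short; 2192 days is a safe floor.
Connect-IPPSSession

New-RetentionCompliancePolicy -Name $PolicyName `
    -SharePointLocation $SiteUrl `
    -Enabled $true

New-RetentionComplianceRule -Name "$PolicyName-rule" `
    -Policy $PolicyName `
    -RetentionDuration 2192 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Keep   # retain only; never auto-delete governance records

# Verify the policy actually reached the site; distribution is not instantaneous.
Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus

# --- SharePoint versioning: version history is bounded by library settings ---
# "Every prior version" only holds if the limit is high enough for six years of
# drafts and re-approvals. Read the current limits, then raise them explicitly.
Connect-PnPOnline -Url $SiteUrl -Interactive

Get-PnPList -Identity $Library |
    Select-Object Title, EnableVersioning, EnableMinorVersions,
                  MajorVersionLimit, MajorWithMinorVersionsLimit

Set-PnPList -Identity $Library `
    -EnableVersioning $true `
    -EnableMinorVersions $true `
    -MajorVersions 500 `
    -MinorVersions 511
```

The policy is a retention policy rather than a retention label, so it covers everything on the site including the archive area and the Preservation Hold library, and a user deleting a superseded policy does not shorten the evidence trail. Re-run the `Get-RetentionCompliancePolicy` check after a few hours and keep its output with the rest of the audit evidence.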
Auditable trail
HIPAA expects: ability to demonstrate how documentation has been controlled.
Product capability: the audit log, tied to named Entra users, captures every edit, approval, rejection, publication, and archive event with timestamps. Exportable. Reviewable from the document's own context menu. Power BI reporting (on higher tiers) aggregates the audit evidence into dashboards suitable for internal or external review.
What Microsoft 365 already gives you (and why this matters for HIPAA)
Microsoft 365 is HIPAA-aligned at the platform level. Microsoft signs a Business Associate Agreement (BAA) with customers, operates under published attestations, and applies the administrative, physical, and technical safeguards required for the underlying infrastructure. For healthcare organizations that have already evaluated Microsoft 365 and accepted it, under that BAA, as an environment in which PHI may be handled, the product inherits that foundation.
The product does not introduce a new data boundary. Documents managed by the product sit in the customer's existing SharePoint Online tenant. There is no new sub-processor relationship to evaluate, no new BAA to negotiate with intranet.ai beyond the standard software-provider agreement.
This is the quiet HIPAA argument for a Microsoft-365-native DMS. The platform layer is already addressed; the product layer adds the document-control discipline on top.
Centro Diagnostico Italiano
Customer story
"If tomorrow you had to demonstrate the complete evolution of a clinical procedure over the last two years — every modification, every approval, every signature — could you do it in ten minutes?"
— Compliance Officer — Centro Diagnostico Italiano
A healthcare compliance officer's workflow
Consider the six-month review of a workforce-security policy at a medium-sized healthcare provider. In a typical organization without a DMS discipline, this review happens when somebody notices the policy is out of date — often in response to an incident or an auditor question. With docs365.ai:
- Two weeks before the expiration date, the system sends the policy's owner (the Privacy Officer, configured as the owner at creation) an automatic email. The email references the policy's name, protocol code, and current version, and links to the document.
- The Privacy Officer reviews the policy against the changes in environment since the last review — new systems, new workforce roles, recent incidents, changes in regulation. She drafts a new minor version (1.3 → 1.4 → 1.5…) in Word Online, with her CISO commenting in-line.
- When ready, she launches the approval flow. Sequential: CISO as reviewer, General Counsel as reviewer, CEO as final approver. The flow is automatic. Each approver receives email, reviews, approves. The audit log captures every step.
- Publication. The approved PDF lands in the public area of the security-policy library. The prior version (1.2) is archived. The new version (2.0) is the canonical one every workforce member sees.
- Read-receipts (optional, via the sister product) — the Privacy Officer sends a read-acknowledgment request to every workforce member, tracks completion, produces a compliance report.
What the audit evidence captures: the full evolution of the policy from the prior version to the new one, every approval, every reviewer's role, the exact date of publication, and — if read-receipts are used — every acknowledgment.
This is the kind of workflow that, six months later when an inquiry from the HHS Office for Civil Rights (OCR) arrives, produces the evidence in hours, not weeks.
A customer story
Centro Diagnostico Italiano uses the product to reconstruct the complete evolution of any clinical procedure on demand — every modification, every approval, every signature, and who is in charge of renewal. In a regulated medical-diagnostics environment, that reconstruction capability is not a convenience; it's an obligation. CDI's compliance team owns the HIPAA posture for their organization; the product provides the document-governance capabilities they use.
What the customer still owns under HIPAA
The product is a document-management tool. The customer's HIPAA program — the Business Associate Agreements, the risk analysis under §164.308(a)(1)(ii)(A), the workforce training and sanctions, the incident response, the breach determination and notification, the Privacy Rule administrative safeguards — belongs to the customer.
What we're saying: for the document-management portion of the HIPAA program, the product is built to give you a defensible library without introducing a new sub-processor or a parallel platform. Your compliance team verifies that the specific controls we provide fit your specific HIPAA program.
FAQ
Does the product sign a Business Associate Agreement? intranet.ai as a software provider does not typically act as a business associate because we don't access customer documents in the course of providing software. The BAA that matters for HIPAA is the one you already have with Microsoft for Microsoft 365 — that covers the platform where documents actually live. If your organization requires a BAA with intranet.ai for specific reasons, reach out and we can discuss terms.
Is the product HIPAA certified? HIPAA doesn't have a certification scheme in the way ISO 27001 does. There are third-party assessments and audits against HIPAA requirements, but no official HIPAA "certification." What matters in practice is whether the system supports the covered entity's ability to meet its HIPAA obligations. The product provides capabilities that healthcare customers use as part of their HIPAA programs.
Can I use this for Privacy Rule documentation (Notices of Privacy Practices, authorization forms)? Yes — the same document-governance lifecycle applies. Templates, approval, versioning, retention, audit. The Privacy Rule's six-year documentation retention requirement (§164.530(j)) is met by the archive function combined with SharePoint's retention.
What about HIPAA Security Rule risk analysis (§164.308(a)(1)(ii)(A))? The risk analysis itself is a document that benefits from the product's lifecycle — templates for consistency, approval for accountability, expiration reminders for annual re-analysis, audit log for evidence. The analysis work itself is conducted by the customer's security team.
Is this OK for HIPAA covered entities AND business associates? Yes — both operate under the same document-management expectations. Business associates typically have tighter BAA-driven documentation obligations, which the product's audit log supports well.
Related pages
- Healthcare industry page → — applied to clinical procedures, policies, surveyor readiness.
- Microsoft 365 as a compliance platform → — how the HIPAA BAA from Microsoft combines with our audit capabilities.
- Audit log → — feature detail.
- How governance works →
Ready to align your HIPAA documentation?
Thirty minutes. No cost. No obligation. We'll walk through your current library and identify where this product would change the evidence shape.