What the customer owns under HIPAA
The product is a document-management tool. Your organization owns:
- The Business Associate Agreement with Microsoft for the underlying M365 platform.
- The Security Rule risk analysis and the resulting safeguards.
- Workforce training and sanctions.
- Breach determination and notification.
- All Privacy Rule administrative activities.
- The HIPAA fit assessment for this specific product in your environment.
What we provide is a disciplined library for the documented information your HIPAA program generates — policies, procedures, DPIAs, incident-response plans, training materials. The documentation layer, done well, inside the same Microsoft 365 tenant the rest of your organization already operates in.
HIPAA §164 — document-control capability mapping
The HIPAA Security Rule §164.316 and the Administrative Safeguard provisions set specific documentation obligations. Here is how the product's capabilities map to each requirement:
§164.316 — Policies and procedures
| Requirement | Product capability |
|---|---|
| §164.316(a) — Implement reasonable and appropriate policies and procedures | Template-driven document creation; mandatory metadata per policy type; approval workflow enforces review before publication |
| §164.316(b)(1)(i) — Maintain policies and procedures in written (which may be electronic) form | Version-controlled document library; every revision tracked with author, date, and change reason |
| §164.316(b)(2)(i) — Retain documentation for six years from the date of its creation or the date when it last was in effect, whichever is later | Retention policy per document type; archive flag; in-place hold via M365 retention |
| §164.316(b)(2)(ii) — Make documentation available to those responsible for implementing the procedures | Role-based access; published documents automatically surfaced to the correct workforce segment |
| §164.316(b)(2)(iii) — Review documentation periodically and update as needed | Expiration date per document; automated reminder workflow; review-cycle audit trail |
§164.312 — Technical safeguards (document-layer relevant)
| Requirement | Product capability |
|---|---|
| §164.312(a)(1) — Access control: allow access to ePHI only to persons or software programs that have been granted access rights | Microsoft Entra ID (formerly Azure AD) identity; each user action in the audit log is tied to a unique UPN |
| §164.312(a)(2)(i) — Unique user identification: assign a unique name and/or number for identifying and tracking user identity | Inherited from Entra ID; the product creates no accounts of its own, so every action is attributed to a tenant identity. Whether one identity is ever shared between people is governed by your identity policy, not by the product |
| §164.312(b) — Audit controls: record and examine activity in systems that contain or use ePHI | Microsoft 365 unified audit log, which tenant administrators cannot edit; every document open, edit, approve and sign event logged with a UTC timestamp; exportable to a SIEM. Note that the unified audit log keeps events only for a licence-dependent period (180 days with Audit (Standard), longer with Audit (Premium) or an audit retention policy), so export to your SIEM if your program needs the trail kept longer |
| §164.312(c)(1) — Integrity: protect ePHI from improper alteration or destruction | Version history; post-publication lock; in-place hold prevents deletion |
| §164.312(a)(2)(iv) and §164.312(e)(2)(ii) — Encryption and decryption of ePHI at rest and in transmission (both addressable implementation specifications) | Microsoft 365 encryption at rest (AES-256) and in transit (TLS 1.2+), operated by Microsoft under its BAA; because the specifications are addressable, your risk analysis still records the decision to rely on them |
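The §164.312(b) row covers both halves of the audit-controls standard: the platform records, and your team examines. As an added example (this is not product code, nor anything the page describes), here is the examining half run over an exported slice of the Microsoft 365 unified audit log. The JSON-lines records are constructed to resemble SharePoint Online entries in that log (CreationTime, Operation, UserId, Workload, ObjectId, ClientIP); the site URL, user names, file names and review thresholds are assumptions.

```python
"""Review exported Microsoft 365 unified audit log records for PHI document
activity (45 CFR 164.312(b), "record and examine activity").

Added example, not product code. The JSON-lines records in SAMPLE_EXPORT are
CONSTRUCTED to resemble SharePoint Online entries in the unified audit log
(CreationTime in UTC, Operation, UserId, Workload, ObjectId, ClientIP); the
site URL, user names, file names and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: PHI-bearing documents are scoped to one site collection.
PHI_SITE_PREFIX = "https://contoso.sharepoint.com/sites/policy-phi/"
# Assumptions: review thresholds a compliance team might choose.
DOWNLOAD_THRESHOLD = 3                   # distinct PHI files by one user...
DOWNLOAD_WINDOW = timedelta(minutes=10)  # ...within this window
DESTRUCTIVE_OPS = {"FileDeleted", "FileRecycled"}

# Constructed sample export (one JSON object per line, as an exported log is).
SAMPLE_EXPORT = """\
{"CreationTime":"2024-03-04T13:00:05","Operation":"FileAccessed","UserId":"alice@contoso.com","Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/policy-phi/Shared Documents/breach-response.docx","ClientIP":"203.0.113.10"}
{"CreationTime":"2024-03-04T13:02:11","Operation":"FileDownloaded","UserId":"bob@contoso.com","Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/policy-phi/Shared Documents/npp-2024.pdf","ClientIP":"198.51.100.7"}
{"CreationTime":"2024-03-04T13:03:40","Operation":"FileDownloaded","UserId":"bob@contoso.com","Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/policy-phi/Shared Documents/minimum-necessary.docx","ClientIP":"198.51.100.7"}
{"CreationTime":"2024-03-04T13:05:02","Operation":"FileDownloaded","UserId":"bob@contoso.com","Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/policy-phi/Shared Documents/sanctions-policy.docx","ClientIP":"198.51.100.7"}
{"CreationTime":"2024-03-04T14:10:00","Operation":"FileDeleted","UserId":"carol@contoso.com","Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/policy-phi/Shared Documents/risk-analysis-2023.docx","ClientIP":"192.0.2.44"}
{"CreationTime":"2024-03-04T15:00:00","Operation":"FileDownloaded","UserId":"dave@contoso.com","Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/marketing/Shared Documents/brochure.pdf","ClientIP":"192.0.2.9"}
"""


def parse_export(text):
    """Parse a JSON-lines export; CreationTime becomes a datetime (UTC)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def phi_records(records):
    """Keep only SharePoint events whose target lives under the PHI site."""
    return [r for r in records
            if r.get("Workload") == "SharePoint"
            and r.get("ObjectId", "").startswith(PHI_SITE_PREFIX)]


def find_bulk_downloads(records):
    """Users who pulled >= DOWNLOAD_THRESHOLD distinct PHI files in one window."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            by_user[r["UserId"]].append(r)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["CreationTime"])
        for i, start in enumerate(events):           # sliding window per user
            window = [e for e in events[i:]
                      if e["CreationTime"] - start["CreationTime"] <= DOWNLOAD_WINDOW]
            files = {e["ObjectId"] for e in window}
            if len(files) >= DOWNLOAD_THRESHOLD:
                findings.append({"user": user, "count": len(files),
                                 "first": start["CreationTime"].isoformat(),
                                 "ips": sorted({e.get("ClientIP", "") for e in window})})
                break                                  # one finding per user
    return findings


def find_destructive(records):
    """Every delete/recycle of a PHI document, to reconcile with an approved change."""
    return [{"user": r["UserId"], "op": r["Operation"],
             "file": r["ObjectId"].rsplit("/", 1)[-1],
             "time": r["CreationTime"].isoformat()}
            for r in records if r["Operation"] in DESTRUCTIVE_OPS]


def review(text):
    """Run both checks over an export and return a structured review result."""
    recs = phi_records(parse_export(text))
    return {"phi_events": len(recs),
            "bulk_downloads": find_bulk_downloads(recs),
            "destructive": find_destructive(recs)}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_EXPORT), indent=2))
```

On the sample, the marketing-site download is filtered out as non-PHI, bob's three downloads inside ten minutes surface as one bulk-download finding, and carol's delete is listed for reconciliation against the document's version history and change record. The same two checks are the kind of SIEM rule you would schedule against the exported log rather than run by hand.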
Accreditation and payer-contract documentation
Beyond HIPAA, healthcare organizations carrying Joint Commission, DNV, or HFAP accreditation face additional documented-information expectations:
| Standard | What auditors look for | Product capability |
|---|---|---|
| Joint Commission RC.01.01.01 | Policies define who can enter and authenticate medical record entries | Access-control configuration; approval-chain records show authorized authors per document type |
| Joint Commission RC.02.01.01 | Medical record contains specific required documentation | Policy library with classification metadata; mandatory fields enforced by template |
| HFAP Standard 3.01 | Documented evidence that policies are reviewed and current | Review-cycle audit trail; expiration dashboard; reviewer/approver captured in document metadata |
| Payer contracts | Documentation of clinical protocols used in billing | Published-protocol version at any past date; export of approval evidence on demand |
Healthcare-specific FAQ
Does docs365.ai sign a BAA? docs365.ai as a software provider doesn't typically act as a business associate because we don't access customer documents. The BAA that matters for HIPAA is the one between you and Microsoft for M365 — that covers the platform where documents actually live. If your organization requires a BAA with docs365.ai for specific reasons, talk to us during the assessment.
Is this HIPAA-certified? HIPAA has no product-certification scheme. What matters is whether the system supports your ability to meet your HIPAA obligations. The product provides capabilities healthcare customers use as part of their HIPAA programs; adequacy is determined by your compliance team.
Can I use this for Notices of Privacy Practices? Yes — the same document-governance lifecycle applies. Templates, sequential approval, versioning, retention, audit log. The Privacy Rule's six-year retention requirement is met by the archive function combined with M365 retention.
What about HITRUST or SOC 2? HITRUST certification and a SOC 2 attestation are things your organization obtains for its own environment; they are not product certifications the product carries. The product's audit log, versioning, and access controls produce the kind of evidence HITRUST and SOC 2 assessors typically work with for the documented-information portions of those frameworks.
Does it handle PHI directly? The product is a document-management layer. Documents it manages may contain PHI, but that PHI sits inside SharePoint Online in your tenant — under Microsoft's BAA, not a separate docs365.ai data path. We recommend applying appropriate classification metadata and access scoping to any document that contains PHI.