HIPAA Microsoft 365 Security Checklist for Small Healthcare Practices
A practical checklist for dental, therapy, specialty, and medical practices reviewing Microsoft 365 security before a HIPAA risk analysis cycle.
Checklist for small healthcare practices reviewing Microsoft 365 identity, MFA, mail, sharing, device, backup, and vendor security settings that affect patient-data workflows.
- MFA and access
- Mail and sharing
- Backup and vendor coordination
User access and identity checklist
- MFA is enforced for every user with access to patient data or clinical systems.
- Admin accounts are separate from clinical user accounts — no one reads patient email from a Global Admin login.
- Offboarding removes access within 24 hours of a staff member's last day.
- Shared or generic accounts are eliminated — each person has their own login.
- Service accounts for EHR, billing, scheduling, and scanning applications are documented.
- Guest users and external consultants access the tenant only through approved, time-limited invitations.
Core Checklist Areas
Device and endpoint checklist
- Clinical workstations and laptops that access patient data are encrypted.
- Screen lock timeout is enforced on shared workstations and mobile devices.
- Endpoint protection (Defender for Endpoint or equivalent) is deployed on all devices.
- Local admin rights are removed from clinical users.
- Stale devices from departed staff are removed from device inventory.
- Personal devices that access practice email or files pass a conditional access check.
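The identity and device items above each need evidence that the control is actually operating, not just a policy statement. The script below is an added example (not from this page or from BCT's own tooling) that exports that evidence with the Microsoft Graph PowerShell SDK: users with no registered MFA method, the current Global Administrator list, guest accounts, and devices with no recent sign-in. It assumes the Microsoft.Graph modules are installed, that dedicated admin accounts use an "adm-" prefix (an assumed naming convention), and that 90 days is the practice's agreed stale-device threshold (also assumed).

```powershell
# Added example (not from the page or BCT): export evidence for the identity and
# device checklist items. Read-only Graph scopes; nothing is changed in the tenant.
$scopes = @(
    'User.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All',
    'Device.Read.All', 'RoleManagement.Read.Directory'
)
Connect-MgGraph -Scopes $scopes -NoWelcome

$stamp  = Get-Date -Format 'yyyy-MM-dd'
$outDir = Join-Path $PWD "m365-evidence-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Item: MFA enforced for every user. A user with no registered MFA method cannot
# be satisfying the control, whatever the Conditional Access policy says.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin
$noMfa | Export-Csv (Join-Path $outDir 'users-without-mfa.csv') -NoTypeInformation

# Item: admin accounts separate from clinical accounts. List Global Administrators
# and flag any that do not follow the assumed "adm-" dedicated-admin convention.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
    $upn = $_.AdditionalProperties['userPrincipalName']   # null for non-user members
    [pscustomobject]@{ UserPrincipalName = $upn; DedicatedAdmin = ($upn -like 'adm-*') }
}
$admins | Export-Csv (Join-Path $outDir 'global-admins.csv') -NoTypeInformation

# Item: guests only through approved, time-limited invitations. Export the current
# guest list so each entry can be matched to an approval record and an end date.
Get-MgUser -All -Filter "userType eq 'Guest'" -Property UserPrincipalName,CreatedDateTime,AccountEnabled |
    Select-Object UserPrincipalName, CreatedDateTime, AccountEnabled |
    Export-Csv (Join-Path $outDir 'guest-users.csv') -NoTypeInformation

# Item: stale devices from departed staff removed. Devices with no sign-in inside the
# assumed 90-day threshold (or no recorded sign-in at all) are listed for review only.
$cutoff = (Get-Date).AddDays(-90)
Get-MgDevice -All -Property DisplayName,OperatingSystem,ApproximateLastSignInDateTime,AccountEnabled |
    Where-Object { $_.ApproximateLastSignInDateTime -lt $cutoff } |
    Select-Object DisplayName, OperatingSystem, ApproximateLastSignInDateTime, AccountEnabled |
    Export-Csv (Join-Path $outDir 'stale-devices.csv') -NoTypeInformation

Write-Host "Evidence written to $outDir ($($noMfa.Count) users without MFA, $($admins.Count) Global Admins)"
```

The four CSV files, dated and kept with the risk analysis records, are the kind of operating evidence the FAQ below refers to; the script deliberately deletes nothing, so removal of stale devices or guests remains a reviewed, owned action.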
Backup and recovery checklist
- Exchange Online, SharePoint, Teams, and OneDrive data is backed up to a third-party Microsoft 365 backup service.
- Backup scope covers the patient and clinical records the practice cannot afford to lose.
- Restore tests happen at least quarterly and results are documented.
- Backup recovery time and recovery point expectations are written down.
- EHR backups are verified separately from Microsoft 365 backups.
- Backup and recovery owners are named and can be reached during an incident.
Documentation, Evidence, And Remediation Rhythm
Secure the everyday systems that handle patient data
Small healthcare practices run on Microsoft 365 — email, calendar, document sharing, Teams calls with staff, and files stored in SharePoint and OneDrive. When those systems hold or transmit patient information, the practice needs practical controls that can be explained during a HIPAA risk analysis, security questionnaire, or compliance review.
This checklist helps dental offices, therapy practices, specialty clinics, and small medical groups review their Microsoft 365 security posture: user access, MFA, admin roles, sharing controls, device protection, backup, and vendor coordination. Each item should connect to the staff members who own the workflows, the IT provider who manages the tenant, and the compliance advisor who reviews the documentation.
No single tool makes a practice HIPAA-compliant, but a poorly configured Microsoft 365 tenant is one of the most common security gaps that can be fixed without enterprise spending.
Quick answer
This checklist helps small healthcare practices review Microsoft 365 identity, mail, file sharing, device, backup, and vendor security settings that affect patient-data workflows. BCT can help implement the cleanup and keep the tenant documented for risk analysis and compliance review cycles.
Common Gaps And Guardrails
FAQ
Is this a substitute for an assessor or compliance advisor?
No. This is an IT-readiness and evidence organization guide. Formal interpretation and assessment decisions should be handled with the appropriate advisor or assessor.
What should the owner review first?
Start with scope, systems, users, administrators, backups, endpoints, and the evidence that proves controls are operating. A tool list without owners and records is not enough.
Can BCT help after the checklist is finished?
Yes. BCT can help turn checklist gaps into Microsoft 365, Azure, endpoint, backup, network, and documentation tasks with owners and dates.
What is the next step?
Send the current CMMC Level 2 checklist status to BCT and ask for a practical readiness review.
Next step:
Use the checklist to organize what is known, identify gaps, and decide which actions need owners and dates.
Request help turning this checklist into a supportable action plan.
Turn This Checklist Into An Action Plan