Table Of Contents
- 1 Block Sharing of Medical Information Using DLP Policies in Microsoft Purview
- 2 Step-by-Step Guide to Creating a HIPAA-Compliant DLP Policy in Microsoft Purview
- 3 How to Turn Data Loss Prevention (DLP) Policy on in Microsoft Purview
- 4 How to Configure Custom DLP Policy in Microsoft Purview
- 5 Testing the Effectiveness of the Policy
- 6 Monitor and Audit
- 7 How to Navigate to Data Explorer in Microsoft Purview
- 8 Best Practices for HIPAA Compliance with DLP Policies
- 9 Conclusion
- 10 About The Author
Block Sharing of Medical Information Using DLP Policies in Microsoft Purview
In healthcare organizations, ensuring the privacy and security of medical information is crucial for HIPAA (Health Insurance Portability and Accountability Act) compliance. Microsoft Purview provides a robust way to enforce data protection policies to help organizations prevent the unauthorized sharing of sensitive health data. Here’s a practical example of how to create a DLP (Data Loss Prevention) policy to stop the sharing of medical information and ensure compliance with HIPAA:
Step-by-Step Guide to Creating a HIPAA-Compliant DLP Policy in Microsoft Purview
Log in to Microsoft Purview with your admin credentials. In the left-hand pane, click Solutions and click on Data Loss Prevention, as shown in the screenshot below.

Click on Policies in the top menu and select Create Policy.

For All countries and regions, select the United States of America. Click on Medical and health under Categories and select U.S. Health Insurance Act (HIPAA) Enhanced under Regulations. Click on the Next button to proceed.

You can rename the policy if you like or leave it as is.

You can select the Admin units to assign the policy to based on your needs. I will leave it as default for this example. Click the Next button.
Select the locations where the policy should be applied. For this example, I will choose Exchange email, OneDrive accounts, SharePoint sites, Teams chat and channel messages, and Devices. You can apply the policy across all locations or specific ones, depending on your needs. Click on the Next button.

You have the option to Review and customize default settings from the template or Create or customize advanced DLP rules. I will select Review and customize default settings from the template as shown below. Click on the Next button.

This policy will protect content that matches the conditions listed below.
U.S. Social Security Number (SSN)
Drug Enforcement Agency (DEA) Number
U.S. Physical Addresses
International Classification of Diseases (ICD-9-CM)
International Classification of Diseases (ICD-10-CM)
All Medical Terms And Conditions
All Full Names
Business – Healthcare
Employee Insurance Files
Health/Medical Forms
Click on Edit to review them and make any necessary modifications. For example, you can edit the conditions to detect additional sensitive information types, or content with specific sensitivity or retention labels. I will leave it as default. Click on the Next button.

Decide what actions should be taken when content matches the policy conditions, for example whether you want to receive incident reports by email or as alerts. Use policy tip notifications to inform your users and help educate them on how to handle sensitive information properly. Click on the Next button.

Customize access and override settings. You have the option to choose what you want users to be able to share. You can also decide if you want to give users override permission. By default, users are blocked from sending email and Teams chats and channel messages that contain the type of information you’re protecting. I will leave it as default. Click on the Save button.

It is important to run your policy in simulation mode to test the policy before turning it on in a production environment. Choose Run the policy in simulation mode. Click on the Next button.

Review your policy and click on the Submit button.

The policy was created successfully, as shown in the screenshot below.

How to Turn Data Loss Prevention (DLP) Policy on in Microsoft Purview
To turn the policy on, click on the policy. For this example, I created a DLP policy named Block Sharing of Medical Information (HIPAA). Click on View Simulation.

Click on Turn the policy on, as shown below.

Click on Confirm.

How to Configure Custom DLP Policy in Microsoft Purview
Click Solutions and click on Data Loss Prevention, as shown below.

Click on Policies in the top menu and select Create Policy.

For All countries and regions, select the United States of America. Click on Custom under Categories, and select Custom Policy under Regulations. Click on the Next button.

Give your policy a descriptive name for easy identification later.

You have the option to choose the Admin Unit to which the policy will be assigned. I will leave it as default. Click on the Next button. Select locations to apply the policy. I want the policy to apply to Exchange email and SharePoint sites.

Click on Edit to include or exclude specific groups.

To include specific groups, click on Specific groups, then under Included click on Included groups and select the group to include, for example All Users. To exclude groups, check the box next to Exclude Groups, click on Excluded > Exclude groups, select the group you would like to exclude, for example the IT group, and click Done. I will leave it as default for this example. Click the Next button.

Select Create or Customize advanced DLP rules.

Click on Create rule.

Give your policy rule a descriptive name. Under Conditions, click on +Add condition and select Content contains. Give the condition a descriptive name, click on +Add, and select Sensitive info types. For this example, I will select the sensitive info type created previously. Click here to learn how to create a sensitive info type. Select your sensitive info type.

Click on Add an action and select Restrict access or encrypt the content in Microsoft 365 locations. Choose what should happen when the conditions are met. For this example, I will choose Block everyone, as shown below.

Turn user notification on. Use notifications to inform your users and help educate them on the proper use of sensitive info.
Select who will be notified based on your organization and click on the Save button.

Decide if you want to receive alerts when conditions are met and how often. Decide who the alert should go to and through what medium based on your organization’s needs, and click on the Save button.

The custom rule was created successfully and turned on. Click on the Next button.

It is important to run the policy in simulation mode to test it before turning it on in a production environment. This is my lab tenant, so I will turn the policy on immediately for this example. If you prefer, you can select Run the policy in simulation mode to test it before turning it on. To learn how to turn the policy on later, scroll up to the previous example, where I showed the step-by-step instructions.

Review your policy and click on the Submit button.

The policy was created successfully, as shown in the screenshots below. Next, we are going to test the effectiveness of the policy.
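The same custom policy, built with Security & Compliance PowerShell instead of the portal, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed, the account holds a Purview compliance admin role, and the custom sensitive info type from the earlier post is called "Contoso Patient Record ID" (a placeholder name, as are the contoso addresses).

```powershell
# Added example: create the custom DLP policy from this walkthrough via
# Security & Compliance PowerShell. All contoso.* names are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'Block Sharing of Medical Information (Custom)'

# 1. Policy scope: Exchange email and SharePoint sites, as chosen in the
#    walkthrough. Start in simulation with policy tips: users see the tips,
#    nothing is blocked yet (the portal's "Run the policy in simulation mode").
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Custom HIPAA policy: blocks e-mail/SharePoint sharing of patient data' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -Mode TestWithNotifications

# 2. Rule: content contains the custom SIT (placeholder name) or a built-in SIT
#    from the HIPAA template; block everyone, notify the sender with a policy
#    tip, raise an incident report and an alert.
$sits = @(
    @{ Name = 'Contoso Patient Record ID'; minCount = '1' },        # placeholder custom SIT
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }  # built-in SIT
)

New-DlpComplianceRule -Name 'Block patient data - everyone' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sits `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This message contains protected health information and cannot be sent.' `
    -GenerateIncidentReport 'secops@contoso.onmicrosoft.com' `
    -IncidentReportContent 'Title', 'DocumentAuthor', 'RulesMatched', 'Detections', 'Severity' `
    -ReportSeverityLevel High `
    -GenerateAlert 'secops@contoso.onmicrosoft.com'

# 3. Review what was created, then switch from simulation to enforcement
#    (equivalent to "Turn the policy on" in the portal).
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, BlockAccessScope, NotifyUser, Disabled
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation
```

Leave the policy in TestWithNotifications until the simulation results look right, then run only the Set-DlpCompliancePolicy line to enforce it.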


Testing the Effectiveness of the Policy
I will try to send emails, including some of the keywords, to both internal and external email addresses.
Testing with an internal user: the screenshot below shows the policy tip I received.

I tried to send the email anyway, and the email was blocked, as shown below.

Testing with an external email address: the screenshot below shows the policy tip I received.

I tried to send the email anyway, and the email was blocked, as shown below. This shows that the policy was effective.

This policy will ensure that healthcare employees cannot accidentally email or upload patient records containing sensitive health information to SharePoint or OneDrive without proper authorization, ensuring HIPAA compliance.
Monitor and Audit
Use Data Explorer to ensure that your sensitive medical data is continuously monitored. Microsoft Purview provides detailed auditing and reporting capabilities that let you track access and usage of sensitive medical information. Here, you can find detailed reports, including the user who violated the policy and the policy content matches.
Click on Data Loss Prevention > Explorer > Data Explorer. Click on a location (for example, Exchange) for more information.
Review the report to ensure that sensitive data is being properly handled and protected. Adjust your policies as needed.
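The same review scripted against the unified audit log, as an added example that is not part of the original post: it lists which user triggered which policy and rule, and which sensitive info types matched. It assumes an account with audit-log read rights, and the JSON field names follow the Office 365 Management Activity API DLP schema; check them against one real record in your tenant.

```powershell
# Added example: pull DLP rule matches from the unified audit log so the
# "who violated which policy" review can be scripted. Placeholder admin address.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Exchange and SharePoint DLP events are separate audit record types.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ComplianceDLPExchange, ComplianceDLPSharePoint `
    -Operations DlpRuleMatch `
    -ResultSize 5000

# Flatten one audit record into one row per matched rule.
# Field paths (PolicyDetails -> Rules -> ConditionsMatched.SensitiveInformation)
# are assumed from the Management Activity API DLP schema.
$matches = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    foreach ($policy in $d.PolicyDetails) {
        foreach ($rule in $policy.Rules) {
            [pscustomobject]@{
                Time     = $d.CreationTime
                User     = $d.UserId
                Workload = $d.Workload
                Policy   = $policy.PolicyName
                Rule     = $rule.RuleName
                Actions  = ($rule.Actions -join ', ')
                SITs     = ($rule.ConditionsMatched.SensitiveInformation.SensitiveInformationTypeName -join ', ')
            }
        }
    }
}

# Users with the most blocked sends: candidates for targeted training
# (the "Train Employees" best practice) rather than just a ticket.
$matches | Where-Object Actions -match 'BlockAccess' |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail, exported for the audit trail.
$matches | Sort-Object Time | Export-Csv -Path .\dlp-rule-matches.csv -NoTypeInformation
```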

Best Practices for HIPAA Compliance with DLP Policies
- Regularly Review and Update Policies: Ensure your DLP policies are up to date with evolving HIPAA regulations and emerging security risks.
- Test Policies Before Enforcing: Run the policy in simulation (monitor-only) mode initially to identify any issues and avoid disruptions to daily operations.
- Train Employees: Ensure that healthcare professionals understand HIPAA requirements and the importance of protecting patient information.
- Customize Actions Based on Severity: Consider implementing different actions based on the severity of the violation. For example, blocking actions for high-severity violations but providing warnings for minor infractions.
Conclusion
Creating a DLP policy in Microsoft Purview for HIPAA compliance is an essential step in protecting sensitive medical information. By leveraging the DLP policy, organizations can prevent the unauthorized sharing of patient data, ensuring they meet HIPAA standards. Whether you create DLP policies manually or leverage the built-in templates, Microsoft Purview enables healthcare organizations to effectively safeguard sensitive health data and avoid potential penalties for non-compliance.