docs(cascades): track Teams HIPAA rollout as new gap
Added Teams deployment + HIPAA-appropriate configuration as a tracked gap (hipaa.md #27) and M365 issue (m365.md #14). Cites transmission security + BAA requirements and outlines controls needed (retention, DLP, external sharing lockdown, guest access, meeting consent). Dependency on Microsoft BAA flagged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -287,6 +287,7 @@ Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account
|
||||
11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email.
|
||||
12. **No Microsoft BAA signed** — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA.
|
||||
13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free).
|
||||
14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first.
|
||||
|
||||
## Notes
|
||||
|
||||
|
||||
Reference in New Issue
Block a user