docs(cascades): track Teams HIPAA rollout as new gap

Added Teams deployment + HIPAA-appropriate configuration as a tracked
gap (hipaa.md #27) and M365 issue (m365.md #14). Cites transmission
security + BAA requirements and outlines controls needed (retention,
DLP, external sharing lockdown, guest access, meeting consent).
Dependency on Microsoft BAA flagged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 14:16:02 -07:00
parent 96ad4b7059
commit 223dc861c2
2 changed files with 2 additions and 0 deletions


@@ -287,6 +287,7 @@ Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account
11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email.
12. **No Microsoft BAA signed** — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA.
13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free).
14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first.
## Notes
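Review bot: the control checklist in item 14 (retention, DLP, external sharing, guest access, consent banner, auto-record OFF, PSTN/voicemail storage) is longer than the one written into hipaa.md row 27 for the same gap, so the two lists will drift unless one file is declared canonical and the other points to it; suggest ending the hipaa.md remediation cell with "see m365.md #14 for the full checklist" rather than repeating a subset. Also, item 12 already states that M365 email may contain PHI, while item 14 scopes DLP and retention only to Teams; it would help to say whether those DLP patterns (SSN/MRN/patient identifiers) are meant to be tenant-wide policies covering Exchange as well, or Teams-only.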


@@ -84,6 +84,7 @@ Nurses/MedTechs (staff PCs)
| 24 | **RestrictAnonymous = 0** on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed |
| 25 | **Protected Users group empty** | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected |
| 26 | **Share permissions: Everyone=FullControl** on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming |
| 27 | **Microsoft Teams not deployed or HIPAA-configured** for staff | Medium | §164.312(e)(1) — Transmission Security + §164.308(b)(1) — Business Associates | Roll out Teams to all staff with HIPAA-appropriate controls: retention policies for chat/channel/meeting recordings, external sharing restrictions, DLP for PHI in messages, meeting recording consent, guest access disabled by default. Depends on Microsoft BAA (#13). |
## Quick Wins (Free, Can Do Now)
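Review bot: row 27 cites the BAA dependency as "#13", while the corresponding m365.md item cites "#12"; the two files number their gaps independently, so please confirm that row 13 of this table is in fact the Microsoft BAA gap, since a stale cross-reference in a compliance tracker is easy to miss and the BAA row is not visible in this hunk. The remediation cell also omits two controls listed in m365.md #14 (auto-record OFF and PSTN/voicemail storage review); either add them here or have the cell reference m365.md #14 explicitly.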