docs: Cascades Microsoft BAA resolved — covered by MCA for Business plan subscribers
Gap #13 in hipaa.md marked resolved. Same update in hipaa-caregiver-controls.md and m365.md. Confirmed 2026-05-14: no separate HIPAA BAA acceptance exists or is required for M365 Business plan tenants under the Microsoft Customer Agreement. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -9,7 +9,7 @@
|
||||
- Global Admin: sysadmin@cascadestucson.com (Howard Enos, MSP)
|
||||
- Former Admin: admin@NETORGFT4257522.onmicrosoft.com (Sandra Fish — previous director, removed 2026-04-14: global admin revoked, sign-in blocked, P2 license removed)
|
||||
- DirSync / Entra Connect: **Not configured** (all accounts cloud-only) — **PLANNED: Install Entra Connect for SSO**
|
||||
- HIPAA BAA: **Not signed** — required since email may contain PHI
|
||||
- HIPAA BAA: **Covered by MCA** — Microsoft Customer Agreement automatically includes the HIPAA BAA for Business plan subscribers (confirmed 2026-05-14, no separate acceptance needed)
|
||||
- MFA: **Not enabled** — Security Defaults not configured
|
||||
|
||||
## Licensing
|
||||
@@ -285,7 +285,7 @@ Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account
|
||||
9. **Kristiana Dowse** — Licensed in M365 but not in AD. Verify: current employee or former?
|
||||
10. **nick pavloff** — Created 2026-03-07 (yesterday). New hire — needs AD account.
|
||||
11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email.
|
||||
12. **No Microsoft BAA signed** — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA.
|
||||
12. **Microsoft BAA — covered by MCA (resolved 2026-05-14)** — Microsoft HIPAA BAA is automatically included in the Microsoft Customer Agreement for Business plan subscribers. No separate acceptance step is available or required for this subscription type.
|
||||
13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free).
|
||||
14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. **Rollout plan + test plan: `docs/cloud/teams-rollout.md`** (Lauren Hasselman 2026-05-05 inability-to-create-team report is the canary test).
|
||||
|
||||
|
||||
Reference in New Issue
Block a user