docs: Cascades Microsoft BAA resolved — covered by MCA for Business plan subscribers

Gap #13 in hipaa.md marked resolved. Same update in hipaa-caregiver-controls.md and m365.md.
Confirmed 2026-05-14: no separate HIPAA BAA acceptance exists or is required for M365 Business
plan tenants under the Microsoft Customer Agreement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-05-14 18:49:41 -07:00
parent 32f7dded88
commit 56f7a53bf4
3 changed files with 6 additions and 6 deletions

View File

@@ -9,7 +9,7 @@
- Global Admin: sysadmin@cascadestucson.com (Howard Enos, MSP)
- Former Admin: admin@NETORGFT4257522.onmicrosoft.com (Sandra Fish — previous director, removed 2026-04-14: global admin revoked, sign-in blocked, P2 license removed)
- DirSync / Entra Connect: **Not configured** (all accounts cloud-only) — **PLANNED: Install Entra Connect for SSO**
- HIPAA BAA: **Not signed** — required since email may contain PHI
- HIPAA BAA: **Covered by MCA** — Microsoft Customer Agreement automatically includes the HIPAA BAA for Business plan subscribers (confirmed 2026-05-14, no separate acceptance needed)
- MFA: **Not enabled** — Security Defaults not configured
## Licensing
@@ -285,7 +285,7 @@ Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account
9. **Kristiana Dowse** — Licensed in M365 but not in AD. Verify: current employee or former?
10. **nick pavloff** — Created 2026-03-07 (yesterday). New hire — needs AD account.
11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email.
12. **No Microsoft BAA signed** — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA.
12. **Microsoft BAA — covered by MCA (resolved 2026-05-14)** — Microsoft HIPAA BAA is automatically included in the Microsoft Customer Agreement for Business plan subscribers. No separate acceptance step is available or required for this subscription type.
13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free).
14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. **Rollout plan + test plan: `docs/cloud/teams-rollout.md`** (Lauren Hasselman 2026-05-05 inability-to-create-team report is the canary test).