docs: Cascades Microsoft BAA resolved — covered by MCA for Business plan subscribers

Gap #13 in hipaa.md marked resolved. Same update in hipaa-caregiver-controls.md and m365.md.
Confirmed 2026-05-14: no separate HIPAA BAA acceptance exists or is required for M365 Business
plan tenants under the Microsoft Customer Agreement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-05-14 18:49:41 -07:00
parent 32f7dded88
commit 56f7a53bf4
3 changed files with 6 additions and 6 deletions

View File

@@ -154,7 +154,7 @@ If any of these become false, the architecture must be reviewed and either resto
These are independent gaps tracked elsewhere; they predate and are not introduced by this architecture:
- **Microsoft BAA not yet signed.** Required under §164.308(b)(1). Tracked in `docs/cloud/m365.md:288`.
- **Microsoft BAA — resolved 2026-05-14.** Covered automatically by the Microsoft Customer Agreement for Business plan subscribers. No separate acceptance required.
- **ALIS BAA not yet verified.** Required under §164.308(b)(1). Tracked in `docs/billing-log.md:254`.
Both must be in place before treating any of this as a complete HIPAA program.

View File

@@ -30,7 +30,7 @@ Cascades was taken over from a previous MSP that left the environment insecure a
| 11 | **ALIS browser access on shared PCs** | Medium | §164.312(d) — Person Authentication | Phase 5 (individual logins, no shared accounts) |
| 11b | **Caregiver shared-phone access — no MFA factor** | (compensating-controls architecture — see [`hipaa-caregiver-controls.md`](hipaa-caregiver-controls.md)) | §164.312(a)(1), §164.312(d), §164.306(b) | Live 2026-05-11 with pilot user `pilot.test`; staged caregiver rollout pending pilot SSO verify |
| 12 | **No BAA verified with ALIS** | Medium | §164.308(b)(1) — Business Associates | Verify with management |
| 13 | **No BAA with Microsoft (M365)** | Medium | §164.308(b)(1) — Business Associates | Sign Microsoft BAA via M365 admin |
| 13 | **Microsoft BAA — covered by MCA** | Resolved | §164.308(b)(1) — Business Associates | Microsoft HIPAA BAA is automatically included in the Microsoft Customer Agreement (MCA) for Business plan subscribers. No separate acceptance step exists or is required. Confirmed 2026-05-14. |
| 14 | **Sandra Fish still global admin** | Low | §164.308(a)(3) — Workforce Security | Create break-glass admin, remove Sandra |
| 15 | **No M365 backup** | Low | §164.308(a)(7) — Contingency Plan | Future — Veeam Backup for M365 |
@@ -85,12 +85,12 @@ Nurses/MedTechs (staff PCs)
| 24 | **RestrictAnonymous = 0** on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed |
| 25 | **Protected Users group empty** | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected |
| 26 | **Share permissions: Everyone=FullControl** on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming |
| 27 | **Microsoft Teams not deployed or HIPAA-configured** for staff | Medium | §164.312(e)(1) — Transmission Security + §164.308(b)(1) — Business Associates | Roll out Teams to all staff with HIPAA-appropriate controls: retention policies for chat/channel/meeting recordings, external sharing restrictions, DLP for PHI in messages, meeting recording consent, guest access disabled by default. Depends on Microsoft BAA (#13). |
| 27 | **Microsoft Teams not deployed or HIPAA-configured** for staff | Medium | §164.312(e)(1) — Transmission Security + §164.308(b)(1) — Business Associates | Roll out Teams to all staff with HIPAA-appropriate controls: retention policies for chat/channel/meeting recordings, external sharing restrictions, DLP for PHI in messages, meeting recording consent, guest access disabled by default. Microsoft BAA (#13) confirmed covered by MCA. |
## Quick Wins (Free, Can Do Now)
1. **Enable MFA on M365** — Security Defaults in Entra ID (free, takes 5 minutes)
2. **Sign Microsoft BAA** — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA
2. ~~**Sign Microsoft BAA**~~**RESOLVED 2026-05-14:** Covered automatically by Microsoft Customer Agreement for Business plan subscribers. No action needed.
3. **Verify ALIS BAA** — Ask management if they have a signed BAA with go-alis.com
4. **BitLocker GPO** — Enable via Security Baseline GPO once PCs are domain-joined (Phase 2.6)