docs: Cascades Microsoft BAA resolved — covered by MCA for Business plan subscribers
Gap #13 in hipaa.md marked resolved. Same update in hipaa-caregiver-controls.md and m365.md. Confirmed 2026-05-14: no separate HIPAA BAA acceptance exists or is required for M365 Business plan tenants under the Microsoft Customer Agreement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -9,7 +9,7 @@
- Global Admin: sysadmin@cascadestucson.com (Howard Enos, MSP)
- Global Admin: sysadmin@cascadestucson.com (Howard Enos, MSP)
- Former Admin: admin@NETORGFT4257522.onmicrosoft.com (Sandra Fish — previous director, removed 2026-04-14: global admin revoked, sign-in blocked, P2 license removed)
- Former Admin: admin@NETORGFT4257522.onmicrosoft.com (Sandra Fish — previous director, removed 2026-04-14: global admin revoked, sign-in blocked, P2 license removed)
- DirSync / Entra Connect: **Not configured** (all accounts cloud-only) — **PLANNED: Install Entra Connect for SSO**
- DirSync / Entra Connect: **Not configured** (all accounts cloud-only) — **PLANNED: Install Entra Connect for SSO**
- HIPAA BAA: **Not signed** — required since email may contain PHI
- HIPAA BAA: **Covered by MCA** — Microsoft Customer Agreement automatically includes the HIPAA BAA for Business plan subscribers (confirmed 2026-05-14, no separate acceptance needed)
- MFA: **Not enabled** — Security Defaults not configured
- MFA: **Not enabled** — Security Defaults not configured
## Licensing
## Licensing
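Review bot: the new `HIPAA BAA: **Covered by MCA**` row states a conclusion without the evidence behind it; add a pointer to how it was confirmed on 2026-05-14 (the Microsoft documentation page, a support case number, or the agreement as shown under the tenant's billing account) so the §164.308(b)(1) finding is auditable rather than a bare assertion. HIPAA still expects the covered entity to be able to produce the BAA terms on request, so a link to, or stored copy of, the MCA's HIPAA BAA terms belongs alongside this row, not only the word "confirmed".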
@@ -285,7 +285,7 @@ Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account
9. **Kristiana Dowse** — Licensed in M365 but not in AD. Verify: current employee or former?
9. **Kristiana Dowse** — Licensed in M365 but not in AD. Verify: current employee or former?
10. **nick pavloff** — Created 2026-03-07 (yesterday). New hire — needs AD account.
10. **nick pavloff** — Created 2026-03-07 (yesterday). New hire — needs AD account.
11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email.
11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email.
12. **No Microsoft BAA signed** — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA.
12. **Microsoft BAA — covered by MCA (resolved 2026-05-14)** — Microsoft HIPAA BAA is automatically included in the Microsoft Customer Agreement for Business plan subscribers. No separate acceptance step is available or required for this subscription type.
13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free).
13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free).
14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. **Rollout plan + test plan: `docs/cloud/teams-rollout.md`** (Lauren Hasselman 2026-05-05 inability-to-create-team report is the canary test).
14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. **Rollout plan + test plan: `docs/cloud/teams-rollout.md`** (Lauren Hasselman 2026-05-05 inability-to-create-team report is the canary test).
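Review bot: item 14 is left unchanged and still says "Depends on Microsoft BAA (#12) being signed first", while item 12 directly above it is marked resolved in this same hunk; update item 14 to match (the hipaa.md hunk in this commit does reword the equivalent row 27 to "Microsoft BAA (#13) confirmed covered by MCA"), otherwise the Teams rollout stays blocked on a dependency the document says no longer exists. The removed item 12 text also carried the Admin Center path (Settings → Org Settings → Security & Privacy → HIPAA BAA); if that pane is genuinely absent for this subscription type, a short dated note of what was checked would stop the next reviewer from repeating the search.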
@@ -154,7 +154,7 @@ If any of these become false, the architecture must be reviewed and either resto
These are independent gaps tracked elsewhere; they predate and are not introduced by this architecture:
These are independent gaps tracked elsewhere; they predate and are not introduced by this architecture:
- **Microsoft BAA not yet signed.** Required under §164.308(b)(1). Tracked in `docs/cloud/m365.md:288`.
- **Microsoft BAA — resolved 2026-05-14.** Covered automatically by the Microsoft Customer Agreement for Business plan subscribers. No separate acceptance required.
- **ALIS BAA not yet verified.** Required under §164.308(b)(1). Tracked in `docs/billing-log.md:254`.
- **ALIS BAA not yet verified.** Required under §164.308(b)(1). Tracked in `docs/billing-log.md:254`.
Both must be in place before treating any of this as a complete HIPAA program.
Both must be in place before treating any of this as a complete HIPAA program.
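Review bot: the closing sentence "Both must be in place before treating any of this as a complete HIPAA program" is now stale, since the list above it has one resolved item (Microsoft BAA) and one still-open item (ALIS BAA); reword it to refer to the ALIS BAA alone, or phrase the Microsoft item as a dependency that is met. The rewritten Microsoft bullet also drops the cross-reference the old one carried (`docs/cloud/m365.md:288`); keep a pointer to where the resolution and its evidence are recorded so the trail from this architecture doc back to the source finding survives.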
@@ -30,7 +30,7 @@ Cascades was taken over from a previous MSP that left the environment insecure a
| 11 | **ALIS browser access on shared PCs** | Medium | §164.312(d) — Person Authentication | Phase 5 (individual logins, no shared accounts) |
| 11 | **ALIS browser access on shared PCs** | Medium | §164.312(d) — Person Authentication | Phase 5 (individual logins, no shared accounts) |
| 11b | **Caregiver shared-phone access — no MFA factor** | (compensating-controls architecture — see [`hipaa-caregiver-controls.md`](hipaa-caregiver-controls.md)) | §164.312(a)(1), §164.312(d), §164.306(b) | Live 2026-05-11 with pilot user `pilot.test`; staged caregiver rollout pending pilot SSO verify |
| 11b | **Caregiver shared-phone access — no MFA factor** | (compensating-controls architecture — see [`hipaa-caregiver-controls.md`](hipaa-caregiver-controls.md)) | §164.312(a)(1), §164.312(d), §164.306(b) | Live 2026-05-11 with pilot user `pilot.test`; staged caregiver rollout pending pilot SSO verify |
| 12 | **No BAA verified with ALIS** | Medium | §164.308(b)(1) — Business Associates | Verify with management |
| 12 | **No BAA verified with ALIS** | Medium | §164.308(b)(1) — Business Associates | Verify with management |
| 13 | **No BAA with Microsoft (M365)** | Medium | §164.308(b)(1) — Business Associates | Sign Microsoft BAA via M365 admin |
| 13 | **Microsoft BAA — covered by MCA** | Resolved | §164.308(b)(1) — Business Associates | Microsoft HIPAA BAA is automatically included in the Microsoft Customer Agreement (MCA) for Business plan subscribers. No separate acceptance step exists or is required. Confirmed 2026-05-14. |
| 14 | **Sandra Fish still global admin** | Low | §164.308(a)(3) — Workforce Security | Create break-glass admin, remove Sandra |
| 14 | **Sandra Fish still global admin** | Low | §164.308(a)(3) — Workforce Security | Create break-glass admin, remove Sandra |
| 15 | **No M365 backup** | Low | §164.308(a)(7) — Contingency Plan | Future — Veeam Backup for M365 |
| 15 | **No M365 backup** | Low | §164.308(a)(7) — Contingency Plan | Future — Veeam Backup for M365 |
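Review bot: row 13 now puts "Resolved" in the severity column, which every other row in this table uses for Medium/Low, so any count or sort of open findings by severity will silently drop it; keep the original severity and mark the status in the title or remediation cell instead (the Quick Wins list in this same commit uses strikethrough plus a dated RESOLVED marker, which would be consistent here). Separately, row 14 ("Sandra Fish still global admin", Low, "Create break-glass admin, remove Sandra") is left open while the m365.md header updated in this commit records her as removed on 2026-04-14 with global admin revoked and sign-in blocked; mark row 14 resolved or note why it remains open.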
@@ -85,12 +85,12 @@ Nurses/MedTechs (staff PCs)
| 24 | **RestrictAnonymous = 0** on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed |
| 24 | **RestrictAnonymous = 0** on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed |
| 25 | **Protected Users group empty** | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected |
| 25 | **Protected Users group empty** | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected |
| 26 | **Share permissions: Everyone=FullControl** on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming |
| 26 | **Share permissions: Everyone=FullControl** on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming |
| 27 | **Microsoft Teams not deployed or HIPAA-configured** for staff | Medium | §164.312(e)(1) — Transmission Security + §164.308(b)(1) — Business Associates | Roll out Teams to all staff with HIPAA-appropriate controls: retention policies for chat/channel/meeting recordings, external sharing restrictions, DLP for PHI in messages, meeting recording consent, guest access disabled by default. Depends on Microsoft BAA (#13). |
| 27 | **Microsoft Teams not deployed or HIPAA-configured** for staff | Medium | §164.312(e)(1) — Transmission Security + §164.308(b)(1) — Business Associates | Roll out Teams to all staff with HIPAA-appropriate controls: retention policies for chat/channel/meeting recordings, external sharing restrictions, DLP for PHI in messages, meeting recording consent, guest access disabled by default. Microsoft BAA (#13) confirmed covered by MCA. |
## Quick Wins (Free, Can Do Now)
## Quick Wins (Free, Can Do Now)
1. **Enable MFA on M365** — Security Defaults in Entra ID (free, takes 5 minutes)
1. **Enable MFA on M365** — Security Defaults in Entra ID (free, takes 5 minutes)
2. **Sign Microsoft BAA** — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA
2. ~~**Sign Microsoft BAA**~~ — **RESOLVED 2026-05-14:** Covered automatically by Microsoft Customer Agreement for Business plan subscribers. No action needed.
3. **Verify ALIS BAA** — Ask management if they have a signed BAA with go-alis.com
3. **Verify ALIS BAA** — Ask management if they have a signed BAA with go-alis.com
4. **BitLocker GPO** — Enable via Security Baseline GPO once PCs are domain-joined (Phase 2.6)
4. **BitLocker GPO** — Enable via Security Baseline GPO once PCs are domain-joined (Phase 2.6)
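Review bot: row 27 still lists "§164.308(b)(1) — Business Associates" as a driver in its regulation column while its remediation cell now says the BAA is covered; either drop that citation from the row or state that the business-associate term is satisfied and only the §164.312(e)(1) transmission-security work remains, so the row reads consistently. In Quick Wins, item 2's "No action needed" is slightly too strong for a compliance file: retaining a copy of the MCA's HIPAA BAA terms is still an action, and saying so keeps the evidence requirement visible. Item 1 (MFA) remains the genuinely open quick win and now has no dependency on item 2, which is worth stating since the removed text implied ordering.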