Microsoft 365 for healthcare.
Built around HIPAA, not bolted onto it.
Clinical groups, dental DSOs, post-acute networks, and specialty practices. We harden the M365 surface around your EHR, ready your tenant for HIPAA-compliant Copilot, and build identity that works for distributed clinical staff.
HIPAA Security Rule modernization comments closed in 2024. Enforcement is shifting toward the controls themselves — MFA, encryption-at-rest, audit logging, vulnerability management — not just the policies on the shelf.
Why labor-only matters in healthcare
No resale incentives. No license overselling. No PHI ever leaves your tenant.
The labor-only model is a healthcare trust signal. We don't carry a partner badge that pays us to push a SKU. We don't resell licenses. We don't subcontract offshore. And we don't need PHI access to do the work — the work is identity, labels, governance, and tenant configuration, not the patient data underneath.
Most healthcare IT projects are sold by firms that earn margin on the licenses they recommend. That's not inherently bad — but the buyer should know which model they're hiring. A reseller-aligned firm has a financial reason to land on the higher SKU, the bigger seat count, the longer term. We don't have that incentive. We bill hours and fixed-fee scopes. The recommendation reflects what fits your environment — including, sometimes, "you're already licensed for this; you just haven't deployed it."
On the data side: we work inside your tenant, under your controls, with engineering accounts you provision and revoke. The technical work — permission inventory, label baseline, Conditional Access, identity hardening — happens at the metadata and configuration layer. Most healthcare engagements complete with zero PHI ever touching an engineering account. The exceptions are documented in scope before the engagement starts and run under a signed BAA with audit logging on every action.
Three workstreams
What we deliver to healthcare customers.
The work clusters into three workstreams. Most engagements draw from all three; some focus on one.
Workstream 01
HIPAA-compliant Microsoft 365 Copilot
The Copilot license is in the M365 BAA. The technical readiness work — permission inventory, sensitivity-label baseline, Purview DLP, oversharing remediation — is what determines whether Copilot deployment exposes PHI in prompts. We deliver the 2-week Copilot Readiness assessment and the follow-on remediation if needed.
- Permission inventory across SharePoint and OneDrive (every site, every share, every guest)
- Sensitivity-label baseline with PHI-aware classification
- Purview DLP policies: PHI-in-chat, PHI-in-email, PHI-in-OneDrive guardrails
- Oversharing remediation prioritized by exposure level
- Per-workload go-live recommendation: green / yellow / red
- Audit-ready documentation for compliance program review
Workstream 02
EHR-adjacent M365 hardening
Most healthcare organizations run an EHR (Epic, Cerner, Athenahealth, eClinicalWorks, Practice Fusion, Open Dental) plus Microsoft 365 for everything around it — back-office mail, file storage, Teams chat, scheduling, billing comms. The EHR vendor handles the EHR. Nobody handles the M365 surface that touches it. That's the work.
- Conditional Access for EHR-adjacent users (clinical staff, billing, front desk)
- Identity hardening for EHR API integration accounts
- M365 retention policies aligned to record-retention regulations
- Teams chat governance for clinical communication
- Defender for Office 365 with healthcare-tuned phishing protection
- Tenant-level audit logging with Sentinel ingestion if applicable
Workstream 03
Post-acute and multi-site identity
Long-term care, skilled nursing, behavioral health, and rehab networks run distributed sites with rotating clinical staff, contracted nurse practitioners, and high turnover. Identity becomes the single hardest problem: who has access to what, where, and for how long. The standard mid-market identity playbook doesn't fit; the post-acute playbook is purpose-built.
- Entra ID hybrid for multi-site clinical staff with mobile-first access patterns
- Joiner / mover / leaver automation tuned for high-turnover staffing
- Contractor and per-diem identity lifecycle (time-bounded access)
- Site-scoped Conditional Access (kiosk vs nursing station vs personal device)
- MFA strategy that works for clinicians who can't use SMS at the bedside
- Quarterly access reviews with clinical leadership in the approval loop
Regulatory specifics we engineer to
HIPAA, HITECH, and the state layer.
The technical work is the same regardless of jurisdiction. The audit trail and documentation differ — and that's where most healthcare engagements get sloppy.
HIPAA Security Rule (45 CFR §164.308–316)
Administrative, physical, and technical safeguards. The technical safeguards (access control, audit controls, integrity, transmission security) are the M365 work. We map the technical configurations to the rule citations in writing — not as a shrink-wrapped checklist, but as the actual configuration evidence.
HITECH (breach notification, BAA enforcement)
Federal breach notification rules and direct BAA liability. Audit log retention, breach-readiness evidence, and access-review documentation matter for HITECH attestations. We deliver the artifacts in a format your compliance program can attach to its existing record.
State breach-notification law overlay
All 50 states + DC have breach-notification laws on top of HIPAA. Definitions of "breach," timelines, and AG-notification triggers vary. The technical controls don't change per state — the documentation and audit-trail granularity do. We engineer for the strictest state in your operating footprint.
42 CFR Part 2 (substance use disorder)
For behavioral health and SUD-treatment providers, Part 2 layers tighter consent requirements over HIPAA for SUD records. Sensitivity labels and DLP policies need a Part-2-aware classification. The label model differs from a pure HIPAA tenant.
Recent healthcare references
Anonymized engagement profiles.
No client names. Sector + size + scope. The full engagement notes are on /work/.
1,200-seat regional health network
Copilot Readiness + Purview DLP foundation. 6-week remediation before phased clinical rollout.
4-clinic, 80-staff dental DSO
M365 hardening, Conditional Access, sensitivity labels for patient correspondence and imaging links.
Multi-site post-acute care network (12 facilities)
Entra ID hybrid + multi-site Conditional Access + contractor identity lifecycle automation.
Tribal nation healthcare + government
Active Directory audit (PingCastle + Purple Knight + manual) across 17-DC forest. Discovery-only engagement.
Specialty clinical group, 220 providers across 6 states
Tenant-to-tenant migration following acquisition. EHR-adjacent M365 cutover with no PHI workflow disruption.
Where to go next
Read the related work.
Service
Copilot Readiness Assessment
2-week fixed-fee. Permission inventory, label baseline, Purview foundations, written go-live recommendation.
Service pillar
Identity, Security & Compliance
AD audit, Entra ID hybrid, Copilot readiness, GCC High & CMMC. The full identity and compliance pillar.
Field notes
Copilot HIPAA & the BAA
What the M365 BAA actually covers for Copilot deployment, and what it doesn't. (Long-form deep-dive.)
FAQ
Common questions from healthcare buyers.
Are you HIPAA-compliant?
We sign Business Associate Agreements with healthcare customers as standard practice. The technical work is HIPAA-aligned (no PHI in non-compliant systems, no PHI in chat tools, audit logging on engineering activity, time-bounded access, no offshore subcontracting). The cleaner answer: we work in your tenant, under your controls, with no PHI ever leaving your boundary. Most healthcare engagements never need PHI access at all — the work is identity, governance, and labels, not the data inside.
What does HIPAA-compliant Copilot actually mean?
Microsoft 365 Copilot is in the M365 BAA when licensed correctly, deployed in a tenant with the right SKUs, and configured against a hardened permission and label baseline. The licensing and tenant configuration are non-trivial. The harder problem is the permission baseline: Copilot reads everything a user has access to, and most healthcare tenants have years of accumulated oversharing. The 'compliant deployment' isn't a single switch — it's a multi-week remediation project before go-live.
Can Copilot see PHI it shouldn't?
If a user has access to a SharePoint site that contains PHI, Copilot can surface that content in their prompts. The control isn't on Copilot — it's on the underlying access. Sensitivity labels (Purview), DLP policies, and a permission inventory are the actual guardrails. If your tenant has 12,000+ unique sharing permissions (typical for a 500+ seat healthcare org), you have a Copilot exposure problem that license restrictions alone can't solve.
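The permission-inventory guardrail described in the two answers above, as an added example that is not the page's or the firm's own tooling: a Python triage that ranks every shared item in a constructed permission export by how wide its audience is and whether it carries a PHI label, then rolls each site up to the green / yellow / red go-live colour used in Workstream 01. The CSV column names, the tier weights, the "unlabeled counts as possibly PHI" rule and the colour thresholds are all assumptions made for illustration; a real tenant export from the SharePoint admin center or a Graph-based inventory will need its own loader.

```python
"""Oversharing triage over a SharePoint/OneDrive permission export.

Added example; not the page's own tooling. It assumes a CSV export with the
five columns below (site, item, principal, principal_type, label). Real tenant
exports use different column names, so the loader is a labelled assumption.
The ranking follows the page's point: the guardrail is the underlying access,
so rank what Copilot could surface, widest audience first.
"""
import csv
import io
from collections import defaultdict

# Exposure tiers, widest audience first. The weights are an assumption used
# only to order remediation work, not a measured breach probability.
TIER_WEIGHT = {
    "anyone": 100,       # anonymous "Anyone with the link"
    "guest": 40,         # external B2B guest account
    "org_wide": 25,      # "People in <org>" link or Everyone except external users
    "broad_group": 10,   # large internal security or M365 group
    "direct": 1,         # a named internal user
}


def sensitivity_factor(label: str) -> int:
    """Multiplier by label. Unlabeled content is treated as *possibly* PHI
    because the label baseline has not classified it yet (assumption)."""
    if label.upper() == "PHI":
        return 3
    if label == "":
        return 2
    return 1


# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = """site,item,principal,principal_type,label
https://contoso.sharepoint.com/sites/Billing,Claims-2023.xlsx,Anyone with the link,anyone,PHI
https://contoso.sharepoint.com/sites/Billing,Claims-2023.xlsx,Everyone except external users,org_wide,PHI
https://contoso.sharepoint.com/sites/Billing,Remits.csv,jdoe@contoso.com,direct,PHI
https://contoso.sharepoint.com/sites/Nursing,Shift-notes.docx,np.locum@agency.example,guest,PHI
https://contoso.sharepoint.com/sites/Nursing,Shift-notes.docx,All Clinical Staff,broad_group,PHI
https://contoso.sharepoint.com/sites/Nursing,Intake-form.pdf,People in Contoso,org_wide,
https://contoso.sharepoint.com/sites/Marketing,Flyer.pdf,Anyone with the link,anyone,Public
"""


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export into row dicts (one row per item/principal pair)."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(text: str) -> list[dict]:
    """Rank every shared item by exposure score, highest first."""
    by_item = defaultdict(list)
    for row in parse_export(text):
        by_item[(row["site"], row["item"])].append(row)

    ranked = []
    for (site, item), rows in by_item.items():
        widest = max(rows, key=lambda r: TIER_WEIGHT.get(r["principal_type"], 0))
        label = next((r["label"].strip() for r in rows if r["label"].strip()), "")
        score = TIER_WEIGHT.get(widest["principal_type"], 0) * sensitivity_factor(label)
        ranked.append({
            "site": site,
            "item": item,
            "widest": widest["principal_type"],
            "label": label or "(unlabeled)",
            "permissions": len(rows),   # unique sharing permissions on this item
            "score": score,
        })
    ranked.sort(key=lambda e: (-e["score"], e["site"], e["item"]))
    return ranked


_COLOR_ORDER = {"green": 0, "yellow": 1, "red": 2}


def go_live_colors(ranked: list[dict]) -> dict[str, str]:
    """Per-site go-live recommendation in green/yellow/red terms.

    Thresholds are an assumption: PHI reachable by an anonymous link or a guest
    is red; unlabeled content exposed beyond a named user is yellow; else green.
    A site takes the worst colour of any item it holds.
    """
    colors: dict[str, str] = {}
    for e in ranked:
        if e["label"] == "PHI" and e["widest"] in ("anyone", "guest"):
            color = "red"
        elif e["label"] == "(unlabeled)" and e["widest"] != "direct":
            color = "yellow"
        else:
            color = "green"
        current = colors.get(e["site"], "green")
        colors[e["site"]] = color if _COLOR_ORDER[color] > _COLOR_ORDER[current] else current
    return colors


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for e in result:
        site_name = e["site"].rsplit("/", 1)[-1]
        print(f"{e['score']:>4}  {e['widest']:<12} {e['label']:<11} {site_name}/{e['item']}")
    print(go_live_colors(result))
```

Run against a real export, the two things worth reading first are the top of the ranked list (PHI behind an anonymous or guest link) and the site-level colours; both map directly onto the "remediation prioritized by exposure level" and "per-workload go-live recommendation" items in Workstream 01.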
We're a 4-clinic dental DSO with 80 staff — is this overkill for us?
No. Smaller healthcare organizations have the same regulatory exposure as larger ones (HIPAA applies regardless of seat count) and often less internal IT capacity to manage it. The work scales down: a Copilot Readiness assessment for an 80-seat tenant is faster and cheaper than a 1,200-seat enterprise. The framework is the same.
Do you replace our existing IT team or MSP?
Almost never. Most healthcare engagements run alongside an internal IT director or an existing MSP. We come in for the project — the M365 hardening, the Copilot readiness, the identity work, the multi-site Entra deployment — and hand the operational keys back when it's done. If your MSP is already running well, we don't compete with them. If you don't have one and need one for go-forward, we can scope managed support post-project.
What about state-level breach notification on top of HIPAA?
Most healthcare customers we work with operate in 1–6 states with varying breach-notification laws on top of HIPAA. The technical controls don't change — what changes is the audit trail. We document control implementation in writing as we go (Conditional Access policies, access reviews, label rollout, DLP triggers, retention) so legal and compliance have evidence to attach to attestations and breach-readiness documentation.
Have a HIPAA-adjacent project on the runway?
Tell us the size of the organization, the EHR, and the project on deck (Copilot readiness, M365 hardening, identity, multi-site). Two-business-day response with scope and timeline.