SharePoint: Requesting and Managing Sites for FERPA or HIPAA Data

Summary

Sites containing student education records (FERPA) or protected health information (HIPAA) require special security and governance measures. This article outlines the steps to initiate and manage compliant SharePoint sites, including required approvals and sensitivity labeling. Please review SharePoint: USNH SharePoint Usage Guidelines and Governance.

Content


Overview

  • FERPA protects the privacy of student education records. It applies to institutions receiving federal funding and restricts disclosure of personally identifiable information without consent.
  • HIPAA governs protected health information in a healthcare context. However, student medical records at educational institutions often fall under FERPA rather than HIPAA, unless explicitly designated otherwise.
     

Compliance Checklist for SharePoint

  1. Initial Consultation

Contact the SharePoint Admin team before creating a site with FERPA or HIPAA data. This allows discussion of required security controls, sensitivity labels, and compliance protocols. Reach out via this service form: https://td.usnh.edu/TDClient/60/Portal/Requests/ServiceDet?ID=649 

  2. Sensitivity Label

A Purview sensitivity label is required to enforce protection settings on sites containing regulated data. Labels may include encryption, external sharing restrictions, and guest access limitations. To request a label or a consultation, submit a request to the SharePoint Admin team.

  3. Site Configuration
    • Ensure at least two site owners are assigned.
    • Limit membership to authorized personnel only, and apply least-privilege access principles.
    • "Anyone" links and anonymous sharing will not be permitted on the site. External access must be explicitly approved and monitored if not managed via the sensitivity label.
    • Audit and regularly review sharing activity.

  4. Ongoing Management
    • Perform periodic site usage reviews to validate that sensitive data remains under appropriate control.
    • Update permissions immediately when staff roles change.
    • Maintain the sensitivity label and update it if the site’s data classification changes.

  5. Incident Response Readiness

In cases of suspected data disclosure or breach, SharePoint Admins must be promptly notified. Maintain clear documentation of site configuration and access logs to support compliance audits or investigations.
 

Why This Matters

  • Federal law requires strict control and auditing of records protected by FERPA and HIPAA.
  • Sensitivity labels and restricted access ensure data is not unintentionally exposed. For example:
    • Encryption remains intact even if documents are downloaded or shared externally.
    • SharePoint and OneDrive support label-based DLP and e-discovery.
  • Non-compliance can lead to serious legal repercussions, financial penalties, and reputational damage.
     

Need Support or Approval?

Reach out to the SharePoint Admins through TeamDynamix and reference this article. Please include:

  • Description of data type and sensitivity (FERPA/HIPAA)
  • Proposed site name and purpose
  • Request for a specific sensitivity label
  • List of initial site owners

For additional information, please review SharePoint: Requesting a Sensitivity Label for Your Site.

  

Need additional help?

For assistance concerning site creation, content sharing, file synchronization, or other common SharePoint, OneDrive, Teams, or Office app activities, we recommend our Microsoft 365 Learning sites:

Learn more about the great tools our Microsoft 365 Learning sites offer!

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request. For password issues, you must call or visit the Help Desk in person.
