Skip to main content

Building a HIPAA DLP Policy in the Office 365 Security & Compliance Center

Nick Ross2 min read
Implementing Office 365 Data Loss Prevention

TL;DR

  • As of July 2018, Office 365 DLP lives in the Security & Compliance Center and can identify, monitor, and automatically protect sensitive information across Office 365.
  • DLP detects PII such as credit card numbers, social security numbers, and health records, the kind of data regulations require you to keep from leaking.
  • Microsoft ships predesigned policy templates, including a US Health Insurance Act (HIPAA) template, so you do not build detection logic from scratch.
  • Advanced rules add exceptions, actions, user notifications, user overrides, and incident reports sent to admins on a match.
  • Test a policy before full production, then use DLP reports to verify matches, false positives, and overrides over time.

Regulations and business standards both push the same requirement: keep sensitive information from leaking out by accident. The data in question is the obvious set, financial records and personally identifiable information such as credit card numbers, social security numbers, or health records. As of July 2018, a data loss prevention policy in the Office 365 Security & Compliance Center lets you identify, monitor, and automatically protect that information across Office 365. This is a step-by-step build of a HIPAA policy, from template to reporting.

Building the policy

Open the Security & Compliance Center

Go to Admin Centers > Security and Compliance Center.

Security and Compliance Center

Select Data Loss Prevention

Click the Data Loss Prevention tab and then click Policy.

Data Loss Prevention tab

Add a new policy

On the screen that pops up, click +Create a policy.

Create a policy

Choose a template

You can select from a list of predesigned policy templates or customize your own. For this example, create a policy for HIPAA compliance.

Policy templates

Select the HIPAA template

Go to Medical and Health > US Health Insurance Act and click Next.

US Health Insurance Act template

Name and describe the policy

Give the policy a name and description.

Name and description

Choose locations

Choose the locations where this policy should be active, whether that is Exchange Online, OneDrive, or SharePoint.

Choose locations

Open advanced settings

Click the "Use Advanced Settings" icon to create a new rule with more granular conditions. These rules include exceptions, actions to take when conditions are met, user notifications, user overrides, and incident reports sent to admins when a rule match occurs.

Advanced settings
Rule conditions

Tune the content detection

Get more granular still: add more content to the filter and choose whether to detect content shared inside or outside the organization.

Content filter
Content detection settings
Inside or outside sharing

Set the actions

Customize what happens when sensitive info is detected. Use notifications and overrides to educate users about DLP policies and help them stay compliant without blocking their work.

Policy actions

Stage the policy before production

Choose to test the policy before going into full production.

Test mode staging

Review and create

Once you review your settings, click Create.

Review and create

Verifying the policy with reports

Read the DLP charts

After you create and turn on your DLP policies, verify they are working as intended. DLP reports let you quickly view the number of policy and rule matches over time, plus the number of false positives and overrides.

DLP reports chart
Policy match detail

Schedule recurring reports

Set up recurring reports to go out to the administrator of the account.

Recurring reports

Frequently asked questions

Where is Office 365 DLP configured as of 2018?

In the Office 365 Security & Compliance Center, reached through Admin Centers > Security and Compliance Center, then the Data Loss Prevention tab. This predates the consolidation of these controls under Microsoft Purview.

Can you test an Office 365 DLP policy before enforcing it?

Yes. The policy creation flow includes a staging option that lets you test the policy before turning it on in full production, so you can see what it would catch without blocking users.

Which locations can an Office 365 DLP policy protect?

You choose the locations during setup, including Exchange Online, OneDrive, and SharePoint. A single policy can span multiple Office 365 workloads.

DLP is one control among hundreds

A HIPAA policy protects data in transit, but the rest of the tenant still drifts. CloudCapsule checks 250+ Microsoft 365 controls in 60 seconds and shows the compliance evidence you can hand an auditor.

Try a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading