Building a HIPAA DLP Policy in the Office 365 Security & Compliance Center

TL;DR
- As of July 2018, Office 365 DLP lives in the Security & Compliance Center and can identify, monitor, and automatically protect sensitive information across Office 365.
- DLP detects PII such as credit card numbers, social security numbers, and health records, the kind of data regulations require you to keep from leaking.
- Microsoft ships predesigned policy templates, including a US Health Insurance Act (HIPAA) template, so you do not build detection logic from scratch.
- Advanced rules add exceptions, actions, user notifications, user overrides, and incident reports sent to admins on a match.
- Test a policy before full production, then use DLP reports to verify matches, false positives, and overrides over time.
Regulations and business standards both push the same requirement: keep sensitive information from leaking out by accident. The data in question is the obvious set, financial records and personally identifiable information such as credit card numbers, social security numbers, or health records. As of July 2018, a data loss prevention policy in the Office 365 Security & Compliance Center lets you identify, monitor, and automatically protect that information across Office 365. This is a step-by-step build of a HIPAA policy, from template to reporting.
Building the policy
Open the Security & Compliance Center
Go to Admin Centers > Security and Compliance Center.

Select Data Loss Prevention
Click the Data Loss Prevention tab and then click Policy.

Add a new policy
On the screen that pops up, click +Create a policy.

Choose a template
You can select from a list of predesigned policy templates or customize your own. For this example, create a policy for HIPAA compliance.

Select the HIPAA template
Go to Medical and Health > US Health Insurance Act and click Next.

Name and describe the policy
Give the policy a name and description.

Choose locations
Choose the locations where this policy should be active, whether that is Exchange Online, OneDrive, or SharePoint.

Open advanced settings
Click the "Use Advanced Settings" icon to create a new rule with more granular conditions. These rules include exceptions, actions to take when conditions are met, user notifications, user overrides, and incident reports sent to admins when a rule match occurs.


Tune the content detection
Get more granular still: add more content to the filter and choose whether to detect content shared inside or outside the organization.



Set the actions
Customize what happens when sensitive info is detected. Use notifications and overrides to educate users about DLP policies and help them stay compliant without blocking their work.

Stage the policy before production
Choose to test the policy before going into full production.

Review and create
Once you review your settings, click Create.

Verifying the policy with reports
Read the DLP charts
After you create and turn on your DLP policies, verify they are working as intended. DLP reports let you quickly view the number of policy and rule matches over time, plus the number of false positives and overrides.


Schedule recurring reports
Set up recurring reports to go out to the administrator of the account.

Frequently asked questions
Where is Office 365 DLP configured as of 2018?
In the Office 365 Security & Compliance Center, reached through Admin Centers > Security and Compliance Center, then the Data Loss Prevention tab. This predates the consolidation of these controls under Microsoft Purview.
Can you test an Office 365 DLP policy before enforcing it?
Yes. The policy creation flow includes a staging option that lets you test the policy before turning it on in full production, so you can see what it would catch without blocking users.
Which locations can an Office 365 DLP policy protect?
You choose the locations during setup, including Exchange Online, OneDrive, and SharePoint. A single policy can span multiple Office 365 workloads.
DLP is one control among hundreds
A HIPAA policy protects data in transit, but the rest of the tenant still drifts. CloudCapsule checks 250+ Microsoft 365 controls in 60 seconds and shows the compliance evidence you can hand an auditor.
Try a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


