The Quiet Risk in Every Healthcare Tenant
Healthcare organizations are adopting Microsoft 365 Copilot at a rapid clip. The productivity gains are real — physicians drafting referral letters in seconds, administrators summarizing patient intake forms, care coordinators pulling together case notes from Teams chats. But underneath that convenience sits a compliance time bomb.
Microsoft Copilot inherits every permission in your Microsoft 365 tenant. It doesn't distinguish between a radiology report and a marketing flyer. If a user has access to a SharePoint site containing Protected Health Information (PHI), Copilot can surface that PHI in response to a natural language prompt. No special query required. No malicious intent needed.
The Office for Civil Rights (OCR) doesn't care whether the exposure was accidental. Under HIPAA's Security Rule (45 CFR § 164.312), covered entities must implement technical safeguards to control access to electronic PHI. An AI tool that can surface PHI to unauthorized users — or even authorized users in unauthorized contexts — is a compliance failure.
This article breaks down the specific HIPAA risks that Microsoft Copilot introduces in healthcare environments, and what your IT and compliance teams need to do before the next audit.
How Copilot Accesses PHI in Your Tenant
Copilot doesn't have its own permissions. It rides on the Microsoft Graph API, using the authenticated user's access token. Whatever that user can see, Copilot can retrieve and summarize.
In practice, this means:
- SharePoint document libraries containing clinical documentation, lab results, or treatment plans are fair game if the user has read access
- Teams channels used for care coordination — including message history and shared files — feed directly into Copilot's context window
- Exchange mailboxes with patient correspondence, referral letters, or insurance communications are indexed and searchable
- OneDrive folders where clinicians store working documents, even temporarily, become part of Copilot's data surface
The problem isn't that Copilot can access these resources. The problem is that most healthcare organizations haven't scoped permissions tightly enough for an AI tool that can synthesize information across all of them simultaneously.
A nurse who has access to a departmental SharePoint site, a Teams channel for shift handoffs, and their own OneDrive might never manually cross-reference data across all three. Copilot does it automatically. That cross-referencing capability turns minor permission oversights into major PHI exposures.
Five Specific HIPAA Risks
1. Minimum Necessary Standard Violations
HIPAA's Minimum Necessary Rule (45 CFR § 164.502(b)) requires that access to PHI be limited to the minimum amount needed for a specific purpose. Copilot violates this principle by design.
When a care coordinator asks Copilot to "summarize the latest on Patient X," it pulls from every data source the user can access. That might include billing information, mental health notes, substance abuse records, and HIV status — even if the coordinator only needed the discharge summary.
The AI doesn't apply the Minimum Necessary filter. It returns everything it finds relevant. Your organization is responsible for ensuring that doesn't happen.
2. Unauthorized Disclosure Through Prompt Responses
A physician asks Copilot: "What did we discuss about the Johnson case in last week's Teams meeting?" Copilot pulls the meeting transcript, summarizes the clinical discussion, and presents it. Sounds useful.
Now imagine a billing clerk asks: "Summarize recent discussions about the Johnson account." If that clerk has access to the same Teams channel — perhaps because channel permissions were set too broadly — Copilot returns clinical information that the clerk has no business seeing. The clerk didn't go looking for PHI. Copilot delivered it.
Under HIPAA, this constitutes an unauthorized disclosure. The fact that it was generated by an AI tool doesn't reduce liability. OCR's 2024 guidance on AI and HIPAA (published December 2024) explicitly states that covered entities are responsible for PHI access through AI systems, regardless of the technology's design.
3. Business Associate Agreement Gaps
Microsoft signed a Business Associate Agreement (BAA) covering Microsoft 365 services for healthcare customers. But the BAA's scope matters. As of early 2026, Microsoft's BAA covers Copilot for Microsoft 365 when used within eligible M365 services. However, the BAA places significant responsibility on the customer for:
- Configuring access controls appropriately
- Implementing data loss prevention (DLP) policies
- Ensuring sensitivity labels are applied to PHI
- Monitoring and auditing Copilot usage
If your organization hasn't configured these controls, the BAA doesn't protect you. Microsoft's responsibility ends at providing the tools. Your responsibility is using them correctly. Most healthcare IT teams haven't caught up to this reality.
4. Audit Trail Deficiencies
HIPAA requires covered entities to maintain audit trails for PHI access (45 CFR § 164.312(b)). Copilot interactions are logged in the Microsoft 365 Unified Audit Log and Microsoft Purview, but the granularity is limited.
You can see that a user interacted with Copilot. You can see which files were referenced. But reconstructing exactly what PHI was surfaced in a Copilot response — and whether that access was appropriate — requires significant forensic effort.
During an OCR investigation or breach assessment, you need to demonstrate that PHI access was authorized and appropriate. Copilot's current logging makes this harder than it should be. Healthcare organizations need supplementary monitoring through Microsoft Purview's compliance tools to close the gap.
5. Substance Abuse and Mental Health Record Protections
42 CFR Part 2 imposes stricter protections on substance use disorder (SUD) records than standard HIPAA rules. These records require specific patient consent for each disclosure. State laws add additional protections for mental health records, HIV/AIDS status, and genetic information.
Copilot doesn't know about 42 CFR Part 2. It doesn't check whether a document contains SUD records before including it in a summary. If your organization stores SUD treatment records anywhere in Microsoft 365 — and most healthcare organizations do — Copilot can surface them to any user with file-level access.
This isn't a theoretical risk. It's a predictable consequence of deploying a general-purpose AI tool in a regulated environment without proper data classification.
What Healthcare IT Must Do Before Copilot Rollout
Conduct a PHI Data Map
Before enabling Copilot for any user, you need a complete inventory of where PHI lives in your Microsoft 365 tenant. This means:
- Every SharePoint site containing clinical, billing, or administrative PHI
- Every Teams channel used for patient care coordination
- Every shared mailbox handling patient correspondence
- Every OneDrive folder where clinicians store working files
You can't protect what you can't find. Start with a SharePoint permissions audit and expand from there. Microsoft Purview's Data Map can automate discovery, but manual verification is essential for healthcare-specific content types.
Apply Sensitivity Labels to All PHI
Sensitivity labels are your primary technical control for preventing Copilot from surfacing PHI inappropriately. At minimum, create labels for:
- PHI — General: Standard patient records, correspondence, administrative documents
- PHI — Restricted: Mental health, SUD, HIV/AIDS, genetic information
- PHI — Research: De-identified or limited data sets used for research purposes
Configure auto-labeling policies to detect common PHI patterns: MRN formats, ICD-10 codes, patient name + date of birth combinations. Auto-labeling isn't perfect, but it catches the bulk of unlabeled content that manual processes miss.
Implement Role-Based Copilot Access
Don't enable Copilot for your entire organization on day one. Use Entra ID groups and Conditional Access policies to control who gets Copilot and under what conditions:
- Phase 1: Administrative staff (low PHI exposure) — test productivity gains and identify permission issues
- Phase 2: Clinical leadership — controlled rollout with monitoring
- Phase 3: Frontline clinicians — only after permission remediation is complete
Each phase should include a 30-day monitoring period using Purview audit logs before expanding access.
Configure DLP Policies for Copilot
Data Loss Prevention policies can block Copilot from processing content that matches sensitive information types. Configure DLP policies that:
- Detect PHI patterns (SSNs, MRNs, clinical terminology clusters)
- Block Copilot from summarizing content with "PHI — Restricted" sensitivity labels
- Alert compliance teams when Copilot interactions involve high-sensitivity content
- Log all policy matches for audit purposes
Microsoft expanded DLP support for Copilot in late 2025, but the policies require manual configuration. They don't deploy themselves.
Establish Copilot-Specific Policies in Your HIPAA Program
Your HIPAA policies and procedures need to address Copilot explicitly. Update your:
- Risk Assessment: Include Copilot as a PHI access vector
- Workforce Training: Teach staff what Copilot can access and how to use it responsibly
- Incident Response Plan: Define procedures for Copilot-related PHI exposures
- Business Associate Management: Verify Microsoft's BAA covers your Copilot usage
OCR auditors will look for evidence that your organization assessed and mitigated AI-related risks. "We didn't think about it" is not a defensible position.
The Real-World Consequences
HIPAA violations carry penalties ranging from $100 to $50,000 per violation, with annual maximums up to $2,067,813 per violation category (2026 adjusted amounts). But the financial penalties are often the least of it.
A PHI breach through Copilot triggers:
- Breach notification requirements: Individual notifications to affected patients, HHS notification, and potentially media notification for breaches affecting 500+ individuals
- OCR investigation: Which will examine your entire HIPAA program, not just the Copilot configuration
- Class action litigation: Patients whose PHI was exposed will sue, and "our AI tool did it" won't reduce damages
- Reputation damage: In healthcare, trust is everything. A Copilot-related data breach makes national news
The February 2026 Copilot DLP incident at a major financial services firm demonstrated how quickly AI-related data exposures escalate. Healthcare organizations handling PHI face even higher stakes.
Copilot Can Work in Healthcare — With Guardrails
None of this means healthcare organizations should avoid Copilot. The productivity gains for clinical documentation, care coordination, and administrative workflows are substantial. But the deployment must be deliberate, phased, and compliance-first.
The organizations that will succeed are the ones treating Copilot deployment as a compliance project first and a productivity project second. The ones that skip the governance work will become case studies in what not to do.
Your EHR vendor spent years building HIPAA-compliant access controls. Microsoft 365 needs the same level of attention before you let an AI tool loose on your tenant.
Take Action Now
Don't wait for an OCR audit to discover your Copilot permissions are wrong. Run a free scan of your Microsoft 365 environment to identify PHI exposure risks before Copilot surfaces them.