Cloud Security for Home Health Agencies: Locking Down Microsoft 365 and Google Workspace

Obi Ibeto

Meta: Most home health agencies run on Microsoft 365 or Google Workspace with default configurations that leave critical HIPAA gaps. Here are the mandatory settings every agency must configure.

Microsoft 365 and Google Workspace have become the operational foundations of virtually every home health agency in the country — hosting email, scheduling documents, care coordination notes, billing correspondence, staff communications, and increasingly, clinical reference materials that contain patient information. They are also the two most consistently misconfigured systems I encounter when I assess home health agencies for the first time. Both platforms ship with default settings optimised for ease of deployment, not for HIPAA compliance. The gap between those defaults and what HIPAA actually requires is significant, consistent, and entirely closable — but only if someone takes the time to close it.

The assumption that a cloud platform subscription equals HIPAA compliance is one of the most expensive misconceptions in home health administration. Microsoft and Google maintain the infrastructure that runs their platforms. They do not configure the security settings that protect your agency's specific use of those platforms. That configuration is your responsibility — and the 2026 HIPAA mandatory requirements have made several previously optional configurations legally mandatory.

What Neither Platform Configures For You By Default

Before examining platform-specific settings, it is worth establishing what both Microsoft 365 and Google Workspace leave unconfigured in their standard deployments that directly affects HIPAA compliance:

  • Multi-factor authentication: Both platforms support MFA, but neither guarantees it for your tenant. Google Workspace does not enforce 2-step verification until an administrator turns enforcement on. Microsoft 365 tenants created since late 2019 ship with "security defaults" on, which do require MFA for every user, but any tenant that predates them, or where security defaults were switched off (which is necessary to use Conditional Access), has password-only sign-in until someone configures enforcement. In both cases, verify it rather than assume it: MFA for every user with ePHI access is a 2026 HIPAA mandatory requirement.
  • Data Loss Prevention: Both platforms include DLP capabilities that can scan outbound email for PHI patterns and block or quarantine messages containing unencrypted patient information. Neither configures DLP rules by default.
  • Email encryption for PHI: Neither platform automatically encrypts outbound email containing patient information. Encryption must be configured through DLP rules, transport rules, or sensitivity labels.
  • External sharing restrictions: Both platforms allow file sharing with external parties by default. Without configuration, a care coordinator can share a patient file with anyone using a shareable link — no authentication required from the recipient.
  • Audit log retention: Both platforms log user and administrator activity, but the default retention is far shorter than the six-year period HIPAA applies to its required documentation. Microsoft Purview Audit (Standard) keeps 180 days; most Google Workspace audit logs are kept for six months. Longer retention means either a higher licence tier or add-on, or exporting the logs on a schedule to a SIEM or archive the agency controls. Check the retention setting, and check that the export actually runs.

Microsoft 365: The Critical Configuration Items

Conditional Access and MFA Enforcement

Microsoft Entra ID (formerly Azure Active Directory) Conditional Access is the mechanism through which MFA is enforced in Microsoft 365. It requires an Entra ID P1 licence, which is included in Microsoft 365 Business Premium but not in Business Basic or Business Standard; those tiers get only the all-or-nothing security defaults. No Conditional Access policy requiring MFA exists until you create one. It must target all users and all cloud apps from every location, with exactly one exclusion: one or two emergency-access (break-glass) accounts with long random passwords stored offline and an alert on every sign-in, so that a mistaken policy cannot lock every administrator out of the tenant. Scoping the policy to sign-ins from outside the office network is a common but inadequate configuration: it leaves office workstations, and anyone who reaches the office network, with password-only access. Conditional Access cannot run alongside security defaults, so build the MFA policy in report-only mode first, confirm from the sign-in logs that it would have covered the sign-ins you expect, and switch it to enabled the moment security defaults are turned off, not a day later.

Microsoft Authenticator is the practical MFA method for most home health deployments. Number matching, which requires the user to type the number shown on the sign-in screen into the app before approving, defeats the MFA-fatigue attack that plain push notifications are vulnerable to (an attacker holding a stolen password sends approval prompts until a tired user taps Approve). Since 2023 Microsoft enforces number matching for every Authenticator push and it can no longer be disabled, so there is nothing to configure there. What you should still do, in the Entra admin centre under Protection > Authentication methods > Microsoft Authenticator, is enable the additional context (application name and sign-in location) shown with each prompt, and disable the SMS and voice-call methods, which are weaker. Be clear about the limit of number matching: it stops fatigue attacks, not phishing. An adversary-in-the-middle phishing page relays the real sign-in and the real number, and the user approves the attacker's session. Only phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) close that gap; Conditional Access can require them through an authentication strength, and you should require them at minimum for every administrator.
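The policy described above, expressed as the Microsoft Graph request body an administrator would submit, together with a linter that flags the gaps (location carve-outs, stray exclusions, report-only state) in any exported Conditional Access policy. This is an added example, not code from the article or from Microsoft; the break-glass object ID is an assumed placeholder, the "office only" policy is constructed to show the inadequate configuration, and nothing here contacts a tenant.

```python
"""Conditional Access policy builder and linter.

Added example, not the article's or Microsoft's code. The dict follows the Microsoft
Graph conditionalAccessPolicy schema accepted by
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
"""
import json

# Assumed placeholder for the emergency-access (break-glass) account's object ID.
BREAK_GLASS_IDS = frozenset({"00000000-0000-0000-0000-0000000000aa"})
# Microsoft's built-in "Phishing-resistant MFA" authentication strength.
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"


def mfa_everywhere_policy(break_glass_ids=BREAK_GLASS_IDS, phishing_resistant=False):
    """Require MFA for all users, all cloud apps, all locations; only break-glass is excluded."""
    grant = {"operator": "OR", "builtInControls": ["mfa"]}
    if phishing_resistant:
        # Swap the generic "mfa" control for a strength only FIDO2 keys, passkeys or WHfB satisfy.
        grant = {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}}
    return {
        "displayName": "HIPAA - Require MFA for all users, all apps, all locations",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": sorted(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # No "locations" condition on purpose: the office network gets no carve-out.
        },
        "grantControls": grant,
    }


def lint_mfa_policy(policy, break_glass_ids=BREAK_GLASS_IDS):
    """Return the ways an exported policy fails to put every ePHI user behind MFA (empty = clean)."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    grant = policy.get("grantControls") or {}

    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: report-only or disabled policies enforce nothing")
    if users.get("includeUsers") != ["All"]:
        findings.append("users.includeUsers must be ['All'], not a hand-picked group")
    stray = set(users.get("excludeUsers", [])) - set(break_glass_ids)
    if stray or users.get("excludeGroups") or users.get("excludeRoles"):
        findings.append("exclusions beyond the break-glass account leave those identities on password-only sign-in")
    if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
        findings.append("every cloud app must be in scope; an excluded app is an unprompted path to ePHI")
    loc = cond.get("locations") or {}
    if loc.get("excludeLocations") or loc.get("includeLocations") not in (None, ["All"]):
        findings.append("location scoping: sign-ins from excluded or unlisted networks never see an MFA prompt")
    if "mfa" not in grant.get("builtInControls", []) and not grant.get("authenticationStrength"):
        findings.append("grant controls require neither MFA nor an authentication strength")
    return findings


# Constructed example of the common but inadequate "MFA only outside the office" policy.
OFFICE_ONLY_POLICY = {
    "displayName": "Require MFA outside the office",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        # "AllTrusted" is Graph's identifier for every named location marked as trusted.
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    print(json.dumps(mfa_everywhere_policy(), indent=2))
    print("office-only policy findings:", lint_mfa_policy(OFFICE_ONLY_POLICY))
```

Export your tenant's policies with `GET /identity/conditionalAccess/policies` and run each one through `lint_mfa_policy`; a clean result for at least one enabled policy is the evidence an assessor will ask for.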

Microsoft Defender for Office 365 — Safe Links and Safe Attachments

Microsoft 365 Business Basic and Business Standard include only Exchange Online Protection, the baseline spam and malware filter. They do not include Safe Links (which rewrites URLs in email and re-checks each one at click time, so a link weaponised after delivery is still caught) or Safe Attachments (which detonates attachments in a sandbox before delivering them). Both are part of Microsoft Defender for Office 365 Plan 1, which comes with Microsoft 365 Business Premium or can be added to Basic and Standard. For home health agencies, where phishing email is the primary attack vector (and it is), moving to Business Premium is the single most impactful licensing change you can make: it also brings the Entra ID P1 licence that Conditional Access needs and Intune for device management. Licensing alone enables nothing, though. After the upgrade, turn on the Standard preset security policy in the Defender portal, or create Safe Links and Safe Attachments policies that cover every recipient domain, and confirm in the policy report that they are applied.

Microsoft 365 Data Loss Prevention for PHI

Microsoft 365 Business Premium (and any plan that includes Purview DLP) ships with a pre-built DLP policy template, "U.S. Health Insurance Act (HIPAA)", that scans email, SharePoint, OneDrive and Teams for the sensitive information types it bundles: US Social Security numbers, DEA numbers and ICD-9-CM/ICD-10-CM diagnosis codes. The Medicare Beneficiary Identifier is a separate built-in sensitive information type; add it to the rule, because MBIs appear in home health billing correspondence far more often than DEA numbers do. Understand what the rule keys on: a message that describes a patient without one of those identifiers is still PHI under HIPAA, and the template will not stop it. Creating the policy in the Microsoft Purview compliance portal takes well under an hour. Create it in test mode ("Test it out first", optionally with policy tips) and leave it there for two weeks so that you learn which legitimate workflows send PHI where, and who sends it unencrypted, before switching to "Turn it on right away". A rule that blocks on day one without that data stops referral and billing mail and gets switched off by whoever is shouted at first. For mail leaving the organisation, make the rule's action "encrypt" (Microsoft Purview Message Encryption, included in Business Premium) rather than a bare block wherever the business need is legitimate.
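To make concrete what the template matches and why the two-week test window matters, here is an added example (not the article's or Microsoft's code) that implements the three identifier checks a HIPAA DLP rule keys on, the validity rules that keep false positives down, and the test-mode versus enforce-mode decision over a batch of constructed outbound messages. The agency domain, the "[encrypt]" subject keyword (standing in for a transport rule that triggers message encryption) and the sample messages are all assumptions.

```python
"""PHI pattern detection and DLP decision logic. Added example; constructed data throughout."""
import re

AGENCY_DOMAIN = "example-homehealth.test"  # assumed agency domain
ENCRYPT_KEYWORD = "[encrypt]"              # assumed subject keyword that a transport rule maps to encryption

# SSN: area 000/666/9xx, group 00 and serial 0000 are never issued, so reject them.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# ICD-10-CM: letter + two digits, optional decimal part of 1-4 alphanumerics (I10, E11.9, S72.001A).
# Misses the handful of letter-in-third-position categories such as C4A; tune per your data.
ICD10_RE = re.compile(r"\b[A-Z]\d{2}(?:\.[0-9A-Z]{1,4})?\b")
# MBI: 11 characters in the fixed pattern N A AN N A AN N A A N N, letters never S L O I B Z,
# first digit never 0. Cards print it as 1EG4-TE5-MK73, so the dashes are optional.
_L, _AN = "[AC-HJKMNP-RT-Y]", "[AC-HJKMNP-RT-Y0-9]"
MBI_RE = re.compile(rf"\b[1-9]{_L}{_AN}\d-?{_L}{_AN}\d-?{_L}{_L}\d\d\b")


def scan_message(text):
    """Map each identifier type to the matches found; all-empty means no PHI pattern present."""
    return {"SSN": SSN_RE.findall(text), "ICD10": ICD10_RE.findall(text), "MBI": MBI_RE.findall(text)}


def dlp_decision(msg, enforce):
    """Mirror the HIPAA rule: PHI leaving the tenant unencrypted is audited in test mode and
    blocked in enforce mode; internal mail and mail already routed to encryption is allowed."""
    hits = scan_message(msg["subject"] + "\n" + msg["body"])
    leaves_tenant = not msg["to"].lower().endswith("@" + AGENCY_DOMAIN)
    encrypted = ENCRYPT_KEYWORD in msg["subject"].lower()
    if not any(hits.values()) or not leaves_tenant or encrypted:
        return "allow", hits
    return ("block" if enforce else "audit"), hits


def run_policy(messages, enforce=False):
    """{subject: action} for a batch; in test mode this is what you read for two weeks."""
    return {m["subject"]: dlp_decision(m, enforce)[0] for m in messages}


# Constructed outbound messages. The SSN and MBI are the well-known format samples, not real people.
SAMPLE_MESSAGES = [
    {"subject": "Plan of care update - J. Doe", "to": "intake@partner-ehr.test",
     "body": "Patient SSN 123-45-6789, dx E11.9, MBI 1EG4-TE5-MK73, start of care 03/01."},
    {"subject": "[encrypt] Plan of care update - J. Doe", "to": "intake@partner-ehr.test",
     "body": "Patient SSN 123-45-6789, dx E11.9, MBI 1EG4-TE5-MK73, start of care 03/01."},
    {"subject": "Coverage for Friday", "to": f"rn.smith@{AGENCY_DOMAIN}",
     "body": "Can you take the E11.9 visit on Elm St? Chart is in the EHR."},
    {"subject": "Room I10 supplies", "to": "orders@supplies.test",
     "body": "Please restock room I10 before Friday."},   # false positive: I10 is a room, not a diagnosis
]

if __name__ == "__main__":
    for subject, action in run_policy(SAMPLE_MESSAGES).items():
        print(f"{action:5}  {subject}")
```

The fourth message is the reason for the test window: "I10" is a valid ICD-10-CM code and also a room number, and only the audit log tells you how often your agency's real traffic trips patterns like that.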

SharePoint and OneDrive External Sharing Restrictions

The organisation-level SharePoint and OneDrive external sharing setting ships at its most permissive level, "Anyone", which allows links that work for any recipient with no sign-in. For home health agencies where clinical staff keep care plan documents, OASIS templates or anything else containing patient information in SharePoint or OneDrive, that default is a HIPAA violation waiting to happen: an "Anyone" link in a forwarded email is PHI disclosed to whoever holds the link, with no record of who opened it. In the SharePoint admin centre (Policies > Sharing), lower the setting to "Existing guests" or "New and existing guests", which forces the recipient to authenticate, and restrict sharing to an allow list of the domains you actually exchange files with (your EHR vendor, your billing company, your clinical partners); choose "Only people in your organization" if your operations do not require external sharing at all. Set the default link type to "Specific people" so that a hurried share does not fall back to the widest option the tenant permits, and apply the same or a tighter limit at the site level for any library that holds PHI. OneDrive cannot be more permissive than SharePoint, so the tenant-level restriction covers both.

Google Workspace: The Critical Configuration Items

Google Workspace for Healthcare and the BAA Requirement

Google's BAA is not signed automatically, and not every Google account qualifies for one. It is offered for paid Google Workspace editions (Business Starter, Business Standard, Business Plus and the Enterprise editions among them), but it only takes effect once a super administrator accepts it in the Admin console under Account > Legal and compliance, where the covered core services are listed. Confirm that acceptance before any ePHI enters Gmail, Google Drive, Google Meet or any other Workspace application, and keep PHI inside the services the BAA names. A legacy free G Suite account or a consumer Gmail address used for agency business has no BAA at all; an agency operating that way is outside HIPAA regardless of how carefully it configures the account.

2-Step Verification Enforcement

Google Workspace administrators enforce 2-step verification (2SV, Google's term for MFA) in the Admin console under Security > Authentication > 2-step verification, per organisational unit or group. Enforcement can start after a grace period for enrolment; once it ends, users who have not enrolled are locked out of Workspace applications until they do. Set the deadline, communicate it clearly and well in advance, and verify enrolment before the date rather than discovering the gaps on the morning it bites; the Admin console's user list and the Directory API both report, per user, whether they are enrolled and whether enforcement applies to them. Google Authenticator, Google prompt on a signed-in device, passkeys and hardware security keys are all supported, and the enforcement setting restricts which methods count. Choose "Any except verification codes via text, phone call" for staff, because SMS codes are both interceptable and phishable, and "Only security key" for administrators, since keys and passkeys are the only phishing-resistant option. Google prompt, which adds a number-matching step on sign-ins Google considers risky, is adequate for field staff, with the caveat that any approval-style prompt can be relayed by an adversary-in-the-middle phishing page.
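The enrolment check before the deadline, as an added example rather than the article's or Google's own code: it reads the fields the Admin SDK Directory API returns from `users.list` (`isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `isAdmin`, `suspended`) and reports who is not enrolled, which organisational units the enforcement policy misses, and which of the unenrolled are administrators. The user records are constructed, the domain is assumed, and the fetch helper (real endpoint and scope, but you must supply a bearer token from your own OAuth or service-account flow) is not called by the offline part.

```python
"""2-step verification enrolment audit from a Directory API users.list response. Added example."""
import json
import urllib.parse
import urllib.request

USERS_ENDPOINT = "https://admin.googleapis.com/admin/directory/v1/users"


def fetch_all_users(access_token):
    """Page through users.list with a bearer token (scope: admin.directory.user.readonly).
    The token comes from your own OAuth or service-account flow; not used offline."""
    users, page_token = [], None
    while True:
        params = {"customer": "my_customer", "maxResults": 500, "projection": "basic"}
        if page_token:
            params["pageToken"] = page_token
        req = urllib.request.Request(USERS_ENDPOINT + "?" + urllib.parse.urlencode(params),
                                     headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page.get("users", []))
        page_token = page.get("nextPageToken")
        if not page_token:
            return {"users": users}


# Constructed excerpt of a users.list response (assumed domain); only the fields read here are shown.
USERS_RESPONSE = {
    "kind": "admin#directory#users",
    "users": [
        {"primaryEmail": "admin@example-homehealth.test", "isAdmin": True, "suspended": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "orgUnitPath": "/"},
        {"primaryEmail": "rn.jones@example-homehealth.test", "isAdmin": False, "suspended": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "orgUnitPath": "/Clinical"},
        {"primaryEmail": "billing@example-homehealth.test", "isAdmin": False, "suspended": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "orgUnitPath": "/Office"},
        {"primaryEmail": "former.staff@example-homehealth.test", "isAdmin": False, "suspended": True,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "orgUnitPath": "/Clinical"},
        {"primaryEmail": "it.admin@example-homehealth.test", "isAdmin": True, "suspended": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "orgUnitPath": "/"},
    ],
}


def enrollment_report(response):
    """Summarise 2SV state for active users.

    isEnrolledIn2Sv: the user has registered a second factor.
    isEnforcedIn2Sv: an enforcement policy applies to the user (set on their OU or group).
    Suspended accounts are skipped: they cannot sign in, and un-suspending one is an IT action.
    """
    active = [u for u in response.get("users", []) if not u.get("suspended")]
    not_enrolled = sorted(u["primaryEmail"] for u in active if not u.get("isEnrolledIn2Sv"))
    not_enforced = sorted(u["primaryEmail"] for u in active if not u.get("isEnforcedIn2Sv"))
    # An unenrolled administrator is the account-takeover jackpot, so list them separately.
    admins_at_risk = sorted(u["primaryEmail"] for u in active
                            if u.get("isAdmin") and not u.get("isEnrolledIn2Sv"))
    unenforced_ous = sorted({u.get("orgUnitPath", "/") for u in active if not u.get("isEnforcedIn2Sv")})
    enrolled_pct = round(100 * (len(active) - len(not_enrolled)) / len(active), 1) if active else 100.0
    return {"active_users": len(active), "enrolled_pct": enrolled_pct, "not_enrolled": not_enrolled,
            "not_enforced": not_enforced, "unenforced_ous": unenforced_ous, "admins_at_risk": admins_at_risk}


def ready_for_deadline(response):
    """True only when every active user is enrolled and the enforcement policy reaches all of them."""
    report = enrollment_report(response)
    return not report["not_enrolled"] and not report["not_enforced"]


if __name__ == "__main__":
    print(json.dumps(enrollment_report(USERS_RESPONSE), indent=2))
    print("ready for enforcement deadline:", ready_for_deadline(USERS_RESPONSE))
```

Run it daily in the week before the deadline; the `unenforced_ous` list is the usual surprise, because enforcement set on the top-level OU does not reach an OU that has its own overriding setting.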

Gmail Confidential Mode and S/MIME Encryption

Gmail Confidential Mode lets a sender prevent forwarding, copying, printing and downloading, and set an expiry date. It is an access control on Google's copy of the message, not encryption: the recipient can still photograph the screen, and nothing about the message in transit changes. It is useful for sensitive internal notes; it is not a HIPAA transmission control. For PHI in email you need an actual encryption mechanism. Gmail already uses TLS in transit whenever the receiving server supports it, and Workspace can make that mandatory for named partner domains (Apps > Google Workspace > Gmail > Compliance > Secure transport (TLS) compliance), bouncing mail that cannot be delivered over TLS; that is the cheapest hardening for traffic to your EHR vendor and billing company. S/MIME encrypts the message content itself, but Google's hosted S/MIME requires an Enterprise Plus or Education edition plus a certificate for every user and correspondent, and because Google holds the keys it is not end-to-end in the strict sense. For a home health agency on a Business edition, a third-party encrypted email gateway that integrates with Gmail (Zix, Proofpoint and Virtru are common choices) provides recipient-authenticated encryption without certificate management; whichever you choose must itself be covered by a BAA.

Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.

Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment

Explore Home Healthcare Cybersecurity — shieldforce.io/home-healthcare

View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison
