
Is Excel HIPAA compliant?

2025-08-03 // Mark Tressler

Excel is not HIPAA compliant by default. Excel can be HIPAA compliant, but only under the right conditions - within Microsoft 365 under a signed BAA, with encryption, access control, auditing, DLP, retention, and user training all in place. Using desktop Excel and storing files locally unencrypted is not HIPAA compliant.

If you need to work in HIPAA compliant spreadsheets, consider using Row Zero. Row Zero is a HIPAA compliant spreadsheet application with advanced security features to help enforce HIPAA compliance. Row Zero is a secure alternative to Excel and Google Sheets for healthcare organizations and large enterprises.

In this guide, we'll cover several topics including:

Is Excel HIPAA compliant?

Excel is not HIPAA compliant by default, so if you are just using a basic version of Excel on your computer, it is likely not HIPAA compliant. Excel can be HIPAA compliant, but only under the right conditions. HIPAA compliance depends on the storage and sharing environment, as well as how Excel is used. Even if Excel is set up to be HIPAA compliant, employees may still use Excel in a way that violates HIPAA compliance. Below we outline some ways that Excel use may violate HIPAA along with ways to make Excel HIPAA compliant.

How can using Excel violate HIPAA?

There are many ways people may use Excel that could violate HIPAA compliance. Here are a few potential HIPAA violations:

  1. Using Excel for handling PHI without a signed BAA - You need a signed Business Associate Agreement (BAA) with every tool or service provider that touches PHI, and Microsoft is the provider of Excel and of the storage behind it.

  2. Unencrypted Excel files - Saving Excel files containing PHI to a computer, file server, or removable drive that is not encrypted. PHI at rest must be protected by encryption (full-disk or file-level) so that a lost or stolen device does not become a reportable breach.

  3. Emailing spreadsheets with PHI – You cannot send Excel attachments unencrypted.

  4. Downloading, copying, sharing, or copy and pasting any data containing PHI from Excel to another tool or service that is not covered by a signed BAA. This includes tools used within the organization as well as personal accounts, devices, or communication channels outside the enterprise.

  5. Public or broad sharing - you must restrict access by user and enforce role-based permissions so that only authorized personnel see the data they are authorized to see.

  6. No access logs – Not tracking who opened or edited the file. You should store Excel in SharePoint/OneDrive Enterprise with auditing enabled.

  7. Excessive PHI in Excel files – Including names, SSNs, addresses, or dates of birth when the task does not require them. HIPAA's "minimum necessary" rule means PHI should be used only when needed, and data should be de-identified or pseudonymized where possible.

  8. Improper disposal of Excel files with PHI - You need to use secure wipe tools and enforce retention policies (for example automatically delete Excel files after a certain amount of time).

  9. Unauthorized add-ons/integrations/macros – Any tool used in conjunction with Excel and PHI must also be HIPAA compliant and be under a signed BAA.

  10. Untrained users – Even if Excel is set up to be HIPAA compliant, employees may still violate HIPAA by mishandling PHI in spreadsheets due to lack of training. You should provide spreadsheet-specific HIPAA compliance rules and training.

How to make Excel HIPAA compliant

While basic Excel is not HIPAA compliant by default, you can set up Excel to be HIPAA compliant. Below we outline some steps to take, but it's always important to have legal and security professionals regularly review your particular setup and use case to ensure you are maintaining HIPAA compliance with Excel.

1. Use the right Microsoft platform and version of Excel:

  • Don't use the standalone desktop Excel app or save Excel files to your computer unencrypted. The standalone Excel desktop app does not include HIPAA compliance features by default.
  • Use Microsoft 365 Enterprise / OneDrive / SharePoint so that Excel files are encrypted in transit and at rest.
  • Sign a BAA with Microsoft (offered on its commercial/enterprise Microsoft 365 plans; confirm your specific plan is covered before storing PHI) along with any other tools or services you'll use in conjunction with Excel to handle PHI.
  • If you must use desktop Excel, use it only as an interface and save and sync files to OneDrive or SharePoint Online in conjunction with Microsoft 365.

2. Secure File Storage & Access

  • Store Excel spreadsheets in OneDrive for Business or SharePoint Online, not on personal devices or USB drives.
  • Require Multi-Factor Authentication (MFA) for all users accessing PHI spreadsheets.
  • Enforce role-based permissions (only grant access to those who need it).
  • Disable public or anonymous link sharing (“Anyone with the link”).
  • Ensure users can't copy or download data out of this setup onto their device (e.g. download a CSV or XLSX to their computer)
  • If you need to share an Excel file, share directly with a specific user in OneDrive/SharePoint (with MFA enabled) rather than emailing or exporting files.

3. Encryption

  • Ensure files are encrypted at rest (OneDrive/SharePoint handle this automatically).
  • Ensure all connections are encrypted in transit (HTTPS/TLS). This includes the path from the original data source where PHI is collected to your Excel file.
  • Require BitLocker (Windows) or FileVault (Mac) for local storage on endpoints.

4. Audit & Logging

  • Enable unified audit logging in the Microsoft Purview compliance portal (formerly the Microsoft 365 Compliance Center) and confirm it is actually recording events for SharePoint and OneDrive.
  • Track file access, edits, and downloads.
  • Set up alerts for unusual access patterns (e.g., mass downloads, access from unknown locations).

5. Data Loss Prevention (DLP)

  • Use Microsoft 365 DLP policies to detect and block PHI from being:
    • Sent via email
    • Shared externally
    • Or copied to non-compliant locations.
  • Set rules to prevent saving PHI spreadsheets to unmanaged devices.

6. Data Minimization & De-Identification

  • Apply the HIPAA “minimum necessary” rule — only use PHI that is necessary for the task.
  • Use de-identification or pseudonymization when possible (e.g. internal IDs instead of names). Note that a plain hash of an email address or SSN is not de-identification under HIPAA's Safe Harbor method: a re-identification code may not be derived from the individual's own information, and an unkeyed hash can be matched back by anyone who holds a list of the original values. A keyed HMAC with the key held outside the spreadsheet is a reasonable pseudonym, but the result is still PHI until a Safe Harbor or expert-determination review says otherwise.
  • Avoid free-text notes in spreadsheets that might accidentally contain PHI identifiers.
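The following PowerShell script is an added example of the pseudonymization step above; it is not from the original page and not Row Zero's or Microsoft's own code. It takes a constructed CSV export (the kind of file Excel would save), replaces the direct identifiers with a keyed HMAC pseudonym, generalizes dates, ages and ZIP codes the way Safe Harbor expects, and refuses to write the output if a direct identifier column survives. The patient rows, the random key, the output filename and the column names are all assumptions made for the example; in practice the key comes from a secret store, not from the script.

```powershell
# Added example (not from the original page): turning an Excel/CSV export of PHI into a
# pseudonymized working sheet. A plain SHA-256 of an email is NOT de-identification:
# anyone holding a list of patient emails can hash them and match rows, and HIPAA's Safe
# Harbor rule does not allow a re-identification code derived from the individual's data.
# Here the code is an HMAC under a key kept outside the spreadsheet, and the direct
# identifiers never reach the output. The sample rows and the key are constructed.

# In practice the key lives in a secret store (Key Vault, a vault-backed credential, etc.)
# and is never saved next to the data; it is generated here only so the example runs.
$keyBytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)

function ConvertTo-Pseudonym {
    param([string]$Value, [byte[]]$Key)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try {
        # Normalize so "Jane.Doe@Example.com" and "jane.doe@example.com" map to one ID
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Value.Trim().ToLowerInvariant())
        $hex   = [System.BitConverter]::ToString($hmac.ComputeHash($bytes)).Replace('-', '')
        return $hex.Substring(0, 32)   # 128 bits is plenty to avoid collisions
    } finally { $hmac.Dispose() }
}

# Constructed sample export; in practice: $rows = Import-Csv .\patients_export.csv
$rows = @'
email,name,ssn,zip,dob,visit_date,diagnosis_code
jane.doe@example.com,Jane Doe,123-45-6789,90210,1980-04-12,2025-06-01,E11.9
john.roe@example.com,John Roe,987-65-4321,10001,1931-11-30,2025-06-03,I10
'@ | ConvertFrom-Csv

# Direct identifiers that must not appear in the working sheet (a subset of the 18
# Safe Harbor identifiers). Dates and ZIP codes are kept only in generalized form.
$direct = 'email', 'name', 'ssn', 'dob'

$pseudonymized = foreach ($r in $rows) {
    $age = [int][math]::Floor(((Get-Date) - [datetime]$r.dob).Days / 365.25)
    [pscustomobject]@{
        patient_id     = ConvertTo-Pseudonym -Value $r.email -Key $keyBytes
        # Safe Harbor: ages over 89 must be aggregated into a single "90 or older" category
        age_band       = if ($age -ge 90) { '90+' } else { "$([math]::Floor($age / 10) * 10)s" }
        # Safe Harbor: first three ZIP digits, and only where that area holds > 20,000 people;
        # the population lookup is not included here, so check your ZIP3 list separately.
        zip3           = $r.zip.Substring(0, 3)
        # Safe Harbor: no date element finer than the year
        visit_year     = ([datetime]$r.visit_date).Year
        diagnosis_code = $r.diagnosis_code
    }
}

# Self-check: none of the direct identifier columns may survive into the output
$leaked = $pseudonymized[0].PSObject.Properties.Name | Where-Object { $direct -contains $_ }
if ($leaked) { throw "Direct identifiers leaked into output: $($leaked -join ', ')" }

$pseudonymized | Export-Csv -Path .\patients_working.csv -NoTypeInformation
$pseudonymized | Format-Table -AutoSize
```

The working sheet can be shared with analysts who do not need names, but whoever holds the key can still re-identify it, so the file and the key stay inside the BAA-covered environment; this script reduces PHI exposure under the minimum-necessary rule, it does not by itself produce a de-identified data set.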

7. Device & Session Security

  • Require use of corporate-managed devices with endpoint protection.
  • Enable automatic screen locks, inactivity timeouts, and auto log-outs.
  • Restrict access from unmanaged personal devices (via Intune or Conditional Access policies).

8. Retention & Disposal

  • Define retention policies for PHI spreadsheets.
  • Use Microsoft Purview Data Lifecycle Management (formerly Microsoft Information Governance) retention policies or retention labels to control how long files are kept and when they are deleted.
  • Ensure secure deletion (including emptying recycle bins and using wipe tools when necessary).

9. Training & Policies

  • Train users on HIPAA requirements specific to Excel use:
    • No emailing spreadsheets with PHI without encryption.
    • No saving PHI locally unless approved and encrypted.
    • No sharing spreadsheets outside approved channels.
    • No copying and pasting PHI out of Excel to an unapproved channel or tool.
    • Avoid entering PHI directly into Excel or using Excel as the system of record for PHI
  • Document policies and enforce them through Microsoft 365 Admin Center.

10. Review & Test Regularly

  • Perform periodic audits of Excel/OneDrive/SharePoint access permissions.
  • Test DLP rules to ensure PHI cannot leak.
  • Update policies as Microsoft releases new compliance features.
  • Have a legal and security professional who is familiar with your use case regularly review and audit your Excel use with PHI.

As you can see, there are many steps to make Excel HIPAA compliant and it is an ongoing process to maintain HIPAA compliance with Excel.
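The following PowerShell script is an added example of how the tenant-side controls from steps 2, 4, 5, 7 and 8 are set by a Microsoft 365 administrator; it is not from the original page and is neither Row Zero's nor Microsoft's own code. It assumes a tenant named contoso, an account holding the SharePoint Administrator and Compliance Administrator roles, the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules installed, and that a U.S. Social Security Number is the identifier you want DLP to key on. The policy names, the 6-year retention period and the download threshold are placeholders to replace with your own.

```powershell
# Added example (not from the original page): tenant-side controls for PHI in Excel files
# stored in SharePoint Online / OneDrive for Business. Run from an admin workstation.
# Assumptions: tenant "contoso"; the two modules below are installed; the account holds
# the SharePoint Administrator and Compliance Administrator roles. Every name and number
# below is a placeholder, not a value from the original page.

Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ExchangeOnlineManagement

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Connect-ExchangeOnline      # Exchange Online: unified audit log
Connect-IPPSSession         # Security & Compliance: DLP and retention

# --- Step 2: no "Anyone with the link" sharing; default to direct, view-only links
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View

# --- Step 7: unmanaged devices get web-only access with download/print/sync blocked.
# This only takes effect together with a matching Entra Conditional Access policy that
# uses app-enforced restrictions; configure that policy in the Entra admin center.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# --- Step 4: make sure unified audit logging is on (it is on by default in new tenants)
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# --- Step 5: DLP policy that blocks PHI spreadsheets from leaving the organization.
# "U.S. Social Security Number (SSN)" is a built-in sensitive information type; add the
# other identifiers your data actually contains (MRNs, insurance IDs) as further entries.
$policyName = 'PHI in spreadsheets'
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode Enable -Comment 'Blocks external sharing and email of spreadsheets containing PHI'

New-DlpComplianceRule -Name 'Block PHI shared outside the org' -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# --- Step 8: retain, then delete automatically after the period your policy defines.
# 2190 days (6 years) is a placeholder; your records-retention schedule governs.
$retentionName = 'PHI spreadsheets retention'
New-RetentionCompliancePolicy -Name $retentionName `
    -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Keep then delete' -Policy $retentionName `
    -RetentionDuration 2190 -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# --- Steps 4 and 10: a simple detection query. Who downloaded more than N files in the
# last 24 hours? Feed the result into your SIEM or an alert rather than reading it by hand.
$threshold = 50   # placeholder; tune to the baseline you observe in your tenant
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType SharePointFileOperation -Operations FileDownloaded -ResultSize 5000
$events | Group-Object -Property UserIds |
    Where-Object { $_.Count -gt $threshold } |
    Select-Object @{ n = 'User'; e = { $_.Name } }, @{ n = 'Downloads'; e = { $_.Count } } |
    Format-Table -AutoSize
```

Run the DLP policy in one of the test modes (`-Mode TestWithNotifications`) for a week before switching to `Enable`, and verify in the Purview activity explorer that it fires on a spreadsheet you seed with a test SSN; a DLP rule that never matches gives a false sense of compliance. MFA and the Conditional Access policy itself are configured in Microsoft Entra, not with these cmdlets.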

Row Zero - a HIPAA compliant Excel alternative

Row Zero is a HIPAA compliant spreadsheet application specifically built for security and big data performance. Row Zero locks spreadsheets in a secure cloud portal. There are no files. Spreadsheets are only accessible via secure login (e.g. SSO) and row-level security is enforced from the data warehouse, so users can only see data they are authorized to see. Organizations can restrict data export, sharing, and copy/paste. Row Zero also supports 1000x bigger data than Excel's limits, so teams can easily work with big data in a secure spreadsheet. Row Zero will sign a BAA upon request for Business and Enterprise tiers.

What is a BAA?

A BAA is a Business Associate Agreement, which is a contract between a HIPAA-covered entity (like a hospital or healthcare company) and a business associate (a third-party service provider) that performs services involving access to or storage of Protected Health Information (PHI). A BAA ensures the business associate handles and safeguards PHI according to HIPAA rules and the specific terms of the contract.

When do you need to sign a BAA?

A BAA must be signed by any organization that performs a service for a HIPAA covered entity that involves PHI. This includes software vendors, data storage, billing services, attorneys, consultants, etc.

Note that if any of these organizations use third-party tools like spreadsheets or cloud storage services to analyze, work with, or store the data, they also need a separate BAA with each tool provider that handles PHI (HIPAA calls these subcontractor BAAs). For example, if a consultant or attorney signs a BAA with a hospital and then uses Excel to work with the hospital's data, they would also have to sign a BAA with Microsoft to cover their use of PHI in Excel.

As a simple rule, any time an organization is using PHI in a spreadsheet, there must be a signed BAA between that organization and the spreadsheet provider.

Conclusion

Excel is not HIPAA compliant by default. Excel can be HIPAA compliant only if used within Microsoft 365 under a signed BAA, with encryption, access controls, audit logging and tracking, Data Loss Prevention (DLP), and user training all in place. Simply installing Excel on a desktop and storing files locally is not HIPAA compliant.

If your organization needs a HIPAA compliant spreadsheet, consider using Row Zero. Row Zero is a HIPAA compliant spreadsheet application with advanced security features to help enforce HIPAA compliance. Row Zero is a secure alternative to Excel and Google Sheets for enterprises and healthcare organizations. You can try Row Zero for free or schedule a demo to explore enterprise features.


Note: You should always have a legal and security team review your particular set up and use case to ensure that your spreadsheets are HIPAA compliant.

FAQs