Many organizations use Microsoft 365 as a low-cost substitute for specialized software, whether it’s a law firm managing clients or a construction firm tracking projects. In some of these cases, Microsoft 365 might not be as robust or easy to use as a purpose-built app. However, for healthcare policy management, Microsoft 365 is arguably as good as anything else on the market.

Healthcare organizations need to keep policies organized, up to date, and accessible in order to mitigate risks and comply with legal guidelines. And Microsoft 365 offers security, retention, version control, and automation features that cover all those requirements.

Formatted Policy Library in SharePoint

  • Security – While everyone in your organization should have access to read policies, it’s critical to control who has permission to edit. Microsoft 365 makes this fairly straightforward by allowing you to add users to security groups then assigning the group permissions at various levels.

    That said, rather than trying to manage permissions for individual files, it’s typically best to set permissions for a library, folder, or document set, then place documents in the appropriate location. For example, you can create a library with one folder* for external regulations and another for internal guidelines. Then you could give your medical directors “edit” access to the internal guidelines folder while letting the compliance department manage the external regulations.

    *We actually recommend using document sets rather than folders in SharePoint libraries, but that is a topic for another article.

  • Retention – Some policies expire or require periodic review. Microsoft 365 supports this by letting you assign retention policies (for sites and libraries) or “retention labels” (for individual folders and documents) which can automatically archive or delete documents after a given period of time, or simply flag them for review.

    So, for instance, you could create a retention policy based on accreditation requirements and ensure policies are flagged prior to your next peer review. You could also define a retention label with a period of 5 years and apply it to any Department of Health guideline documents set to expire in that time.

  • Version Control – Perhaps the biggest challenge for healthcare policy management is making sure staff are referencing the most up-to-date version of a document. By placing policy files in a central SharePoint library and training everyone to go there instead of keeping copies on their local hard drive, you can largely eliminate version control issues. And SharePoint Online automatically retains all past versions of a file (up to 50,000) in case anyone has questions about how things might have changed.

    On a related note, you can use Microsoft 365’s permissions feature to keep the editable Word Online versions of policy / protocol documents in the same location as the “official” PDFs, and set it so only the people responsible for updating those documents see the editable files.

  • Automation – For some policies, you might be legally required to get acknowledgement / attestation that all impacted staff have read it. Microsoft 365 can help automate this process, allowing you to send an email or form via Power Automate with a link to the policy and buttons to let recipients “Acknowledge” or “Deny” the policy. The flow can add a record of each team member’s acknowledgement to a list for future reference.

    In a larger organization, the same basic functionality can also be used for management sign-off when drafting policies and guidelines in the first place.


None of this is to say that Microsoft 365 is a perfect policy management solution right out of the box. The open, configurable nature of the platform can create loopholes if you’re not careful.

For example, by default the “search” bar at the top of the Microsoft 365 interface will search everything the current user has access to, everywhere on your tenant. So if somebody is drafting a new version of your drug handling policy and neglects to lock down access, other employees might see the unapproved draft pop up in a search right next to the official version. This can be especially problematic with Microsoft Teams, which throws any file attached to a conversation into an associated SharePoint library, whether you want it to or not.

Fortunately, it’s possible to adjust the scope of the search bar to only look at certain approved libraries. Between that and careful structuring of permissions, it shouldn’t be too difficult to close the gaps in your policy management process.


Using Microsoft 365 for policy management can save healthcare organizations money without compromising on functionality. If you have further questions about policy management in SharePoint for your organization, we’d love to hear from you.