OneDrive is HIPAA compliant and can be used to store, sync, and share files containing Protected Health Information provided organizations subscribe to a Microsoft 365 or Office 365 plan that supports HIPAA compliance and the file storage system is configured to comply with the Security Rule’s safeguards. It will also be necessary to enter into a Business Associate Agreement with Microsoft to make the use of OneDrive HIPAA compliant.
All Microsoft 365 and Office 365 business plans include OneDrive because it is a convenient cloud-based storage service that enables files to be accessed from any Internet-connected location and shared quickly and easily between individuals, teams, and collaborators.
For HIPAA covered entities and business associates, the question is OneDrive HIPAA compliant does not apply when the service is used to store files that do not contain Protected Health Information (PHI) – although other laws may apply to how sensitive data is stored and shared.
However, if the storage service is used just to store one file containing PHI, it is necessary to make OneDrive HIPAA compliant. This is not simply a case of adjusting a few settings. There are several stages to making OneDrive HIPAA compliant – including which business plan the organization subscribes to.
Get the FREE
HIPAA Compliance
Email Checklist
Learn How To Prevent All Email Related HIPAA Violations
Immediate Access
Privacy Policy
Making OneDrive HIPAA Compliant
In order to make OneDrive HIPAA complaint, the service must be configured to comply with the standards of the Security Rule – i.e., information access management, integrity controls, contingency planning, audits logs, transmission security, etc.
Not all Microsoft 365 and Office 365 business plans include all the controls required to make OneDrive HIPAA compliant, and it may be necessary to purchase an add-on security plan or upgrade an existing plan to one with the required capabilities and controls.
Thereafter, once the necessary controls have been configured to comply with the standards of the Security Rule, it is important that members of the workforce with access to OneDrive are trained in how to use OneDrive in compliance with HIPAA.
Most members of the workforce will have little difficulty understanding the technicalities of using OneDrive in compliance with HIPAA. However, it is important workforce members understand not to save files with PHI in the titles or include PHI in the subject field of links to shared files.
Microsoft’s Business Associate Agreement
A number of sources discussing how to make OneDrive HIPAA compliant dedicate a lot of the discussion to entering into a Business Associate Agreement with Microsoft. However, a standard Business Associate Agreement is automatically applied by Microsoft when a healthcare organization subscribes to a Microsoft 365 or Office 365 business plan.
While the automatic application of a Business Associate Agreement for all “in-scope services” eliminates the administrative burden of having to ensure an agreement is in place before OneDrive is used to store or share PHI, it is important that covered entities and business associates read the terms of the agreement to understand the respective obligations.
It is also important to be aware that Microsoft will not change any part of the Agreement to suit an organization’s requirements. Therefore, if you don’t like the fact that Microsoft will not respond to patient access requests or will not report all security incidents to covered entities (as required by §164.314) you may need to find another cloud storage service provider.
Is OneDrive HIPAA Compliant? Conclusion
In conclusion, rather than being HIPAA compliant, Microsoft OneDrive supports HIPAA compliance. Thereafter it is the responsibility of the covered entity or business associate to configure the service to comply with the standards of the Security Rule, train members of the workforce on the compliant use of OneDrive, and agree to the terms of the Business Associate Agreement.
If you have any questions about which Microsoft business plans support HIPAA compliance, or how the components of each plan should be configured to support HIPAA compliance, you should speak with Microsoft customer services. If you have any questions about training your workforce or navigating Microsoft’s Business Associate Agreement, you should seek professional compliance advice.
OneDrive and HIPAA Compliance: FAQ
What could happen if a CE used OneDrive without a BAA?
What could happen if a CE used OneDrive without a BAA depends on whether OneDrive is being used to store, sync, and share ePHI. If ePHI is being disclosed to Microsoft, it is a violation of HIPAA for which the CE would be liable for. (It is also a breach of Microsoft’s terms of service that could result in the termination of service). If no ePHI is being disclosed to Microsoft, it does not matter if OneDrive is used without a BAA,
What should be included in a BAA?
What should be included in a BAA depends on the service being provided for or on behalf of a CE. BAAs are written agreements that detail the responsibilities held by both the CE and BA in relation to the HIPAA-compliant use of PHI. The BAA will cover a number of topics, including but not limited to: how PHI can be used, who can access it, and what protections will be in place to ensure that it is not accessed by unauthorized individuals.
Must cloud services be encrypted to be HIPAA compliant?
Cloud services do not have to be encrypted to be HIPAA compliant. HIPAA does not stipulate exact protections that need to be in place for a CE to be HIPAA compliant. Rather, it establishes a set of minimum standards which must be met. Encryption, for example, is an “addressable” requirement, meaning that if an equivalently good protection can be implemented, encryption itself is not required.
What is ePHI?
ePHI is electronic Protected Health Information that is created, received, stored, or transmitted in connection with a health insurance transaction for which the Department of Health and Human Services has developed standards. In most cases, ePHI consists of individually identifiable health information relating to an individual’s health condition, treatment for the condition, or payment for the treatment. ePHI can also include any individually identifiable non-health information when it is maintained in the same designated record set as ePHI.
