Can HIPAA-Covered Entities Use OneDrive?

It is common practice today for covered entities to use cloud storage services. Is Microsoft OneDrive HIPAA compliant? Can it be used by covered entities? Many healthcare organizations are in fact already using Microsoft Office 365 Business Essentials. They use the included Exchange Online for email and OneDrive Online for storing and sharing files.

Microsoft OneDrive supports HIPAA compliance, and no HIPAA Rules are violated by using the service. It can be used to create, store and send files that contain patients’ electronic protected health information (ePHI). However, HIPAA-covered entities must first have a signed HIPAA-compliant business associate agreement (BAA) in place before using OneDrive.

Microsoft was one of the cloud service providers that agreed to sign a BAA with HIPAA-covered entities. The BAA is in fact offered through the Online Services Terms. The BAA applies to the following Microsoft services: OneDrive for Business, Azure, Azure Government, Dynamics 365, Cloud App Security, Microsoft Flow, Office 365, Intune Online Services, Power BI, PowerApps and Visual Studio Team.

Following the terms of the BAA, Microsoft agrees to:

  • set limitations on use and disclosure of ePHI
  • implement safeguards to stop inappropriate data use
  • report and provide consumers access to ePHI upon request as per the HIPAA Privacy Rule

The same or even stricter rules apply to PHI if subcontractors are used. Microsoft states that it has not obtained a HIPAA compliance certification. However, all the required security controls, such as data encryption at rest and in transit, are included in OneDrive to satisfy the HIPAA Security Rule. All services and software covered by the BAA have also been audited for Microsoft's ISO/IEC 27001 certification.

To further clarify the HIPAA compliance of OneDrive, Microsoft emphasized that signing the BAA is not all that is needed. Users of Microsoft services and software are responsible for making sure that the program configuration and use are compliant with HIPAA and the HITECH Act.

A HIPAA-covered entity needs to perform a risk analysis and evaluate the vendor's provisions and policies before using any cloud service. It must develop a risk management program that aligns with its policies, procedures and technologies. Some of the things a HIPAA-covered entity needs to do to ensure compliance are:

  • Use only strong passwords
  • Disable external file sharing
  • Limit access to trusted, whitelisted networks only
  • Share PHI with authorized individuals only
  • Terminate access automatically when employees no longer use OneDrive
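As an added example (not code from the article or from Microsoft's own guidance), the read-only PowerShell audit below checks the OneDrive for Business tenant settings that correspond to the last four items of the checklist. It assumes the SharePoint Online Management Shell module is installed and an admin account is available; `<tenant>` is a placeholder for your tenant name. Password policy lives in Azure AD and is outside this check.

```powershell
# Added audit example (not from the original article): read-only check of
# OneDrive for Business / SharePoint Online tenant settings against the checklist.
# Assumes the Microsoft.Online.SharePoint.PowerShell module and a tenant admin
# account. <tenant> is a placeholder.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$tenant   = Get-SPOTenant
$findings = @()

# "Disable external file sharing": any value other than Disabled lets files
# that may contain ePHI be shared outside the organization.
if ($tenant.SharingCapability -ne 'Disabled') {
    $findings += "External sharing is '$($tenant.SharingCapability)'; expected 'Disabled'."
}

# "Limit access to trusted, whitelisted networks only": IP enforcement must be
# switched on and the allow list must not be empty.
if (-not $tenant.IPAddressEnforcement -or [string]::IsNullOrWhiteSpace($tenant.IPAddressAllowList)) {
    $findings += "IP address enforcement is off or the allow list is empty."
}

# "Share PHI with authorized individuals only": default links must never be
# anonymous ("anyone with the link") links.
if ($tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
    $findings += "Default sharing link type is 'AnonymousAccess'."
}

# "Terminate access automatically": guest access should expire on its own.
if (-not $tenant.ExternalUserExpirationRequired) {
    $findings += "Guest access does not expire automatically (ExternalUserExpirationRequired is off)."
}

# Guest accounts created before the policy was applied still need a review.
$guests = Get-SPOExternalUser -PageSize 50
if ($guests) {
    $findings += "$(@($guests).Count) external user account(s) still present; review and remove."
}

if ($findings.Count -eq 0) {
    Write-Output "All checked tenant settings match the checklist."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it periodically as part of the risk management program described above; each FINDING line maps back to one checklist item, so drift from the agreed configuration is visible without changing any setting.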