Microsoft OneDrive can be used in a HIPAA-compliant manner when a HIPAA Covered Entity or Business Associate subscribes to a plan that supports HIPAA compliance, agrees to Microsoft’s Business Associate (Data Protection) Addendum, and configures and uses OneDrive to meet HIPAA requirements.
OneDrive is a file storage service used for document sharing and collaboration. When OneDrive is used for administrative and operational purposes that do not involve disclosures of Protected Health Information, HIPAA compliance is not implicated by the storage activity. When OneDrive is used to store or share files that contain Protected Health Information, the subscription plan and configuration determine whether the service can be used in compliance with the HIPAA Security Rule, the HIPAA Privacy Rule, and related requirements.
Microsoft’s Business Associate Agreement for in-scope services is provided through a standardized Data Protection Addendum for customers that identify as being covered by HIPAA. For qualifying enterprise and business subscriptions, acceptance of the Data Protection Addendum is commonly automatic because it is an addendum to the License Terms for Online Services. Under the Addendum, Microsoft limits uses and disclosures of Protected Health Information and implements safeguards to prevent unauthorized access. The Addendum also describes operational limits, including that Microsoft does not respond to patient access requests and does not report security incidents that do not result in a data breach.
A Business Associate Agreement and a business subscription do not, by themselves, make OneDrive compliant for Protected Health Information. HIPAA compliance depends on selecting a plan that includes the security measures required by the HIPAA Security Rule and on configuring features such as access controls and audit logging. Some plans may require add-ons or other configuration to support capabilities such as identity management or access reviews. Workforce training is also required so that personnel use OneDrive in a manner consistent with internal policies and do not create unauthorized copies of data outside the controlled environment.
OneDrive supports HIPAA compliance, but compliance is determined by the organization’s compliance program, configuration decisions, and the way OneDrive and any integrations are used for Protected Health Information.
Organizations that do not subscribe to an E5 or F5 business plan may need to purchase an add-on security or compliance plan to access the controls necessary to comply with HIPAA. Alternatively, if the
