Is Microsoft OneDrive HIPAA Compliant?


Microsoft OneDrive is a cloud storage service whose popularity has risen in recent years. Many healthcare organizations already use Microsoft Office 365 Business Essentials, including Exchange Online for email. Office 365 Business Essentials now includes OneDrive Online, a convenient platform for storing and sharing files. It avoids the traditional burdens of data storage, such as maintaining large on-premises databanks, which are costly to install and run.

Microsoft Supports HIPAA Compliance

Generally, HIPAA-covered entities can use Microsoft OneDrive and still comply with the Act’s rules. Microsoft supports HIPAA compliance, and many of its cloud services, including OneDrive, can be used in a safe and secure manner that maintains the integrity of ePHI.

However, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA).

Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities. It even offers a BAA through the Online Services Terms to make the process much more efficient. The BAA includes OneDrive for Business, as well as Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.

Under the terms of its business associate agreement, Microsoft agrees to place limitations on use and disclosure of ePHI. It further agrees to implement safeguards to prevent inappropriate use, report to consumers and provide access to PHI, on request, per the HIPAA Privacy Rule. Any subcontractors that Microsoft uses must comply with the same – or more stringent – restrictions and conditions with respect to PHI. All of this is agreed to when Microsoft signs the BAA. Provided this BAA is signed prior to the use of OneDrive for creating, storing, or sharing PHI, the service can be used without violating HIPAA Rules.

Microsoft explains that all appropriate security controls are included in OneDrive, and while no HIPAA compliance certification has been obtained, all the services and software covered by the BAA have been independently audited for Microsoft’s ISO/IEC 27001 certification. Appropriate security controls are included to satisfy the requirements of the HIPAA Security Rule, including encryption of data at rest and in transit to HIPAA standards. Microsoft uses 256-bit AES encryption, and SSL/TLS connections are established using 2048-bit keys.

Remaining HIPAA-Compliant Using OneDrive

However, the fact that Microsoft will sign a BAA does not by itself make OneDrive HIPAA compliant. There is more to compliance than using a specific software product or cloud service; the user must use the software in a manner that ensures HIPAA compliance is maintained. As Microsoft explains, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Prior to the use of any cloud service, a HIPAA-covered entity must conduct a risk analysis and assess the vendor’s provisions and policies. A risk management program must also be developed, using policies, procedures, and technologies to ensure risks are mitigated.

The CE must define access policies and ensure security settings are configured correctly. Strong passwords should be used, external file sharing should be disabled, access should be limited to trusted whitelisted networks, and PHI must only be shared with individuals authorized to view the information so that the CE does not violate HIPAA.

When PHI is shared, HIPAA’s “minimum necessary standard” applies. Logging should be enabled to ensure organizations have visibility into what users are doing with respect to PHI, and when employees no longer require access to OneDrive, such as when they leave the organization, access should be terminated immediately.
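The tenant settings described above (disabling external sharing, restricting access to trusted networks, and confirming that audit logging is on) can be applied and verified from PowerShell. The following is an added example, not Microsoft’s or the article’s own code; it assumes the SharePoint Online Management Shell and Exchange Online modules are installed, and the tenant URL and IP ranges are placeholders you must replace.

```powershell
# Added example: harden OneDrive for Business sharing settings and check audit logging.
# Assumes Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement are installed
# and the account running this is a SharePoint/Exchange administrator.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ExchangeOnlineManagement

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL

# Record the current sharing posture before changing anything (useful evidence for the risk analysis).
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
                                        IPAddressEnforcement, IPAddressAllowList
Write-Host "Before:"; $before | Format-List

# Weak posture (for contrast only, not applied): external and anonymous guest sharing,
# no network restriction.
#   Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing -IPAddressEnforcement $false

# Hardened posture matching the guidance above: no external sharing, links only resolve
# for specifically named users, and access only from whitelisted corporate ranges.
$hardened = @{
    SharingCapability      = 'Disabled'              # disable external file sharing tenant-wide
    DefaultSharingLinkType = 'Direct'                # new links target specific people only
    IPAddressEnforcement   = $true                   # enforce the allow list below
    IPAddressAllowList     = '203.0.113.0/24,198.51.100.0/24'   # placeholder (RFC 5737) ranges
}
Set-SPOTenant @hardened

# Verify the change took effect.
$after = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
                                       IPAddressEnforcement, IPAddressAllowList
if ($after.SharingCapability -ne 'Disabled' -or -not $after.IPAddressEnforcement) {
    throw "OneDrive sharing hardening did not apply as expected"
}
Write-Host "After:"; $after | Format-List

# Confirm unified audit logging is enabled so file and sharing activity on PHI is visible,
# then pull the last week of OneDrive sharing events for review.
Connect-ExchangeOnline
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType OneDrive -Operations SharingSet,AnonymousLinkCreated -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
```

Run the same Get-SPOTenant check on a schedule so configuration drift (for example, a later re-enabling of external sharing) is caught rather than discovered after a disclosure.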

If all of these precautions are taken, then a CE can use OneDrive as a secure cloud storage service while remaining HIPAA compliant.