Is Microsoft OneDrive HIPAA Compliant?


Although OneDrive can be configured to support HIPAA compliance, there is more to making OneDrive HIPAA compliant than adjusting a few settings and entering into a Business Associate Agreement with Microsoft.

Many healthcare organizations subscribe to an Office 365 or Microsoft 365 business plan to access apps and services such as Word, Excel, and PowerPoint. OneDrive is included in most business plans because the cloud-based storage service provides an easy and convenient way to access and share files from any Internet-connected location.

When apps and services are used to create, store, or transmit Protected Health Information, it is necessary for the apps and services to be configured to comply with the HIPAA Security Rule. It is also necessary for the apps and services to be used in compliance with the HIPAA Privacy Rule, and for a Business Associate Agreement to exist between the organization and the software vendor.

When a healthcare organization subscribes to an Office 365 or Microsoft 365 business plan, Microsoft’s Business Associate Agreement is applied automatically. Therefore, the only thing a healthcare organization has to do to make OneDrive HIPAA compliant is to ensure safeguards such as access controls and audits logs are activated and staff are provided with adequate training.

The Challenge of Making OneDrive HIPAA Compliant

Making OneDrive HIPAA compliant is not particularly challenging for Covered Entities and Business Associates that subscribe to Microsoft’s top-of-the-market plans for business because the top-of-the-market plans include all the controls necessary to support HIPAA compliance. The controls only need be configured to comply with the Security Rule for OneDrive to be HIPAA compliant.

Organizations that do not subscribe to an E5 or F5 business plan may need to purchase an add-on security or compliance plan to access the controls necessary to comply with HIPAA. Alternatively, if the organization can take advantage of the additional apps and services in a top-of-the-market plan, it may be more cost-efficient to upgrade an existing plan to an E5 or F5 plan.

Potentially more challenging is training members of the workforce with access to OneDrive how to use the cloud storage service in compliance with HIPAA. The challenge is not necessarily due to members of the workforce failing to comply with Security Rule standards (i.e., by sharing login credentials), but more likely due to a failure to comply with the Privacy Rule.

In theory, Privacy Rule violations can occur when the title of a file includes PHI or PHI is used in the subject line of a link sharing a document stored in OneDrive. This is more likely to occur in the workplaces of Business Associates, whose workforce may not understand what PHI is because Business Associates are only required to provide security and awareness training.

Conclusion: Make Sure You Use OneDrive in Compliance with HIPAA

In most cases, ensuring a software solution is HIPAA compliant involves entering into a Business Associate Agreement with the software vendor, configuring the solution to comply with the safeguards of the Security Rule, and training members of the workforce to use the software solution in compliance with HIPAA. With OneDrive, the process is a little different.

As mentioned previously, healthcare organizations that subscribe to a Microsoft business account automatically enter into as Business Associate Agreement with Microsoft – regardless of whether any of the apps or “in-scope services” are going to be used to collect, store, or transmit PHI, and regardless of whether the plan includes the controls necessary to support compliance.

It is not difficult to purchase add-ons to ensure the necessary access controls and audit logs (etc.) can be configured so OneDrive complies with HIPAA, and potentially more of a challenge is ensuring members of the workforce use the cloud storage service compliantly. Therefore, if you have any doubts that your organization is using OneDrive in compliance with HIPAA, it is advisable to seek professional compliance advice.