Is Microsoft OneDrive HIPAA Compliant?

Many organizations in the healthcare industry take advantage of cloud storage services because of their convenience and cost-effectiveness. Microsoft OneDrive is one of the most popular cloud storage services as it is included in all Microsoft business subscriptions; but is OneDrive HIPAA compliant and suitable for storing Protected Health Information (PHI) in the cloud?

The answer to the question “is OneDrive HIPAA compliant?” is that no cloud service – by itself – is HIPAA compliant. Compliance depends on the software’s capabilities to support compliance, how those capabilities are configured, and how the software is used. Additionally, in order to be HIPAA compliant, a Business Associate Agreement (BAA) must be in place with the vendor.

OneDrive Supports HIPAA Compliance

OneDrive supports HIPAA compliance inasmuch as some (but not all) Microsoft business plans include capabilities that can be configured to comply with HIPAA. Therefore, OneDrive can be described as HIPAA compliant subject to which controls are included in the business package (e.g., identity management, access controls, event logs, etc.) and how those controls are configured and used. It is not HIPAA compliant “out of the box”.

Therefore, if an organization subscribes to a Microsoft business plan that does not include the controls necessary to make OneDrive HIPAA compliant, there are three options: upgrade the existing plan to one that includes the necessary controls, purchase the controls as add-ons to bring the existing plan up to the required standard, or do not use Microsoft OneDrive to store and share files containing PHI.

How OneDrive is Used is Important

With regard to how OneDrive is used, once access, editing, and sharing permissions have been configured, it is important to be aware that these configurations are only enforced when there is an Internet connection to the cloud. Consequently, members of remote workforces need to be trained in what to do if there is no Internet connection, or if they inadvertently create or edit a file containing PHI and save the file to a local device.

It is also important that members of the workforce have a channel of communication for raising compliance issues with someone responsible for HIPAA compliance. It can be the case that managers or IT helpdesks answer compliance questions with what they think is the right thing to do. However, if issues and concerns are resolved with shortcuts, shortcuts can become the cultural norm – which can be difficult to reverse without substantial retraining.

Microsoft’s Business Associate Agreement

When healthcare organizations subscribe to a Microsoft business plan or the Microsoft Cloud for Healthcare, a Business Associate Agreement is automatically included in the License Terms for Online Services. Because Microsoft provides standard, multi-tenant services to all healthcare organizations, the company does not enter into individual agreements; healthcare organizations have to accept Microsoft’s BAA as a condition of service.

As with so many aspects of making OneDrive HIPAA compliant, it is important that healthcare organizations review the BAA to ensure they agree with its terms, as a few of them may be contentious for some organizations (e.g., the lack of response to patient access requests). Any organization unsure about what it is committing to by agreeing to Microsoft’s BAA – or concerned about any other requirement for making OneDrive HIPAA compliant – should seek professional compliance advice.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA