With the proliferation of cloud storage coming at the same time that HIPAA Compliance Rules have become increasingly strict in order to secure private data, organizations are beginning to ask whether Microsoft OneDrive is HIPAA compliant.
A multitude of healthcare groups are already using Microsoft Office 365 Business Essentials, including Microsoft Exchange Online for email. Office 365 Business Essentials includes OneDrive Online, which is a user-friendly platform for storing and sharing information and files.
There is certainly no issue with HIPAA-covered bodies using OneDrive. Microsoft supports HIPAA-compliance and many of its cloud services, including OneDrive, can be used without breaching HIPAA Rules.
That said, before OneDrive – or any cloud service – can be implemented to create, store, or send files containing the electronic protected health information (ePHI) of patients, HIPAA-covered entities must receive and sign a HIPAA-compliant business associate agreement (BAA).
Microsoft was one of the first wave of cloud service suppliers to agree to a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA covers usage of OneDrive for Business, as well as Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.
As per the terms of its business associate agreement, Microsoft agrees to place restrictions on the use and disclosure of ePHI, implement safeguards to stop inappropriate use, report to consumers and provide access to PHI, on request, per the HIPAA Privacy Rule. Microsoft will also ensure that if any subcontractors are employed, they will comply with the same – or more stringent – restrictions and conditions with respect to PHI.
Provided the BAA is completed prior to the use of OneDrive for creating, storing, or sharing PHI, the service can be used without breaching HIPAA Rules.
Microsoft explains that all required security controls are included in OneDrive, and while HIPAA compliance certification has not been awarded, all of the services and software covered by the BAA have been independently audited for the Microsoft ISO/IEC 27001 certification.
Appropriate security controls are incorporated to meet the requirements of the HIPAA Security Rule, including the encryption of data at rest and in transit to HIPAA standards. Microsoft uses 256-bit AES encryption, and SSL/TLS connections are established using 2048-bit keys.
However, the fact that Microsoft will sign a BAA does not mean OneDrive is HIPAA compliant. There is more to compliance than putting a specific software or cloud service in use. Microsoft supports HIPAA compliance, but HIPAA compliance depends on the actions of the people using it. As Microsoft says, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”
Prior to the implementation of any cloud service, a HIPAA-covered body must complete a risk analysis and assess the vendor’s provisions and policies. A risk management program must also be formulated, using policies, procedures, and technologies to ensure risks are mitigated.
Access policies must be established and security measures configured properly. Strong passwords should be used, external file sharing should be switched off, access should be limited to trusted whitelisted networks, and PHI must only be shared with people authorized to view the information. When PHI is shared, the minimum necessary standard is applicable. Logging should be switched on to ensure organizations have visibility into what users are doing in relation to PHI, and when members of staff no longer require access to OneDrive, such as when they leave the organization, access should be disabled immediately.
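The tenant-level controls listed above (external sharing off, trusted-network restriction, logging on, access removed for leavers) can be applied and read back from PowerShell. This is an added example, not taken from the original article or from Microsoft guidance; it assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed, and the tenant URL, IP range and user name are constructed placeholders.

```powershell
# Added example: placeholder values, replace before use.
$AdminUrl  = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL
$AllowList = '203.0.113.0/24'                          # placeholder trusted range (documentation prefix)
$Leaver    = 'former.employee@contoso.example'         # placeholder departed user

Connect-SPOService -Url $AdminUrl

# 1. Switch off external file sharing for SharePoint and OneDrive.
Set-SPOTenant -SharingCapability Disabled

# 2. Limit access to trusted networks.
#    The allow list must contain the address this session comes from,
#    otherwise enforcement locks the administrator out as well.
Set-SPOTenant -IPAddressAllowList $AllowList -IPAddressEnforcement $true

# 3. Switch on the unified audit log so file and sharing activity is recorded.
Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# 4. Leaver: end every active session immediately.
#    Blocking sign-in for the account itself is a separate step in the directory.
Revoke-SPOUserSession -User $Leaver -Confirm:$false

# Read the settings back and keep the output as evidence for the risk analysis.
Get-SPOTenant |
    Select-Object SharingCapability, IPAddressEnforcement, IPAddressAllowList
Get-AdminAuditLogConfig |
    Select-Object UnifiedAuditLogIngestionEnabled
```

Audit log ingestion can take some time to take effect after it is enabled, so confirm that events actually appear before relying on the log.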
Microsoft OneDrive can be implemented without breaching HIPAA Rules and Microsoft supports HIPAA compliance, but ultimately HIPAA compliance is down to the covered body and how the service is configured and put into action.