Is Microsoft OneNote HIPAA Compliant?
Microsoft OneNote is HIPAA compliant and can be used to create, store, and share Protected Health Information (PHI) when an organization subscribes to a Microsoft 365 plan that supports HIPAA compliance and the OneNote app is configured to comply with the Security Rule. If these conditions are not met, organizations can still use OneNote, but not to create, store, or share PHI.
Microsoft OneNote is a digital note-taking application that can be used on smartphones, tablets, and desktop computers. The application can be used to create, store, and share to-do lists, screen grabs, and audio files. Healthcare professionals will no doubt see the appeal of OneNote, but care must be taken when using the application to avoid violations of HIPAA Rules.
Before any software or cloud platform can be used in connection with any electronic PHI (ePHI), it is first necessary to enter into a business associate agreement (BAA) with the software/platform provider. Adding ePHI to the application or sharing ePHI through it means the software/platform provider will be classed as a business associate. As such, the provider must ensure that appropriate security measures are incorporated into the platform to keep ePHI secure and prevent unauthorized access. Not all companies are willing to sign a BAA, although Microsoft does offer a BAA for many of its products.
Microsoft’s BAA covers many services in Microsoft 365 business plans, including OneNote and OneDrive for storing OneNote content. Data stored on OneDrive is protected by encryption, and Microsoft 365 business plans include access controls and meet HIPAA auditing requirements. Access logs can be obtained from Microsoft on request.
Microsoft 365 users are often targeted by cybercriminals seeking access to login credentials and the ePHI stored in Microsoft 365 accounts, so 2-factor authentication should be set up to prevent accounts from being accessed if credentials are compromised. Naturally, care should be taken when sharing any data through either OneNote or OneDrive. ePHI should only be shared with individuals authorized to view the information.
Is Microsoft OneNote HIPAA Compliant?
So, is Microsoft OneNote HIPAA compliant? Provided a BAA has been obtained from Microsoft, OneNote can be HIPAA compliant. However, obtaining a BAA from Microsoft is just one element of HIPAA compliance. It is up to each organization to subscribe to a Microsoft 365 plan that supports HIPAA compliance and to ensure that OneNote and associated products are configured correctly and are used in a HIPAA compliant manner.