HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Microsoft OneNote HIPAA Compliant?

Is Microsoft OneNote HIPAA compliant? Can OneNote be used by healthcare workers with protected health information without violating HIPAA Rules?

Microsoft OneNote is a digital note-taking application that runs on smartphones, tablets, and desktop computers. It can be used to create, store, and share notes, to-do lists, screen grabs, and audio recordings, and notebooks are synchronized through the cloud so that they are available on every device.

Healthcare professionals will no doubt see the appeal of OneNote, but care must be taken when using the application to avoid violations of HIPAA Rules.

Before any software or cloud platform can be used in connection with electronic protected health information (ePHI), a covered entity must first enter into a business associate agreement (BAA) with the software/platform provider. A vendor that creates, receives, maintains, or transmits ePHI on behalf of a covered entity is classed as a business associate, and adding ePHI to an application or sharing ePHI through it does exactly that. As a business associate, the vendor must implement appropriate safeguards to keep ePHI secure and prevent unauthorized access, and it becomes directly liable for certain HIPAA violations. Not all companies are willing to sign a BAA, although Microsoft does offer a BAA for many of its products.


Microsoft’s BAA covers Office 365, which includes OneNote and OneDrive for Business, where OneNote notebooks are stored. Data stored in OneDrive are encrypted at rest and in transit, and Office 365 provides the access controls and audit logging needed to support the HIPAA Security Rule. Administrators can review activity in the unified audit log from the Microsoft 365 admin tools rather than having to request logs from Microsoft.

Office 365 users are frequently targeted by cybercriminals seeking account credentials and the ePHI stored in Office 365 accounts, so multi-factor authentication (MFA) should be enforced for every account to prevent access if a password is phished or otherwise compromised. Care should also be taken when sharing data through either OneNote or OneDrive: ePHI should only be shared with individuals authorized to view the information, and sharing links that allow anonymous or organization-wide access should not be used for notebooks containing ePHI.
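The MFA requirement above is a tenant setting, not something each user opts into. The following PowerShell script is an added example, not code from the HIPAA Journal article or from Microsoft, showing one way to enforce it for all users with a Microsoft Entra Conditional Access policy via the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in administrator holds a role allowed to manage Conditional Access, and that the break-glass account ID is a placeholder to be replaced with a real emergency-access account.

```powershell
# Added example (not from the HIPAA Journal article): create a Microsoft Entra
# Conditional Access policy that requires MFA for all users on all cloud apps,
# using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the signed-in admin can manage
# Conditional Access; $breakGlassAccountId is a hypothetical placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Hypothetical placeholder: object ID of an emergency-access (break-glass) account.
# It is excluded so that a misconfigured policy cannot lock every administrator out.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "HIPAA - Require MFA for all users"
    # Start in report-only mode so the effect can be reviewed in the sign-in logs;
    # change to "enabled" once the impact has been confirmed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Create the policy and show what was created.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back by ID to confirm it exists and check its state.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object Id, DisplayName, State
```

Report-only mode is deliberate: it lets the administrator check the Entra sign-in logs for users who would have been blocked (for example, service accounts that cannot complete MFA) before the policy is switched to "enabled". The break-glass exclusion should be limited to one or two tightly monitored accounts with long, randomly generated passwords.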

Is Microsoft OneNote HIPAA Compliant?

So, is Microsoft OneNote HIPAA compliant? Provided a BAA has been obtained from Microsoft, OneNote can be used in a HIPAA compliant manner. However, obtaining a BAA from Microsoft is just one element of HIPAA compliance. It is up to the user to ensure that OneNote and the associated products (Office 365, OneDrive) are configured correctly and used in a HIPAA compliant manner. In particular, notebooks containing ePHI must be stored in the organization’s Office 365 tenant (OneDrive for Business or SharePoint), not in a personal consumer OneDrive account, since consumer Microsoft accounts are not covered by the enterprise BAA, and staff must be trained on what may and may not be placed in a notebook and with whom it may be shared.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.