Share this article on:
Is Microsoft OneNote HIPAA compliant? Can OneNote be used by healthcare workers with protected health information without violating HIPAA Rules?
Microsoft OneNote is a digital note taking application that can be used on smartphones, tablets, and desktop computers. The application can be used to create, store, and share to do lists, screen grabs, and audio files.
Healthcare professionals will no doubt see the appeal of OneNote, but care must be taken when using the application to avoid violations of HIPAA Rules.
Before any software or cloud platform can be used in connection with any electronic protected health information (ePHI), it is first necessary to enter into a business associate agreement with the software/platform provider. If ePHI is to be used, adding it to the application or sharing data through it means the software/platform provider will be classed as a business associate. As such, they must ensure that appropriate security measures are incorporated into the platform to keep ePHI secure and prevent unauthorized access. Not all companies are willing to sign a BAA, although Microsoft does offer a BAA for many of its products.
Microsoft’s BAA covers Office 365, which includes OneNote and OneDrive for storing OneNote content. Data stored on OneDrive are protected by encryption, and Office 365 includes access controls and meets HIPAA auditing requirements. Access logs can be obtained from Microsoft on request.
Office 365 users are often targeted by cybercriminals seeking access to Office 365 credentials and the ePHI stored in office 365 accounts, so 2-factor authentication should be set up to prevent accounts from being accessed if credentials are compromised. Naturally, care should be taken sharing any data through either OneNote or OneDrive. ePHI should only be shared with individuals authorized to view the information.
Is Microsoft OneNote HIPAA Compliant?
So, is Microsoft OneNote HIPAA compliant? Provided a BAA has been obtained from Microsoft, OneNote can be HIPAA compliant. However, obtaining a BAA from Microsoft is just one element of HIPAA compliance. It is up to user to ensure that OneNote and associated products (Office 365, OneDrive) are configured correctly and are used in a HIPAA compliant manner.