
Is OneDrive HIPAA Compliant?

Microsoft OneDrive is HIPAA compliant provided covered entities subscribe to a plan that supports OneDrive HIPAA compliance, agree to the terms of Microsoft’s Business Associate (Data Protection) Addendum, and configure the file storage service to be used in compliance with HIPAA.  

Microsoft OneDrive is a convenient file storage service that facilitates document sharing and collaboration. Many healthcare organizations subscribe to a Microsoft or Office 365 business plan that includes OneDrive; and, when the file storage service is used for administrative and operational purposes that do not involve disclosures of Protected Health Information (PHI), HIPAA compliance is not an issue.

However, when the service is used to store and share files that contain PHI, it is important OneDrive is HIPAA compliant. This means that the Microsoft or Office 365 business plan must include the capabilities to support HIPAA compliance, and that the capabilities are configured to ensure OneDrive is used in compliance with HIPAA. It is also important a Business Associate Agreement is in place.

Microsoft’s Business Associate Agreement

Before OneDrive or any cloud service can be used to create, store, or send files containing electronic PHI, HIPAA-covered entities must enter into a HIPAA-compliant Business Associate Agreement (BAA) with the vendor of the service – in this case Microsoft. Microsoft’s BAA is a one-size-fits-all “Data Protection Addendum” for all in-scope services and for all customers who identify as being covered by HIPAA.


In most cases, agreeing to the Data Protection Addendum is automatic when a covered entity or business associate subscribes to a qualifying enterprise or business plan because the Data Protection Addendum is an addendum to the License Terms for Online Services rather than a separate Agreement. Nonetheless, it is important compliance officers read the terms of the Addendum before using OneDrive to store PHI.

Under the terms of the Addendum, Microsoft agrees to limit uses and disclosures of PHI to those necessary and implement safeguards to prevent unauthorized access. However, Microsoft will not respond to patient access requests (because PHI is not maintained by Microsoft in designated record sets) and will not report security incidents that do not result in a data breach to Covered Entities.

Microsoft explains that all appropriate security controls including the encryption of data at rest and in transit to HIPAA standards are included in OneDrive; and, while HIPAA compliance certification has not been obtained, the in-scope services covered by the Addendum have been independently audited for ISO/IEC 27001 certification to satisfy the requirements of the HIPAA Security Rule.

Making OneDrive HIPAA Compliant

Just because Microsoft automatically includes a Business Associate Agreement in business plan subscriptions, it does not make the use of OneDrive HIPAA compliant. As Microsoft explains, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Making Microsoft OneDrive HIPAA compliant is dependent on subscribing to an enterprise or business plan that includes the security measures required for complying with the Security Rule (access controls, audit logs, automatic disconnect, etc.). Not all plans include all the features necessary to comply with the Security Rule, so it may be necessary to purchase add-ons or configure other software or devices.

As well as configuring OneDrive for Business to comply with the Security Rule, it is necessary to train members of the workforce on how to use OneDrive to avoid inadvertent policy violations (e.g., saving a document to a local device rather than saving it to OneDrive). This should be included in security and awareness training, and it may also be necessary for Security Officers to monitor compliance with HIPAA training.

In answer to the question, “Is Microsoft OneDrive HIPAA compliant?”, OneDrive supports HIPAA compliance, but the compliant configuration and use of the service – and any integrations with OneDrive – is what determines compliance. If your organization is unsure about how to configure and use OneDrive in compliance with HIPAA, it is recommended you seek professional compliance advice.

Is OneDrive HIPAA Compliant? FAQs

Is it a HIPAA violation to use OneDrive without a BAA?

It is a HIPAA violation to use OneDrive without a BAA if OneDrive is being used to store or share PHI. A BAA is required by both the Security Rule and the Privacy Rule (45 CFR §164.308(b) and §164.502(e)) before PHI is disclosed to a cloud service provider – even if the PHI is encrypted and the cloud service provider cannot access it because the covered entity maintains the decryption key.

Which business plans support Microsoft OneDrive HIPAA compliance?

Most business plans support Microsoft OneDrive HIPAA compliance, although it may be necessary to subscribe to a Security Package or compliance add-on if a plan lacks capabilities such as identity management or access reviews. Depending on which capabilities your organization requires to make OneDrive HIPAA compliant, it may be less expensive to upgrade an existing plan than purchase add-ons.

Why will Microsoft not sign my organization’s BAA?

Microsoft will not sign your organization’s BAA because it offers “hyperscale, multi-tenanted services that are standardized for all customers”. Due to the number of HIPAA covered entities and business associates that subscribe to Microsoft business plans, it would be impractical for Microsoft to adapt its services and tailor its BAAs to meet the requirements of each individual customer.

How could a healthcare organization using OneDrive violate the Privacy Rule?

A healthcare organization using OneDrive could violate the Privacy Rule if, for example, it applied such stringent access controls to stored data it was difficult to comply with patient access requests within 30 days. This issue is not the fault of OneDrive, but rather how the service has been configured. It could occur with any cloud or on-premises storage solution.

If you have difficulty making Microsoft OneDrive HIPAA compliant, who should you approach for help?

If you have difficulty making Microsoft OneDrive HIPAA compliant, who you should approach for help depends on whether you are struggling with compliance or technical issues. If you are struggling with compliance issues, you should approach a HIPAA compliance specialist. If you are struggling with technical issues, you should approach Microsoft customer support.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
