Is Microsoft OneDrive HIPAA Compliant?

Cloud storage offers a number of benefits to companies in many industries, but can covered entities in the healthcare industry use Microsoft OneDrive? Is OneDrive HIPAA compliant?

Microsoft Office 365 Business Essentials is a standard software package that healthcare providers use successfully. It also includes Exchange Online for email. Another feature of Office 365 Business Essentials is OneDrive Online, a cloud storage platform for saving or transferring files.

Microsoft supports HIPAA compliance

HIPAA-covered entities are well within their rights to use OneDrive. Microsoft software supports HIPAA compliance, and OneDrive and other Microsoft cloud services are regularly used without violating any HIPAA Rules.

However, for this to be the case, the HIPAA-covered entity must enter into a business associate agreement (BAA) with the provider of the cloud service before any protected health information (PHI) is used with the service in any way: created, saved, or sent.

Microsoft was among the first cloud storage providers to agree to enter into a BAA with HIPAA-covered entities, and its BAA is offered through its Online Service Terms. As well as OneDrive for Business, a number of services are covered by these terms, including Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.

Under the terms of its BAA, Microsoft is bound to limit the use and disclosure of PHI, to put protections in place that prevent inappropriate use, and to provide individuals with records of and access to their PHI on request, in line with the HIPAA Privacy Rule. Microsoft also commits to holding any subcontractors it employs to the same or higher standards when handling PHI.

So long as the BAA is signed before OneDrive is used to create, save, or transfer PHI, it can be used in compliance with HIPAA Rules.

Even though Microsoft OneDrive has no HIPAA compliance certification, Microsoft assures users that it includes all necessary security measures and that all services covered by the BAA have been independently verified against Microsoft's ISO/IEC 27001 certification.

Sufficient measures for compliance with the HIPAA Security Rule, such as encryption of data at rest and in transit, are also built into the service. Data is protected with 256-bit AES encryption, and 2048-bit keys are used when establishing SSL/TLS connections.

HIPAA Compliance Needs More Than ‘HIPAA Compliant’ Software

Even if a software provider signs a BAA, this does not automatically mean that all activity on its platform is HIPAA compliant. Services such as OneDrive may support HIPAA compliance, but they can only be HIPAA compliant if they are used in a HIPAA compliant manner. Microsoft, for example, states: “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

An important task all HIPAA-covered entities must complete before using any cloud platform is a detailed risk analysis that examines the provider's policies and provisions. A risk management program should also be created to introduce processes and tools that limit the identified risks.

Security configurations and access authorizations must be set. Basic measures should be introduced, such as the use of strong passwords; the disabling of external file sharing; restricting access to trusted, whitelisted networks; and sharing PHI only with authorized individuals. When PHI is shared, the minimum necessary standard should be adhered to. Access logs should record user activity, and authorizations should be revoked as soon as a user no longer requires access to the information, for example when they leave the organization.
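As an added example (not from the original article or from Microsoft), the following PowerShell script audits the OneDrive for Business tenant settings that correspond to two of the controls above, external file sharing disabled and access restricted to trusted networks, and applies the baseline only when explicitly asked. It assumes the SharePoint Online Management Shell module (Connect-SPOService, Get-SPOTenant, Set-SPOTenant); the admin URL and the network range are placeholders for your own tenant's values.

```powershell
# Added example: check OneDrive/SharePoint Online tenant sharing controls against
# a HIPAA-oriented baseline. Assumes the SharePoint Online Management Shell module.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',   # placeholder tenant admin URL
    [string[]]$TrustedRanges = @('203.0.113.0/24'),              # placeholder (RFC 5737 doc range)
    [switch]$Remediate                                           # apply the baseline, not just report
)

Connect-SPOService -Url $AdminUrl

function Test-OneDriveSharingBaseline {
    param([string[]]$TrustedRanges)
    $t = Get-SPOTenant
    $findings = @()
    # External file sharing should be disabled tenant-wide.
    if ($t.SharingCapability -ne 'Disabled') {
        $findings += [pscustomobject]@{ Setting = 'SharingCapability'
            Current = $t.SharingCapability; Expected = 'Disabled' }
    }
    # Default links should grant access to named people only, never "anyone".
    if ($t.DefaultSharingLinkType -ne 'Direct') {
        $findings += [pscustomobject]@{ Setting = 'DefaultSharingLinkType'
            Current = $t.DefaultSharingLinkType; Expected = 'Direct' }
    }
    # Access should be restricted to the whitelisted networks.
    if (-not $t.IPAddressEnforcement) {
        $findings += [pscustomobject]@{ Setting = 'IPAddressEnforcement'
            Current = $t.IPAddressEnforcement; Expected = $true }
    }
    $allowed = ($t.IPAddressAllowList -split ',') | ForEach-Object { $_.Trim() }
    $missing = $TrustedRanges | Where-Object { $allowed -notcontains $_ }
    if ($missing) {
        $findings += [pscustomobject]@{ Setting = 'IPAddressAllowList'
            Current = $t.IPAddressAllowList; Expected = ($TrustedRanges -join ',') }
    }
    return $findings
}

$findings = Test-OneDriveSharingBaseline -TrustedRanges $TrustedRanges
if (-not $findings) { Write-Output 'Tenant matches the sharing baseline.'; return }
$findings | Format-Table -AutoSize

if ($Remediate) {
    # Review the findings before running with -Remediate: enabling IP enforcement
    # with an incomplete allow list locks out users (and admins) on other networks.
    Set-SPOTenant -SharingCapability Disabled -DefaultSharingLinkType Direct
    Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList ($TrustedRanges -join ',')
}
```

Run it without -Remediate on a schedule and keep the output with your risk management records; any drift from the baseline is a configuration change that should be traced back to a user in the audit log.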

After all this, can we say that OneDrive is HIPAA compliant? The answer is both yes and no. It is possible to use OneDrive in a manner consistent with HIPAA Rules, but the covered entity must ensure that settings and user behavior remain HIPAA compliant.