The answer to the question "is OneDrive HIPAA compliant?" is that it can be. This is because compliance does not depend on the capabilities of an app or service, but rather on whether the app or service is configured to support HIPAA compliance and is used in a compliant manner.
All Microsoft 365 and Office 365 business plans include OneDrive because it is a convenient cloud-based storage service that enables files to be accessed from any Internet-connected location and shared quickly and easily between individuals, teams, and collaborators.
For HIPAA Covered Entities and Business Associates, the question "is OneDrive HIPAA compliant?" does not apply when the service is used to store files that do not contain Protected Health Information (PHI) – although other laws may apply to how sensitive data is stored and shared.
However, if the storage service is used just to store one file containing PHI, it is necessary to make OneDrive HIPAA compliant. This is not simply a case of adjusting a few settings. There are several stages to making OneDrive HIPAA compliant – including which business plan the organization subscribes to.
Making OneDrive HIPAA Compliant
In order to make OneDrive HIPAA compliant, the service must be configured to comply with the standards of the Security Rule – i.e., information access management, integrity controls, contingency planning, audit logs, transmission security, etc.
Not all Microsoft 365 and Office 365 business plans include all the controls required to make OneDrive HIPAA compliant, and it may be necessary to purchase an add-on security plan or upgrade an existing plan to one with the required capabilities and controls.
Thereafter, once the necessary controls have been configured to comply with the standards of the Security Rule, it is important that members of the workforce with access to OneDrive are trained in how to use OneDrive in compliance with HIPAA.
Most members of the workforce will have little difficulty understanding the technicalities of using OneDrive in compliance with HIPAA. However, it is important that workforce members understand not to save files with PHI in the titles, or to include PHI in the subject field of links to shared files.
Microsoft’s Business Associate Agreement
A number of sources discussing how to make OneDrive HIPAA compliant dedicate a lot of the discussion to entering into a Business Associate Agreement with Microsoft. However, a standard Business Associate Agreement is automatically applied by Microsoft when a healthcare organization subscribes to a Microsoft 365 or Office 365 business plan.
While the automatic application of a Business Associate Agreement for all “in-scope services” eliminates the administrative burden of having to ensure an agreement is in place before OneDrive is used to store or share PHI, it is important that Covered Entities and Business Associates read the terms of the agreement to understand the respective obligations.
It is also important to be aware that Microsoft will not change any part of the Agreement to suit an organization’s requirements. Therefore, if you don’t like the fact that Microsoft will not respond to patient access requests or will not report all security incidents to Covered Entities (as required by §164.314) you may need to find another cloud storage service provider.
Is OneDrive HIPAA Compliant? Conclusion
In conclusion, rather than being HIPAA compliant, Microsoft OneDrive supports HIPAA compliance. Thereafter it is the responsibility of the Covered Entity or Business Associate to configure the service to comply with the standards of the Security Rule, train members of the workforce on the compliant use of OneDrive, and agree to the terms of the Business Associate Agreement.
If you have any questions about which Microsoft business plans support HIPAA compliance, or how the components of each plan should be configured to support HIPAA compliance, you should speak with Microsoft customer services. If you have any questions about training your workforce or navigating Microsoft’s Business Associate Agreement, you should seek professional compliance advice.
OneDrive and HIPAA Compliance: FAQ
What could happen if a CE used OneDrive without a BAA?
Even though OneDrive has the necessary security protocols to ensure that it meets HIPAA's minimum standards, it cannot be used in a HIPAA-compliant manner unless the covered entity has entered into a business associate agreement with Microsoft. Using any Microsoft product in conjunction with PHI without a BAA in place is considered a HIPAA violation, and may result in financial penalties from the Department of Health and Human Services' Office for Civil Rights.
What should be included in a BAA?
BAAs are written agreements that detail the responsibilities held by both the CE and BA in relation to the HIPAA-compliant use of PHI. The BAA will cover a number of topics, including but not limited to: how PHI can be used, who can access it, and what protections will be in place to ensure that it is not accessed by unauthorized individuals.
Must cloud services be encrypted to be HIPAA compliant?
HIPAA does not stipulate exact protections that need to be in place for a CE to be HIPAA compliant. Rather, it establishes a set of minimum standards which must be met. Encryption, for example, is an “addressable” requirement, meaning that if an equivalently good protection can be implemented, encryption itself is not required.
What is ePHI?
ePHI is simply electronic Protected Health Information (PHI). HIPAA defines PHI as any information that is used in the provision of healthcare, payment for that healthcare, or other healthcare operations and that contains one of 18 identifiers that can be used to trace the identity of an individual.