Many covered entities want to take advantage of cloud storage services, but it is important to determine whether their use violates HIPAA Rules before they are used in connection with any PHI. In this post we explore whether OneDrive is HIPAA compliant and if it is a suitable cloud storage and sharing platform for use by healthcare organizations.
Many healthcare groups are already implementing Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a platform for saving, collaborating and sharing files.
HIPAA-Compliance Supported by Microsoft
Microsoft supports HIPAA-compliance and many of its cloud services, including OneDrive, can be implemented and used with ePHI without violating HIPAA Rules. There is no problem with HIPAA-covered entities using OneDrive, provided certain conditions are met prior to it being used with ePHI.
Before any cloud service can be utilized in connection with files containing ePHI, HIPAA-covered entities must enter into a HIPAA-compliant business associate agreement (BAA) with the cloud service provider.
Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities. The BAA includes OneDrive for Business, along with Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.
As per the terms of its business associate agreement, Microsoft agrees to limit uses and disclosure of ePHI in accordance with the HIPAA Privacy Rule, implement safeguards to prevent unauthorized access to customers’ files, and report any breaches of customer accounts. Microsoft also guarantees that if any subcontractors are used, they will adhere with the same – or stricter– restrictions with respect to PHI. If the BAA is signed before the use of OneDrive for creating, saving, or sharing PHI, the service can be used without breaching HIPAA Rules.
Microsoft says that all proper security measures are included in OneDrive, and while HIPAA compliance certification has not been received, all of the services and software covered by the BAA have been separately reviewed as part of Microsoft’s ISO/IEC 27001 certification.
Appropriate security measures are included to meet the requirements of the HIPAA Security Rule, including the encryption of data at rest and in transit to the standards demanded by HIPAA. Microsoft has implemented 256-bit AES encryption and SSL/TLS connections use 2048-bit keys.
HIPAA Compliance Involves More Than Using ‘HIPAA-Compliant’ Services
However, just because Microsoft will sign a BAA, it does not mean OneDrive is automatically HIPAA compliant. Microsoft supports HIPAA compliance, but HIPAA compliance depends of the actions of those using it. As Microsoft says, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”
Before using any cloud service, a HIPAA-covered entity should conduct a risk analysis and review the vendor’s provisions and policies. Access controls should be implemented to ensure only authorized individuals can upload files containing PHI and access any PHI in files stored or shared via the service. Strong passwords should be used that are difficult to guess and to limit the potential for brute force attacks to succeed.
External file sharing should be switched off to prevent employees from accidentally sharing files containing PHI with unauthorized individuals and access to OneDrive should be limited to trusted whitelisted networks.
Logging should be switched on to ensure organizations have visibility into what users are doing in relation to PHI, and when staff members no longer need access to OneDrive, such as when they leave their job or their role changes, access to OneDrive should be terminated immediately.
OneDrive can be used by healthcare companies without violating HIPAA Rules and Microsoft supports HIPAA compliance, but even when using a HIPAA compliant platform, it is still possible for HIPAA to be violated. With the above controls and training for any employee using the platform, risks of HIPAA violations can be reduced to a reasonable and acceptable level.