Is OneDrive HIPAA Compliant?

Many covered entities want to take advantage of cloud storage services, but it is important to establish whether OneDrive is HIPAA compliant before using it.

Many healthcare organizations have already adopted Microsoft Office 365 Business Essentials, including Exchange Online for email. Office 365 Business Essentials includes OneDrive Online, a platform for storing, sharing and collaborating on files.

HIPAA Compliance Supported by Microsoft

There is no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA compliance, and many of its cloud services, including OneDrive, can be implemented by an organization without violating HIPAA Rules.

However, before OneDrive, or any cloud service, can be used to create, store, or transmit files containing the electronic protected health information (ePHI) of patients, HIPAA-covered entities must complete and sign a HIPAA-compliant business associate agreement (BAA).

Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and provides a BAA through its Online Services Terms. The BAA covers OneDrive for Business, along with Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.

Under the terms of its business associate agreement, Microsoft agrees to place limitations on the use and disclosure of ePHI, implement safeguards to prevent inappropriate use, report to customers, and provide access to PHI on request, as required by the HIPAA Privacy Rule. Microsoft also guarantees that any subcontractors it uses will adhere to the same, or stricter, restrictions and conditions with respect to PHI.

If the BAA is signed before OneDrive is used to create, store, or share PHI, the service can be used without breaching HIPAA Rules.

Microsoft states that all appropriate security measures are included in OneDrive, and although no HIPAA compliance certification has been received (there is no official HIPAA certification scheme), all of the services and software covered by the BAA have been independently reviewed as part of Microsoft's ISO/IEC 27001 certification.

Appropriate security measures are in place to meet the requirements of the HIPAA Security Rule, including encryption of data at rest and in transit to HIPAA standards. Microsoft has implemented 256-bit AES encryption, and SSL/TLS connections are established using 2048-bit keys.

HIPAA Compliance Involves More Than Using ‘HIPAA-Compliant’ Services

However, the fact that Microsoft will sign a BAA does not make OneDrive automatically HIPAA compliant. There is more to compliance than using a particular piece of software or cloud service. Microsoft supports HIPAA compliance, but HIPAA compliance depends on the actions of those using the service. As Microsoft says, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Before starting to use any cloud service, a HIPAA-covered entity must conduct a risk analysis and review the vendor’s provisions and policies. A risk management program must also be developed, using policies, procedures, and technologies to ensure risks are reduced to an acceptable level.

Access policies must be developed and security settings configured correctly. Strong passwords should be enforced, external file sharing should be switched off, access should be limited to trusted, allowlisted networks, and PHI must only be sent to individuals authorized to view the data. When PHI is shared, the minimum necessary standard applies. Logging should be switched on so that organizations have visibility into what users are doing with PHI, and when staff members no longer need access to OneDrive, such as when they leave the organization, access should be revoked immediately.
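The settings listed above can be checked, and applied, from the administration shells Microsoft provides for the tenant. The script below is an added example, not code from this article or from Microsoft. It assumes the SharePoint Online Management Shell, Exchange Online PowerShell and Microsoft Graph PowerShell modules are installed and that the operator is a tenant administrator; the tenant name `contoso`, the RFC 5737 documentation IP ranges and the departing user's address are constructed placeholders to be replaced. It audits the tenant against the article's expectations and changes nothing unless `-Remediate` is supplied.

```powershell
# Added example: audit (and optionally harden) the OneDrive settings the article calls for.
# Assumes modules: Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement,
# Microsoft.Graph.Users, Microsoft.Graph.Users.Actions. All values below are placeholders.
param(
    [string]   $TenantName    = 'contoso',                                  # placeholder tenant
    [string[]] $TrustedRanges = @('203.0.113.0/24', '198.51.100.0/24'),      # constructed, RFC 5737
    [string]   $DepartingUser = 'former.employee@contoso.example',           # constructed
    [switch]   $Remediate                                                    # audit only unless set
)

function Get-OneDriveBaselineFindings {
    # Compare live tenant settings with the expected hardened values and return one
    # object per deviation. Each finding carries the scriptblock that would fix it.
    $tenant   = Get-SPOTenant
    $auditCfg = Get-AdminAuditLogConfig
    $findings = @()

    # 1. External file sharing switched off at tenant level (covers OneDrive sites).
    if ($tenant.SharingCapability -ne 'Disabled') {
        $findings += [pscustomobject]@{
            Control  = 'External sharing'
            Current  = [string]$tenant.SharingCapability
            Expected = 'Disabled'
            Fix      = { Set-SPOTenant -SharingCapability Disabled }
        }
    }

    # 2. Access restricted to trusted, allowlisted networks.
    $wantedList = $TrustedRanges -join ','
    if (-not $tenant.IPAddressEnforcement -or $tenant.IPAddressAllowList -ne $wantedList) {
        $findings += [pscustomobject]@{
            Control  = 'Network allowlist'
            Current  = "Enforcement=$($tenant.IPAddressEnforcement) List=$($tenant.IPAddressAllowList)"
            Expected = "Enforcement=True List=$wantedList"
            Fix      = { Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList $wantedList }
        }
    }

    # 3. Unified audit logging on, so user activity against PHI is recorded.
    if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
        $findings += [pscustomobject]@{
            Control  = 'Unified audit log'
            Current  = 'Disabled'
            Expected = 'Enabled'
            Fix      = { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
        }
    }
    return $findings
}

function Revoke-DepartingUserAccess {
    # Block sign-in and invalidate existing sessions so cached tokens stop working too.
    param([Parameter(Mandatory)][string] $Upn)
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null
}

# Connect to the three admin endpoints (interactive sign-in; MFA is expected).
Connect-SPOService     -Url "https://$TenantName-admin.sharepoint.com"
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph        -Scopes 'User.ReadWrite.All' -NoWelcome

$findings = Get-OneDriveBaselineFindings
if ($findings.Count -eq 0) {
    Write-Host 'All checked settings match the expected baseline.'
}
foreach ($f in $findings) {
    Write-Warning ("{0}: current '{1}', expected '{2}'" -f $f.Control, $f.Current, $f.Expected)
    if ($Remediate) { & $f.Fix; Write-Host "  remediated: $($f.Control)" }
}

# Leaver handling: run only when an address was supplied and remediation is enabled.
if ($Remediate -and $DepartingUser) {
    Revoke-DepartingUserAccess -Upn $DepartingUser
    Write-Host "Access revoked for $DepartingUser"
}
```

Run it first without `-Remediate` to obtain a drift report that can be filed with the risk analysis; rerun with `-Remediate` once the findings have been reviewed. Password strength and the "authorized individuals only" rule are not tenant switches and are handled by the identity platform's password and conditional access policies and by staff procedure, which is why the script does not attempt them.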

OneDrive can be used by an organization without violating HIPAA Rules, and Microsoft supports HIPAA compliance, but ultimately HIPAA compliance rests with the covered entity and depends on how the service is implemented and used.