Many covered entities want to take advantage of cloud storage services, but it is important to determine whether their use violates HIPAA Rules before they are used in connection with any PHI. In this post we explore whether OneDrive is HIPAA compliant and if it is a suitable cloud storage and sharing platform for use by healthcare organizations.
Many healthcare groups are already implementing Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a platform for saving, collaborating and sharing files.
HIPAA Compliance Supported by Microsoft
Microsoft supports HIPAA compliance, and many of its cloud services, including OneDrive, can be implemented and used with ePHI without violating HIPAA Rules. There is no problem with HIPAA-covered entities using OneDrive, provided certain conditions are met before it is used with ePHI.
Before any cloud service can be utilized in connection with files containing ePHI, HIPAA-covered entities must enter into a HIPAA-compliant business associate agreement (BAA) with the cloud service provider.
Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities. The BAA includes OneDrive for Business, along with Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.
Under the terms of its business associate agreement, Microsoft agrees to limit uses and disclosures of ePHI in accordance with the HIPAA Privacy Rule, to implement safeguards to prevent unauthorized access to customers’ files, and to report any breaches of customer accounts. Microsoft also guarantees that if any subcontractors are used, they will adhere to the same or stricter restrictions with respect to PHI. If the BAA is signed before OneDrive is used for creating, saving, or sharing PHI, the service can be used without breaching HIPAA Rules.
Microsoft says that all proper security measures are included in OneDrive, and while HIPAA compliance certification has not been received, all of the services and software covered by the BAA have been separately reviewed as part of Microsoft’s ISO/IEC 27001 certification.
Appropriate security measures are included to meet the requirements of the HIPAA Security Rule, including the encryption of data at rest and in transit to the standards demanded by HIPAA. Microsoft has implemented 256-bit AES encryption and SSL/TLS connections use 2048-bit keys.
HIPAA Compliance Involves More Than Using ‘HIPAA-Compliant’ Services
However, just because Microsoft will sign a BAA, it does not mean OneDrive is automatically HIPAA compliant. Microsoft supports HIPAA compliance, but HIPAA compliance depends on the actions of those using the service. As Microsoft says, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”
Before using any cloud service, a HIPAA-covered entity should conduct a risk analysis and review the vendor’s provisions and policies. Access controls should be implemented to ensure only authorized individuals can upload files containing PHI and access any PHI in files stored or shared via the service. Passwords should be strong and difficult to guess, to limit the chance of brute force attacks succeeding.
External file sharing should be switched off to prevent employees from accidentally sharing files containing PHI with unauthorized individuals, and access to OneDrive should be limited to trusted, whitelisted networks.
Logging should be switched on so that organizations have visibility into what users are doing in relation to PHI. When staff members no longer need access to OneDrive, such as when they leave their job or their role changes, their access should be terminated immediately.
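The controls described above, written out as OneDrive for Business tenant settings, as an added example that is not part of the original post. It assumes the SharePoint Online Management Shell, Exchange Online and Microsoft Graph PowerShell modules are installed and that the operator holds the relevant admin roles; the tenant name, IP ranges and user principal name are placeholders.

```powershell
# Added example (not from the original post): applying the post's OneDrive
# controls as tenant configuration. Tenant name and IP ranges are placeholders.
$Tenant = "contoso"                                   # placeholder tenant name
Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

# 1. Switch off external sharing tenant-wide, so a OneDrive link cannot be
#    sent to anyone outside the organization (the accidental-sharing risk).
Set-SPOTenant -SharingCapability Disabled

# 2. Restrict access to trusted networks: only the listed office/VPN ranges
#    (placeholder documentation ranges) may reach SharePoint Online/OneDrive.
Set-SPOTenant -IPAddressEnforcement $true `
              -IPAddressAllowList "203.0.113.0/24,198.51.100.0/24"

# 3. Verify the settings before any PHI is placed on the platform; the
#    weak (default) state would show SharingCapability other than Disabled
#    and IPAddressEnforcement False.
Get-SPOTenant | Select-Object SharingCapability, IPAddressEnforcement, IPAddressAllowList

# 4. Turn on unified audit logging so file access and sharing activity in
#    OneDrive is recorded and can be searched with Search-UnifiedAuditLog.
Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# 5. Off-boarding: block sign-in for a departing user so OneDrive access ends
#    immediately (user principal name is a placeholder).
Connect-MgGraph -Scopes "User.ReadWrite.All"
Update-MgUser -UserId "former.employee@$Tenant.onmicrosoft.com" -AccountEnabled:$false
```

The IP allow list enforces a network boundary for OneDrive only; device and identity conditions (for example, requiring MFA) are configured separately through conditional access policies.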
OneDrive can be used by healthcare companies without violating HIPAA Rules and Microsoft supports HIPAA compliance, but even when using a HIPAA compliant platform, it is still possible for HIPAA to be violated. With the above controls and training for any employee using the platform, risks of HIPAA violations can be reduced to a reasonable and acceptable level.
OneDrive and HIPAA Compliance: FAQ
What could happen if a CE used OneDrive without a BAA?
Even though OneDrive has the necessary security protocols to meet HIPAA’s minimum standards, it cannot be used in a HIPAA-compliant manner unless the covered entity has entered into a business associate agreement with Microsoft. Using any Microsoft product in conjunction with PHI without a BAA is considered a HIPAA violation, and may result in financial penalties from the Department of Health and Human Services’ Office for Civil Rights.
What should be included in a BAA?
BAAs are written agreements that detail the responsibilities held by both the CE and BA in relation to the HIPAA-compliant use of PHI. The BAA will cover a number of topics, including but not limited to: how PHI can be used, who can access it, and what protections will be in place to ensure that it is not accessed by unauthorized individuals.
Must cloud services be encrypted to be HIPAA compliant?
HIPAA does not stipulate exact protections that need to be in place for a CE to be HIPAA compliant. Rather, it establishes a set of minimum standards which must be met. Encryption, for example, is an “addressable” requirement, meaning that if an equivalently good protection can be implemented, encryption itself is not required.
What is ePHI?
ePHI is simply electronic Personal Health Information (PHI). HIPAA defines PHI as any information that is used in the provision of healthcare, payment for that healthcare, or other healthcare operations that contains one of 18 identifiers that can be used to trace the identity of an individual.