Is OneDrive HIPAA Compliant? - The HIPAA Guide (2024)

Table of Contents
Making OneDrive HIPAA Compliant Microsoft’s Business Associate Agreement Is OneDrive HIPAA Compliant? Conclusion OneDrive and HIPAA Compliance: FAQ What could happen if a CE used OneDrive without a BAA? What should be included in a BAA? Must cloud services be encrypted to be HIPAA compliant? What is ePHI?

Is OneDrive HIPAA Compliant? - The HIPAA Guide (1)

OneDrive is HIPAA compliant and can be used to store, sync, and share files containing Protected Health Information provided organizations subscribe to a Microsoft 365 or Office 365 plan that supports HIPAA compliance and the file storage system is configured to comply with the Security Rule’s safeguards. It will also be necessary to enter into a Business Associate Agreement with Microsoft to make the use of OneDrive HIPAA compliant.

All Microsoft 365 and Office 365 business plans include OneDrive because it is a convenient cloud-based storage service that enables files to be accessed from any Internet-connected location and shared quickly and easily between individuals, teams, and collaborators.

For HIPAA covered entities and business associates, the question is OneDrive HIPAA compliant does not apply when the service is used to store files that do not contain Protected Health Information (PHI) – although other laws may apply to how sensitive data is stored and shared.

However, if the storage service is used just to store one file containing PHI, it is necessary to make OneDrive HIPAA compliant. This is not simply a case of adjusting a few settings. There are several stages to making OneDrive HIPAA compliant – including which business plan the organization subscribes to.

Get the FREE
HIPAA Compliance
Email Checklist

Learn How To Prevent All Email Related HIPAA Violations

Immediate Access

Privacy Policy

See Also
Comparison between OneDrive for Business and SharePoint

Making OneDrive HIPAA Compliant

In order to make OneDrive HIPAA complaint, the service must be configured to comply with the standards of the Security Rule – i.e., information access management, integrity controls, contingency planning, audits logs, transmission security, etc.

Not all Microsoft 365 and Office 365 business plans include all the controls required to make OneDrive HIPAA compliant, and it may be necessary to purchase an add-on security plan or upgrade an existing plan to one with the required capabilities and controls.

Thereafter, once the necessary controls have been configured to comply with the standards of the Security Rule, it is important that members of the workforce with access to OneDrive are trained in how to use OneDrive in compliance with HIPAA.

Most members of the workforce will have little difficulty understanding the technicalities of using OneDrive in compliance with HIPAA. However, it is important workforce members understand not to save files with PHI in the titles or include PHI in the subject field of links to shared files.

Microsoft’s Business Associate Agreement

A number of sources discussing how to make OneDrive HIPAA compliant dedicate a lot of the discussion to entering into a Business Associate Agreement with Microsoft. However, a standard Business Associate Agreement is automatically applied by Microsoft when a healthcare organization subscribes to a Microsoft 365 or Office 365 business plan.

While the automatic application of a Business Associate Agreement for all “in-scope services” eliminates the administrative burden of having to ensure an agreement is in place before OneDrive is used to store or share PHI, it is important that covered entities and business associates read the terms of the agreement to understand the respective obligations.

It is also important to be aware that Microsoft will not change any part of the Agreement to suit an organization’s requirements. Therefore, if you don’t like the fact that Microsoft will not respond to patient access requests or will not report all security incidents to covered entities (as required by §164.314) you may need to find another cloud storage service provider.

Is OneDrive HIPAA Compliant? Conclusion

In conclusion, rather than being HIPAA compliant, Microsoft OneDrive supports HIPAA compliance. Thereafter it is the responsibility of the covered entity or business associate to configure the service to comply with the standards of the Security Rule, train members of the workforce on the compliant use of OneDrive, and agree to the terms of the Business Associate Agreement.

If you have any questions about which Microsoft business plans support HIPAA compliance, or how the components of each plan should be configured to support HIPAA compliance, you should speak with Microsoft customer services. If you have any questions about training your workforce or navigating Microsoft’s Business Associate Agreement, you should seek professional compliance advice.

OneDrive and HIPAA Compliance: FAQ

What could happen if a CE used OneDrive without a BAA?

What could happen if a CE used OneDrive without a BAA depends on whether OneDrive is being used to store, sync, and share ePHI. If ePHI is being disclosed to Microsoft, it is a violation of HIPAA for which the CE would be liable for. (It is also a breach of Microsoft’s terms of service that could result in the termination of service). If no ePHI is being disclosed to Microsoft, it does not matter if OneDrive is used without a BAA,

What should be included in a BAA?

What should be included in a BAA depends on the service being provided for or on behalf of a CE. BAAs are written agreements that detail the responsibilities held by both the CE and BA in relation to the HIPAA-compliant use of PHI. The BAA will cover a number of topics, including but not limited to: how PHI can be used, who can access it, and what protections will be in place to ensure that it is not accessed by unauthorized individuals.

Must cloud services be encrypted to be HIPAA compliant?

Cloud services do not have to be encrypted to be HIPAA compliant. HIPAA does not stipulate exact protections that need to be in place for a CE to be HIPAA compliant. Rather, it establishes a set of minimum standards which must be met. Encryption, for example, is an “addressable” requirement, meaning that if an equivalently good protection can be implemented, encryption itself is not required.

What is ePHI?

ePHI is electronic Protected Health Information that is created, received, stored, or transmitted in connection with a health insurance transaction for which the Department of Health and Human Services has developed standards. In most cases, ePHI consists of individually identifiable health information relating to an individual’s health condition, treatment for the condition, or payment for the treatment. ePHI can also include any individually identifiable non-health information when it is maintained in the same designated record set as ePHI.

Is OneDrive HIPAA Compliant? - The HIPAA Guide (2024)
Top Articles
Penny Cleaning Science Experiment: What Cleans Pennies Best?
XRP Price Prediction: Rare Bent Fork Pattern Predicts Explosive 3000% Surge To $15
English Bulldog Puppies For Sale Under 1000 In Florida
Katie Pavlich Bikini Photos
Gamevault Agent
Pieology Nutrition Calculator Mobile
Hocus Pocus Showtimes Near Harkins Theatres Yuma Palms 14
Hendersonville (Tennessee) – Travel guide at Wikivoyage
Compare the Samsung Galaxy S24 - 256GB - Cobalt Violet vs Apple iPhone 16 Pro - 128GB - Desert Titanium | AT&T
Vardis Olive Garden (Georgioupolis, Kreta) ✈️ inkl. Flug buchen
Craigslist Dog Kennels For Sale
Things To Do In Atlanta Tomorrow Night
Non Sequitur
Crossword Nexus Solver
How To Cut Eelgrass Grounded
Pac Man Deviantart
Alexander Funeral Home Gallatin Obituaries
Energy Healing Conference Utah
Geometry Review Quiz 5 Answer Key
Hobby Stores Near Me Now
Icivics The Electoral Process Answer Key
Allybearloves
Bible Gateway passage: Revelation 3 - New Living Translation
Yisd Home Access Center
Pearson Correlation Coefficient
Home
Shadbase Get Out Of Jail
Gina Wilson Angle Addition Postulate
Celina Powell Lil Meech Video: A Controversial Encounter Shakes Social Media - Video Reddit Trend
Walmart Pharmacy Near Me Open
Marquette Gas Prices
A Christmas Horse - Alison Senxation
Ou Football Brainiacs
Access a Shared Resource | Computing for Arts + Sciences
Vera Bradley Factory Outlet Sunbury Products
Pixel Combat Unblocked
Movies - EPIC Theatres
Cvs Sport Physicals
Mercedes W204 Belt Diagram
Mia Malkova Bio, Net Worth, Age & More - Magzica
'Conan Exiles' 3.0 Guide: How To Unlock Spells And Sorcery
Teenbeautyfitness
Where Can I Cash A Huntington National Bank Check
Topos De Bolos Engraçados
Sand Castle Parents Guide
Gregory (Five Nights at Freddy's)
Grand Valley State University Library Hours
Hello – Cornerstone Chapel
Stoughton Commuter Rail Schedule
Nfsd Web Portal
Selly Medaline
Latest Posts
What to Do When Homeschooling is Hard - Classical Conversations
Do Inquiries for Pre-Approved Offers Affect Your Credit Score?
Article information

Author: Melvina Ondricka

Last Updated:

Views: 5934

Rating: 4.8 / 5 (48 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Melvina Ondricka

Birthday: 2000-12-23

Address: Suite 382 139 Shaniqua Locks, Paulaborough, UT 90498

Phone: +636383657021

Job: Dynamic Government Specialist

Hobby: Kite flying, Watching movies, Knitting, Model building, Reading, Wood carving, Paintball

Introduction: My name is Melvina Ondricka, I am a helpful, fancy, friendly, innocent, outstanding, courageous, thoughtful person who loves writing and wants to share my knowledge and understanding with you.