Like most HIPAA-related questions about software systems and services, the answer to "is OneDrive HIPAA compliant?" is that it can be. To make OneDrive HIPAA compliant, covered entities and business associates have to subscribe to a Microsoft plan that includes the capabilities needed to support HIPAA compliance, and then configure those capabilities so that the service actually complies with HIPAA.
OneDrive is a file hosting service included in most Microsoft 365 plans or available as a standalone subscription. It enables users to store, share, and synchronize files so they can be accessed from any Internet-connected device. It can also back up common folders such as Documents, Pictures, and Desktop, and its version history and Files Restore feature let a user roll a drive back to an earlier point in time, which helps recovery after a malware or ransomware attack.
Most HIPAA covered entities and business associates that subscribe to a Microsoft 365 business plan have OneDrive included in the app package by default. However, before using OneDrive to store, share, or synchronize files that contain electronic Protected Health Information (ePHI), it is necessary to verify that the service is configured to comply with HIPAA and, if it is not, to make OneDrive HIPAA compliant.
How to Make OneDrive HIPAA Compliant
The first step for making OneDrive HIPAA compliant is to ensure the existing plan(s) include the controls required to comply with the standards and implementation specifications of the Security Rule. For example, not all plans include identity and access management tools or audit logging. If a plan lacks a necessary control, it may have to be purchased as an add-on.
Thereafter, the controls need to be configured correctly, and the settings chosen should follow from the organization's own risk analysis rather than from vendor defaults. Depending on the nature of an organization's activities, this may be as simple as enabling Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection, ATP) for SharePoint, OneDrive and Teams, enabling the unified audit log, restricting sharing, and setting an idle session timeout. Organizations with more complex environments should take advantage of Microsoft Purview (data loss prevention, sensitivity labels, retention policies) and Microsoft Entra Conditional Access to set up OneDrive access controls and policies.
The next step for making OneDrive HIPAA compliant is to ensure all members of the workforce receive training on how to use OneDrive, and any apps that access it, in a compliant way. This does not necessarily require a special "OneDrive training session": how to use software systems and services in compliance with HIPAA should already be part of an ongoing cybersecurity training program.
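As an added example (this is not from the original article or from Microsoft's own documentation), the following PowerShell applies the baseline settings just described and then reads them back as a drift check, using the SharePoint Online Management Shell and Exchange Online PowerShell modules. The tenant name contoso, the account's roles, the timeout values and the sharing levels are assumptions; the cmdlets and parameters are the modules' real ones. Microsoft Purview DLP policies and Entra Conditional Access are not shown.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement
# Added example, not from the article. Assumes a tenant named "contoso" (placeholder),
# an account holding the SharePoint and Exchange administrator roles, and a plan that
# includes Microsoft Defender for Office 365. Timeouts and sharing levels below are
# illustrative choices; derive your own from the organization's risk analysis.

$TenantName = 'contoso'   # assumed placeholder

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-ExchangeOnline -ShowBanner:$false

# 1. Idle session sign-out for browser sessions (the article's "idle session timeout"):
#    warn the user after 55 minutes of inactivity, sign out at 60.
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 55) `
    -SignOutAfter (New-TimeSpan -Minutes 60)

# 2. Tenant-wide OneDrive sharing and malware settings.
$tenantSettings = @{
    # No anonymous "Anyone" links from OneDrive; only authenticated external users
    # who already exist in the directory can receive shares.
    OneDriveSharingCapability    = 'ExistingExternalUserSharingOnly'
    # New sharing links default to people inside the organization, read-only.
    DefaultSharingLinkType       = 'Internal'
    DefaultLinkPermission        = 'View'
    # Refuse to serve files the built-in malware engine has flagged.
    DisallowInfectedFileDownload = $true
}
Set-SPOTenant @tenantSettings

# 3. Defender for Office 365 Safe Attachments for SharePoint, OneDrive and Teams
#    (the "ATP controls" the article refers to): scans files after upload.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 4. Unified audit log, so OneDrive file access and sharing events are recorded.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 5. Read the settings back and report anything that still deviates from the baseline.
#    Returns an empty array when everything matches; rerun periodically as a drift check.
function Test-OneDriveBaseline {
    $findings = @()

    $idle = Get-SPOBrowserIdleSignOut
    if (-not $idle.Enabled) {
        $findings += 'Browser idle session sign-out is disabled'
    }

    $tenant = Get-SPOTenant
    if ($tenant.OneDriveSharingCapability -eq 'ExternalUserAndGuestSharing') {
        $findings += 'OneDrive still allows anonymous sharing links'
    }
    if (-not $tenant.DisallowInfectedFileDownload) {
        $findings += 'Files flagged as infected can still be downloaded'
    }

    $atp = Get-AtpPolicyForO365
    if (-not $atp.EnableATPForSPOTeamsODB) {
        $findings += 'Safe Attachments for SharePoint, OneDrive and Teams is off'
    }

    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
        $findings += 'Unified audit log ingestion is off'
    }

    return $findings
}

$drift = @(Test-OneDriveBaseline)
if ($drift.Count -eq 0) {
    Write-Output 'OneDrive baseline settings verified.'
} else {
    $drift | ForEach-Object { Write-Warning $_ }
}
```

The read-back in step 5 is the part worth keeping: settings in a tenant drift as administrators change them, and an auditor will ask for evidence that the configuration was in place, not just that it was set once.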
OneDrive Business Associate Agreement
The final requirement for making OneDrive HIPAA compliant is a Business Associate Agreement. Microsoft does not sign customers' own Business Associate Agreements. Instead, covered entities and business associates are automatically covered by Microsoft's standard, "one-size-fits-all" Business Associate Agreement when they subscribe to a qualifying business plan or to Microsoft Cloud for Healthcare.
While the automatic coverage of all "in-scope services" (including OneDrive) removes the need to put a separate Business Associate Agreement in place before using OneDrive to store, share, and synchronize files, covered entities and business associates should read the terms of the agreement to understand the limits of Microsoft's compliance obligations. Those obligations cover the service itself; configuring it, deciding who may access ePHI stored in it, and training the workforce remain the customer's responsibility.
The limits of Microsoft's compliance obligations will not be a problem for most covered entities and business associates. However, if you have concerns about the terms of the Business Associate Agreement, or about how to configure OneDrive's controls to make OneDrive HIPAA compliant, it is advisable to seek professional compliance advice.