Is OneDrive HIPAA Compliant?

With the cloud now ubiquitous in both consumer and professional applications, a large swath of the healthcare industry is asking whether OneDrive, Microsoft’s cloud storage offering, is HIPAA compliant.

Many businesses, including those in the healthcare space, already use Microsoft products such as the Windows operating system, Outlook email and the Office suite, and so already trust Microsoft’s services. That familiarity makes Microsoft’s cloud storage option all the more attractive. OneDrive’s integration with Windows devices and with Microsoft’s email programmes is a further reason companies are drawn to it.

Microsoft has already demonstrated it can provide HIPAA compliant products

Beyond the general technical advantages mentioned above, one factor in particular encourages HIPAA covered entities to look to Microsoft for cloud storage: Microsoft has already demonstrated that it can build and maintain services which comply with the applicable HIPAA regulations. That track record may put Microsoft ahead of other vendors in the minds of customers.

Critical to the HIPAA compliance of any third party service is a business associate agreement (BAA) between the covered entity and the service vendor; the HIPAA rules require such an agreement before a vendor may create, receive, maintain or transmit PHI on the covered entity’s behalf. Microsoft showed quite early on that it was willing to enter into such agreements with HIPAA covered entities for its cloud services, as well as for many of its other products such as Office 365.

The BAA covers how data is to be protected and stored, and includes provisions allowing information to be accessed and copied as required by the HIPAA Privacy Rule (for example, to satisfy an individual’s right of access to their records). Microsoft further agrees to use subcontractors only if those businesses commit to the same or stricter standards. Together, these provisions supply some of the elements needed to protect the privacy of patient records and Protected Health Information (PHI).

Microsoft states that OneDrive includes the features necessary to meet the requirements of the HIPAA Security Rule, and offers options that can be used to meet or surpass other HIPAA standards. This is a vendor statement: it describes what the service makes possible, not what a given tenant has actually turned on.

Ensuring HIPAA compliance means more than just using “HIPAA compliant” services

A healthcare facility or other HIPAA covered entity that has put its BAA with Microsoft in place may want to start using OneDrive right away, but HIPAA compliance is not as simple as merely using products and services that are offered as “HIPAA compliant”.

One aspect that cannot be overlooked is making sure that all the correct settings and options have been configured before any ePHI is stored in or handled by the service. The Security Rule requires the covered entity to perform its own risk analysis, and the chosen OneDrive configuration should be reviewed and documented as part of that analysis rather than assumed to be safe by default. When it comes to HIPAA compliance, “the devil is in the details”: the most challenging step of introducing a new tool may be navigating an unfamiliar system and verifying that each necessary option has been activated.

To summarize, Microsoft’s OneDrive can be used in compliance with HIPAA, but whether it actually is depends on how it is configured and on how staff use it day to day.