Lately we've been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. OneDrive by Microsoft is a cloud service for hosting and sharing files. We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector, but are overwhelmed by the number of options.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Citrix ShareFile
- Google Drive
- Google Forms
- Google Hangouts
- Microsoft 365
The goal of this post is to determine if Microsoft OneDrive offers HIPAA compliance or not.
SEE ALSO: HIPAA Breaches and Cloud Providers
OneDrive is a file-hosting service operated by Microsoft as part of its suite of online cloud services. It allows users to store files as well as other personal data like Windows settings or BitLocker recovery keys in the cloud. Files can be synced to a PC and accessed from a web browser or a mobile device, as well as shared publicly or with specific people.
Microsoft OneDrive and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy. We checked the Microsoft Trust Center and found a page called HIPAA and the HITECH Act. In it, Microsoft wisely points out: “Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.” Since OneDrive is often bundled into Microsoft 365, we found a pdf doc called Microsoft 365 Compliance Framework for Industry Standards and Regulations that offered deeper insight into OneDrive and its capabilities for HIPAA compliance. The document specifically states that OneDrive for Business can be HIPAA compliant while OneDrive consumer cloud storage is not HIPAA compliant.
Does Microsoft OneDrive offer HIPAA compliant service?
The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate. Since Microsoft offers one specifically for OneDrive for Business, we conclude it is in fact a HIPAA compliant solution. Conclusion: OneDrive for Business is HIPAA Compliant and adheres to regulatory compliance for healthcare providers and healthcare organizations. OneDrive consumer cloud storage however, is not covered by Microsoft's BAA. Make sure you sign a BAA with Microsoft before using OneDrive for Business to store or transmit any PHI.