Can I use OneDrive and be HIPAA compliant?

Featured image

Share this article

Can I use OneDrive and be HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. OneDrive by Microsoft is a cloud service for hosting and sharing files.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector, but are overwhelmed by the number of options.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The goal of this post is to determine if Microsoft OneDrive offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About OneDrive

OneDrive is a file-hosting service operated by Microsoft as part of its suite of online cloud services.

It allows users to store files as well as other personal data like Windows settings or BitLocker recovery keys in the cloud. Files can be synced to a PC and accessed from a web browser or a mobile device, as well as shared publicly or with specific people.

Microsoft OneDrive and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.

We checked the Microsoft Trust Center and found a page called HIPAA and the HITECH Act.

In it, Microsoft wisely points out:

“Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.”

Since OneDrive is often bundled into Microsoft 365, we found a pdf doc called Microsoft 365 Compliance Framework for Industry Standards and Regulations that offered deeper insight into OneDrive and its capabilities for HIPAA compliance.

The document specifically states that OneDrive for Business can be HIPAA compliant while OneDrive consumer cloud storage is not HIPAA compliant.

Does Microsoft OneDrive offer HIPAA compliant service?

The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate.

Since Microsoft offers one specifically for OneDrive for Business, we conclude it is in fact a HIPAA compliant solution.

Conclusion: OneDrive for Business is HIPAA Compliant and adheres to regulatory compliance for healthcare providers and healthcare organizations.

OneDrive consumer cloud storage however, is not covered by Microsoft’s BAA.

Make sure you sign a BAA with Microsoft before using OneDrive for Business to store or transmit any PHI.

 

Try Paubox Email Suite for FREE today.
Author Photo

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.

Read more by Hoala Greevy

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022