There is certainly no issue with HIPAA-covered entities implementing OneDrive. Microsoft allows HIPAA-compliance and many of its cloud based utilities, including OneDrive, can be implemented without violating HIPAA Rules.
Even so, before OneDrive – or any cloud service – can be used to establish, manage or share files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and complete a HIPAA-compliant business associate agreement (BAA) prior to the first use.
Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms.
- The BAA includes:
- OneDrive for Business
- Azure Government
- Cloud App Security
- Dynamics 365
- Office 365
- Microsoft Flow
- Intune Online Services
- Power BI
- Visual Studio Team Services
Under the terms and conditions of its business associate agreement, Microsoft will place limits on use and disclosure of ePHI, establish safeguards to prevent inappropriate use, report to consumers and provide access to PHI, on request, per the HIPAA Privacy Rule. Microsoft will also ensure that if any subcontractors are used, they will adhere with these – or more stringent – restrictions and conditions with respect to PHI.
Once the BAA is signed prior to the first use of OneDrive for creating, storing, or sharing PHI, the service can be used without breaking HIPAA Rules.
Microsoft states that all appropriate security controls are incorporated in OneDrive, and while HIPAA compliance certification has not been obtained, all of the services and software covered by the BAA have been independently reviewed and audited for the Microsoft ISO/IEC 27001 certification.
Proper security controls are included to satisfy the requirements of the HIPAA Security Rule, such as the encryption of data at rest and in transit to HIPAA standards. Microsoft uses 256-bit AES encryption and SSl/TLS connections are developed using 2048-bit keys.
However, just because Microsoft will agree to providing and completing a BAA, it does not mean OneDrive is HIPAA compliant. There is a lot more to compliance than using a specific software or cloud service. Microsoft supports HIPAA compliance, but HIPAA compliance will only be in place if the users implement it in line with HIPAA rules. As Microsoft says, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”
Before the first use of any cloud service, a HIPAA-covered entity must finish a risk analysis and assess the vendor’s provisions and policies. A risk management program must also be created using policies, procedures, and technologies to ensure risks are addressed.
Access policies must be established and security settings configured properly. Strong passwords should be put in place, external file sharing should be switched off properly, access should be limited to trusted whitelisted networks, and PHI must only be shared with individuals authorized to view the information. When PHI is shared, the minimum required standard applies. Logging should be switched on to ensure organizations can see what users are doing with respect to PHI, and when employees no longer need access to OneDrive, such as when they leave the group, access should be terminated at once.