Microsoft Office 365 is one of the most popular business suite software platforms in the world, with more than a million customers in the United States and nearly 50% of the total market worldwide. With OneDrive’s cloud storage and collaboration features, Office 365 is a powerful tool for healthcare organizations of every size. Before private practices and hospitals choose this platform for data management, however, it’s critical to know whether OneDrive is HIPAA compliant.
Microsoft OneDrive can comply with HIPAA standards for data security and privacy, but it isn’t automatic. Whether OneDrive is HIPAA compliant depends on a wide range of details, including:
There’s no HIPAA certification, stamp, or seal of approval for software. Meeting HIPAA guidelines depends as much on how your company uses the software as the security capabilities of the tools themselves.
For what it’s worth, Microsoft does hold important independent certifications related to data security practices and the HITRUST Common Security Framework, including the rigorous ISO/IEC 27001 certification. This isn’t the same as HIPAA compliance, but it tells your company that Microsoft follows good cybersecurity practices as a third-party vendor.
To fairly evaluate how well Microsoft OneDrive contributes to HIPAA compliance, it’s important to understand what security and privacy controls HIPAA requires for cloud storage in the first place. Your configuration will always play a key part, but the platform also needs to have certain types of functionality to support the required protections.
The HIPAA Security Rule means that any cloud storage platform that stores protected health information must support the following:
To be HIPAA compliant, not only does your cloud storage platform need to restrict access to keep unauthorized personnel out, but it also needs to provide a way for patients to access PHI securely. Individuals have a right to request copies of their charts, test results, receipts/invoices, and other records.
Overall, OneDrive provides the technology healthcare organizations need to meet HIPAA requirements. To access some of the necessary security features, however, you need a higher subscription tier or specific add-ons.
A cloud storage platform like OneDrive is an excellent choice for implementing data redundancy measures to protect against disasters. OneDrive allows you to set the general location of data storage, and Microsoft operates multiple data centers within the United States for additional resiliency. At a minimum, Microsoft mirrors OneDrive data into two separate geographical areas within the region.
OneDrive uses Transport Layer Security (TLS) encryption over HTTPS for data in transit. This helps safeguard PHI and other confidential data against man-in-the-middle attacks and other interception of network traffic.
OneDrive also encrypts files stored on its cloud servers with AES-256 keys. This matters because one of the main pillars of the HIPAA Security Rule is ensuring the confidentiality of electronic PHI through strong encryption policies.
Microsoft engineers who need to access OneDrive cloud servers for maintenance or other tasks must request unique authorization each time. This zero-trust approach follows good cybersecurity hygiene.
Some Microsoft 365 Business Premium and Enterprise plans include advanced threat detection, suspicious activity monitoring, and various types of Windows Defender tools for anti-malware and anti-ransomware protection. That said, the enormous range of Microsoft 365 subscription options requires you to carefully check your organization’s needs before selecting a plan. Microsoft 365 Enterprise plans come in E3, E5, E5 Security, and E5 Compliance variations, and there are even more options for healthcare organizations.
Advanced security features for OneDrive generally require a Microsoft 365 Enterprise E5 account. Some of these monitoring features include:
The level of protection offered and the control you have over security settings depends on your Microsoft 365 subscription. To meet HIPAA requirements, you may need a more expensive subscription, security add-ons, or third-party solutions. Considering that Microsoft 365 E5 costs about $55 per user/month, the necessary features may be cost-prohibitive for large teams.
Microsoft offers a Business Associate Agreement (Data Protection Addendum) that meets general HIPAA requirements, but it refuses to sign agreements that healthcare organizations craft themselves. This can be a sticking point if your operations require special treatment of ePHI or cybersecurity measures that are outside the norm.
One critical detail with OneDrive’s BAA is that Microsoft does not have the capability to respond to patient access requests. It doesn’t store data by patient. Thus, your staff is solely responsible for organizing, finding, and sending the necessary documents within 30 days.
The necessary building blocks of HIPAA compliance are available in Microsoft 365 Business Premium, the Microsoft 365 E5 variations, and dozens of add-ons. The key to ensuring compliance lies in selecting the appropriate level of protection.
Your organization also needs to invest in employee training. OneDrive’s DLP, authentication, access control, and monitoring features are only as secure as the employees using them. For example, saving ePHI in public, non-password-protected, or local (on-device) folders is still a HIPAA violation. The same goes for having multifactor authentication settings available and not implementing them.
HIPAA compliance with OneDrive is primarily a question of performing due diligence, being aware of your organization’s compliance needs, and finding the right combination of Microsoft 365 tools to address those needs. Compyl can help you identify your organizational scope, visualize compliance vulnerabilities, and create automated workflows for OneDrive document storage. See how to set up OneDrive to be HIPAA compliant today.