Does OneDrive enable HIPAA compliance?

As the world becomes more digital, organizations are moving away from traditional data storage methods and toward their digital counterparts. This leads to increased efficiency and easier information transfer, and it saves time. But moving from paper files to digital storage can be a huge hassle.

One of the biggest challenges is complying with the mountains of legal requirements for handling patient information. HIPAA requirements are strict in order to protect both your organization and your patients’ privacy. Let’s consider one popular digital storage solution: OneDrive. Does OneDrive enable HIPAA compliance?

OneDrive can be used in a HIPAA-friendly way if the organization takes the proper steps. Microsoft breaks down the process for HIPAA compliance into four main steps: 

  • Evaluate the proposed solution. 
  • Enter a business associate agreement. 
  • Use access control for better security.
  • Establish procedures for HIPAA compliance.

Let’s review what each of these means and how they’ll help you use OneDrive and stay HIPAA-friendly.

Evaluate whether OneDrive is the right solution for you

Choosing the right technology solution is about more than just selecting a major player. It’s crucial to consider your organization’s technology needs. For example, does your organization need only a HIPAA cloud storage solution, or does it also need forms that can be used for data that is covered by HIPAA? The right solution will largely depend on the problem you’re trying to solve for your organization.

Other considerations include security and privacy practices as well as usability. Does OneDrive help you with compliance when used alongside your current technology? Do your employees know how to use it? You can resolve some concerns with additional training, while others may mean that the solution is incompatible with your systems.

If the software solution you’ve evaluated is compatible with your organization’s needs, you can move on to the next step, the business associate agreement (BAA). 

Review the business associate agreement

A business associate agreement can be an essential part of achieving HIPAA compliance when using software solutions. This agreement states how the parties handling the electronic protected health information (ePHI) will adhere to HIPAA.

How does this protect your organization? The BAA legally obligates both parties to handle ePHI in a compliant manner. This avoids mishaps that could open you up to patient complaints or worse, a lawsuit. 

Use access control to keep information from falling into the wrong hands

When there’s a physical risk in your workplace, like a trip hazard, would you prefer to put up a warning sign or simply eliminate the hazard? Completely eliminating the hazard provides the highest degree of safety. Similarly, when you want your team to act in a HIPAA-friendly manner, the simplest solution is to eliminate unnecessary risk. This can be partially achieved with access control.

You can control access by instituting physical or digital constraints on the information people can access. Does a nurse need access to patients in every department? Restricting access by department, provider, or another factor eliminates risk. Setting up access control on your software can help.

Microsoft’s HIPAA implementation guidance lists the following requirements:

  • Turn on Exchange Administrator Access Tracking so you’ll know when your administrators have accessed user accounts.
  • Turn off Microsoft Dynamics CRM Online for supported devices.
  • Periodically request and review access control reports for data repositories where you store ePHI.
  • Training:
    • Administrator training: Train your administrators not to put ePHI in an address book, directory, or global address list, nor to provide or allow access to ePHI during support services or troubleshooting with Microsoft.
    • User training: Train your users not to put ePHI in email headers, filenames, or public SharePoint sites. Make sure users understand not to email ePHI to individuals who don’t have the right to view that ePHI.

These requirements are specific to Microsoft’s products. You’ll have to do your homework if you’re planning to use a different solution. While these safeguards are a great start, staying HIPAA-friendly requires total team support. If you don’t have the right access controls and security processes in place, no software can make you compliant.

Establish procedures to stay HIPAA-friendly

Microsoft recommends that you put procedures in place to manage access control and deal with personnel changes.

With access control, you can review who is modifying user accounts and passwords or adding themselves to shared resources. This will help you manage risk and prevent potential security breaches.
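The review described above (who is changing accounts or passwords, and who is adding themselves to shared resources) is easier when it is scripted rather than eyeballed. The following Python script is an added example, not code from the article, Jotform, or Microsoft; it reads a JSON-lines audit export whose field and operation names (`actor`, `target`, `operation`, `PasswordReset`, `AddMemberToGroup`, and so on) are assumptions constructed for this example rather than Microsoft 365’s actual schema. It flags every account or permission change and marks changes where the actor is also the target as HIGH, since those are exactly the self-granted accesses a reviewer should look at first.

```python
"""Review account and permission changes from an audit export.

Added example for this article. The event schema and operation names below are
constructed approximations of an audit log export, not Microsoft's own format.
"""
import json
from collections import Counter

# Operations that modify accounts, passwords or membership of shared resources.
# These names are assumptions for this example, not Microsoft 365 operation names.
CHANGE_OPERATIONS = {
    "PasswordReset",
    "UpdateUser",
    "AddMemberToGroup",
    "RemoveMemberFromGroup",
    "SharingSet",
}

# Constructed sample export (JSON lines), one event per line.
SAMPLE_EXPORT = """
{"time": "2024-03-01T08:55:10Z", "actor": "admin.jane", "operation": "PasswordReset", "target": "nurse.bob", "resource": null}
{"time": "2024-03-01T09:02:41Z", "actor": "admin.jane", "operation": "AddMemberToGroup", "target": "admin.jane", "resource": "Cardiology-ePHI"}
{"time": "2024-03-01T09:05:00Z", "actor": "nurse.bob", "operation": "FileAccessed", "target": null, "resource": "Cardiology-ePHI/chart.docx"}
{"time": "2024-03-01T10:15:22Z", "actor": "admin.jane", "operation": "UpdateUser", "target": "admin.jane", "resource": null}
{"time": "2024-03-01T11:30:05Z", "actor": "it.sam", "operation": "AddMemberToGroup", "target": "nurse.bob", "resource": "Oncology-ePHI"}
{"time": "2024-03-01T12:00:00Z", "actor": "it.sam", "operation": "SharingSet", "target": "external.user@example.com", "resource": "Oncology-ePHI/report.xlsx"}
"""


def parse_export(text):
    """Parse a JSON-lines export into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # One malformed line should not abort the whole review.
            continue
    return events


def review_changes(events):
    """Return one finding per account/permission change.

    A change whose actor is also its target (an admin resetting their own
    password or adding themselves to a shared resource) is marked HIGH;
    every other change is marked REVIEW so it still shows up in the report.
    """
    findings = []
    for event in events:
        if event.get("operation") not in CHANGE_OPERATIONS:
            continue
        target = event.get("target")
        self_change = target is not None and target == event.get("actor")
        findings.append({
            "time": event.get("time"),
            "actor": event.get("actor"),
            "operation": event.get("operation"),
            "target": target,
            "resource": event.get("resource"),
            "severity": "HIGH" if self_change else "REVIEW",
        })
    return findings


def changes_per_actor(findings):
    """Count changes by actor so the reviewer sees who is making the most changes."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    found = review_changes(parse_export(SAMPLE_EXPORT))
    for f in found:
        print(f"{f['severity']:6} {f['time']} {f['actor']} {f['operation']} -> {f['target']} {f['resource'] or ''}")
    print("Changes per actor:", dict(changes_per_actor(found)))
```

In practice the reviewer would point `parse_export` at the real export of the access control reports Microsoft’s guidance tells you to request, and then tie each REVIEW finding back to a ticket or a documented change so that anything unexplained, and every HIGH finding, is investigated.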

It’s also critical that you have procedures in place for staff changes. When someone leaves your organization, you should remove any access they have to PHI. You’ll also need to update Microsoft with your HIPAA administrative contact at

By evaluating the software solution, considering a BAA, restricting access, and establishing proper security procedures, you’ll ensure your organization is ready to use OneDrive in a compliant manner.
