Is OneDrive HIPAA compliant?

As the world becomes more digital, organizations are moving away from traditional data storage methods and toward their digital counterparts. This leads to increased efficiency and easier information transfer, and it saves time. But moving from paper files to digital storage can be a huge hassle.

One of the biggest challenges is complying with the mountains of legal requirements for handling patient information. HIPAA requirements are strict in order to protect both your organization and your patients’ privacy. Let’s consider one popular digital storage solution: OneDrive. Is OneDrive HIPAA compliant?

The short answer is yes. OneDrive can be HIPAA compliant if the organization takes the proper steps. Microsoft breaks down the process for HIPAA compliance into four main steps: 

  • Evaluate the proposed solution. 
  • Enter a business associate agreement. 
  • Use access control for better security.
  • Establish procedures for HIPAA compliance.

Let’s review what each of these means and how they’ll help you use OneDrive and stay HIPAA compliant.

Evaluate whether OneDrive is the right solution for you

Choosing the right technology solution is about more than just selecting a major player. It’s crucial to consider your organization’s technology needs. For example, does your organization need only a HIPAA-compliant cloud storage solution, or does it also need HIPAA-compliant forms? The right solution will largely depend on the problem you’re trying to solve for your organization.

Other considerations include security and privacy practices as well as usability. Does OneDrive remain compliant when used alongside your current technology? Do your employees know how to use it? You can resolve some concerns with additional training, while others may mean that the solution is incompatible with your systems.

If the software solution you’ve evaluated is compatible with your organization’s needs, you can move on to the next step, the business associate agreement (BAA). 

Review the business associate agreement

The business associate agreement is an essential part of making any software solution HIPAA compliant. It states how each party that handles electronic protected health information (ePHI) will adhere to HIPAA, and HIPAA requires one with every vendor that stores or processes ePHI on your behalf. Without a signed BAA, no technology solution can be considered HIPAA compliant.

How does this protect your organization? The BAA legally obligates both parties to handle ePHI in a compliant manner. This avoids mishaps that could open you up to patient complaints or worse, a lawsuit. 

Use access control to keep information from falling into the wrong hands

When there’s a physical risk in your workplace, like a trip hazard, would you prefer to put up a warning sign or simply eliminate the hazard? Completely eliminating the hazard will provide the highest degree of safety. Similarly, when ensuring your team acts in a HIPAA-compliant manner, the simplest solution is to eliminate unnecessary risk. This can be done with access control.

You can control access by instituting physical or digital constraints on the information people can reach. Does a nurse need access to the records of patients in every department? Restricting access by department, provider, or another factor removes that risk. Setting up access control in your software, so that each user can open only the folders and files their role requires, is how you enforce it.

Microsoft’s HIPAA implementation guidance lists the following requirements:

  • Turn on Exchange Administrator Access Tracking so you’ll know when your administrators have accessed user accounts.
  • Turn off Microsoft Dynamics CRM Online for supported devices.
  • Periodically request and review access control reports for data repositories where you store ePHI.
  • Training:
    • Administrator training: Train your administrators not to put ePHI in an address book, directory, or global address list, and not to provide or allow access to ePHI during support services or troubleshooting with Microsoft. 
    • User training: Train your users not to put ePHI in email headers, filenames, or public SharePoint sites. Make sure users understand not to email ePHI to individuals who don’t have the right to view that ePHI.

These requirements are specific to Microsoft’s products. You’ll have to do your homework if you’re planning to use a different solution. While these safeguards are a great start, staying HIPAA compliant requires total team support. If you don’t have the right access controls and security processes in place, no software can make you compliant.

Establish procedures to stay HIPAA compliant

Microsoft recommends that you put procedures in place to manage access control and deal with personnel changes.

Alongside access control, review the audit logs to see who is modifying user accounts and passwords, who is sharing ePHI outside the organization, and who is adding themselves to shared resources. Reviewing these records on a schedule will help you manage risk and catch potential security breaches early.
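The two review tasks above (Microsoft’s “periodically review access control reports for repositories where you store ePHI” and the recommendation to review who is changing accounts or adding themselves to shared resources) are easier to keep up with if the check is scripted. The following Python is an added example and is not code from the original article or from Microsoft. It runs over a small set of constructed audit records whose field names approximate what Microsoft 365 unified audit log exports carry (Operation, UserId, ObjectId, TargetUserOrGroupName, TargetUserOrGroupType, ModifiedProperties); the record shape, the internal domain `clinic.example`, and the folder names treated as ePHI locations are assumptions, not taken from the article.

```python
"""Flag risky OneDrive sharing and directory changes in Microsoft 365 audit records."""
from dataclasses import dataclass

# Tenant-specific assumptions (illustrative, not from the original article).
INTERNAL_DOMAINS = {"clinic.example"}
EPHI_PATH_MARKERS = ("/Patients/", "/Clinical/")  # folders where ePHI is stored

# Operation names as they appear in SharePoint/OneDrive and Azure AD audit records.
SHARING_OPS = {"AnonymousLinkCreated", "SharingInvitationCreated", "SharingSet", "SecureLinkCreated"}
ACCOUNT_OPS = {"Add member to group.", "Reset user password.", "Update user."}

# Constructed sample records; not a real export.
SAMPLE_EVENTS = [
    {"Workload": "OneDrive", "Operation": "AnonymousLinkCreated", "UserId": "dr.lee@clinic.example",
     "ObjectId": "https://clinic-my.sharepoint.example/personal/dr_lee/Documents/Patients/intake-0417.pdf",
     "TargetUserOrGroupType": "", "TargetUserOrGroupName": ""},
    {"Workload": "OneDrive", "Operation": "SharingSet", "UserId": "nurse.ann@clinic.example",
     "ObjectId": "https://clinic-my.sharepoint.example/personal/nurse_ann/Documents/Patients/",
     "TargetUserOrGroupType": "Guest", "TargetUserOrGroupName": "contractor@outside.example"},
    {"Workload": "OneDrive", "Operation": "SharingSet", "UserId": "nurse.ann@clinic.example",
     "ObjectId": "https://clinic-my.sharepoint.example/personal/nurse_ann/Documents/Patients/",
     "TargetUserOrGroupType": "Member", "TargetUserOrGroupName": "dr.lee@clinic.example"},
    {"Workload": "OneDrive", "Operation": "AnonymousLinkCreated", "UserId": "mkt@clinic.example",
     "ObjectId": "https://clinic-my.sharepoint.example/personal/mkt/Documents/Marketing/flyer.pdf",
     "TargetUserOrGroupType": "", "TargetUserOrGroupName": ""},
    {"Workload": "AzureActiveDirectory", "Operation": "Add member to group.", "UserId": "it.admin@clinic.example",
     "ObjectId": "it.admin@clinic.example",
     "ModifiedProperties": [{"Name": "Group.DisplayName", "NewValue": "ePHI-Records-Owners"}]},
    {"Workload": "AzureActiveDirectory", "Operation": "Reset user password.", "UserId": "it.admin@clinic.example",
     "ObjectId": "nurse.ann@clinic.example", "ModifiedProperties": []},
    {"Workload": "AzureActiveDirectory", "Operation": "Add member to group.", "UserId": "it.admin@clinic.example",
     "ObjectId": "nurse.ann@clinic.example",
     "ModifiedProperties": [{"Name": "Group.DisplayName", "NewValue": "Nursing-Staff"}]},
]


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    actor: str     # account that performed the operation
    detail: str


def _domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def is_ephi_object(object_id: str) -> bool:
    """True if the shared item lives in a folder designated as an ePHI store."""
    return any(marker in object_id for marker in EPHI_PATH_MARKERS)


def is_external_target(event: dict) -> bool:
    """Anonymous links, guest accounts and non-internal addresses all count as external."""
    if event["Operation"] == "AnonymousLinkCreated":
        return True
    if event.get("TargetUserOrGroupType") == "Guest":
        return True
    target = event.get("TargetUserOrGroupName", "")
    return "@" in target and _domain(target) not in INTERNAL_DOMAINS


def review_sharing(events: list) -> list:
    """Flag sharing of ePHI locations to anyone outside the organization."""
    findings = []
    for ev in events:
        if ev.get("Operation") not in SHARING_OPS or not is_ephi_object(ev.get("ObjectId", "")):
            continue
        if is_external_target(ev):
            severity = "high" if ev["Operation"] == "AnonymousLinkCreated" else "medium"
            target = ev.get("TargetUserOrGroupName") or "anyone with the link"
            findings.append(Finding(severity, ev["UserId"], f'{ev["Operation"]} on {ev["ObjectId"]} -> {target}'))
    return findings


def _group_name(event: dict) -> str:
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") == "Group.DisplayName":
            return prop.get("NewValue", "")
    return "unknown group"


def review_account_changes(events: list) -> list:
    """Flag admins adding themselves to groups, and every password reset, for human review."""
    findings = []
    for ev in events:
        op = ev.get("Operation")
        if op not in ACCOUNT_OPS:
            continue
        actor, target = ev["UserId"].lower(), ev.get("ObjectId", "").lower()
        if op == "Add member to group." and actor == target:
            findings.append(Finding("high", actor, f"added own account to group {_group_name(ev)}"))
        elif op == "Reset user password.":
            findings.append(Finding("medium", actor, f"reset password for {target}"))
    return findings


if __name__ == "__main__":
    for finding in review_sharing(SAMPLE_EVENTS) + review_account_changes(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.actor}: {finding.detail}")
```

Run against the constructed records, the script reports two sharing findings (the anonymous link to a patient intake file and the guest share of a Patients folder; the internal share and the Marketing file are ignored) and two account findings (an administrator adding their own account to the ePHI owners group, and a password reset to be confirmed against a help-desk ticket). To use it on a real tenant, feed it the JSON records exported from the unified audit log and adjust the folder markers and internal domains to match how ePHI is actually laid out.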

It’s also critical that you have procedures in place for staff changes. When someone leaves your organization, you should remove any access they have to PHI. You’ll also need to update Microsoft with your HIPAA administrative contact at

By evaluating the software solution, preparing the BAA, restricting access, and establishing proper security procedures, you’ll ensure your organization is ready to use OneDrive in a compliant manner.

This article is originally published on Oct 08, 2019, and updated on Sep 26, 2023.
