At a Glance: OneDrive & HIPAA Compliance
Is it compliant? Not by default. OneDrive requires an Enterprise-level subscription, a signed Business Associate Agreement (BAA), and specific security configurations to meet U.S. federal standards.
- Legal: Execute the Microsoft BAA (Enterprise/Business accounts only).
- Technical: Enable MFA and disable public “Anyone with the link” sharing.
- Administrative: Implement strict file-naming conventions and audit logging.
Don’t risk a breach. Schedule a Clarity Call to ensure your team is fully protected.
Protected Health Information (PHI) must be stored and transmitted securely. As technology evolves, most organizations have transitioned to cloud file-sharing services to outsource physical security and leverage cost-effective, scalable storage. For many, Microsoft OneDrive is the solution of choice. But is OneDrive HIPAA compliant out of the box? The short answer is no. While Microsoft provides the secure infrastructure, compliance is a shared responsibility. Microsoft secures the “house,” but you are responsible for locking the doors and windows. Whether you are managing employee benefit enrollment, coordinating patient care, or providing services for Covered Entities, here is your roadmap to ensuring OneDrive meets HIPAA standards.
Step 1: The Foundation – Get the Right BAA
- Medical and Dental Practices: Whether a solo practitioner or a large multi-specialty clinic, any cloud storage containing patient charts, x-rays, billing information, or any other type of PHI requires a BAA. Ensure your Microsoft subscription is specifically configured for healthcare prior to migration.
- Health Plan Sponsors and Employers: If you manage a self-insured or level-funded plan or handle FSA/HRA data, you are a Covered Entity. You must ensure your Microsoft subscription includes a BAA.
- Agents and Brokers: Providing services to health plans or providers involving PHI makes you a Business Associate. You need a BAA with Microsoft and with your clients. Learn more about Navigating Business Associate Agreements as an Insurance Agent.
Which Microsoft Plans are Eligible?
- Microsoft 365 Business (Basic, Standard, Premium)
- Microsoft 365 Enterprise (E3, E5, F3)
- Office 365 Enterprise (E1, E3, E5)
- Microsoft 365 Government (G3, G5)
How to Get the Microsoft BAA (Step-by-Step)
- Sign in to your Microsoft 365 Admin Center with Global Admin credentials.
- Navigate to Billing > Subscriptions.
- View your active subscription details. Microsoft’s BAA is typically included by default in the Online Services Data Protection Addendum (DPA).
- For formal documentation, visit the Microsoft Service Trust Portal. Here, you can download the specific “HIPAA/HITECH Business Associate Agreement.”
Step 2: Implement Technical Safeguards
Once the legal paperwork is signed, you must configure OneDrive to meet the HIPAA Security Rule requirements.
- Role-Based Access: Limit access so that employees only see information needed to perform their duties.
- Unique User IDs: Shared “Office” logins are a red flag. Every user must have a unique ID for a clear audit trail.
- Multi-Factor Authentication (MFA): This is your strongest defense. Require a second factor, not just a password, for every login.
- Disable Public Links: Block the ability to create “Anyone with the Link” URLs.
- Expiration Dates: Set shared links to expire automatically (e.g., 7 or 30 days).
- Specific People Only: Ensure files are only accessible to invited email addresses.
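The sharing controls above can be verified from the tenant itself rather than by clicking through the admin portal. The following is an added audit script, not from this article or from Microsoft; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the account used is a SharePoint Administrator, and that `TENANT` in the admin URL is replaced with your tenant name.

```powershell
# Added example: audit the tenant sharing settings that Step 2 calls for.
# Assumes the SharePoint Online Management Shell module; the admin URL is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"   # replace TENANT

$tenant = Get-SPOTenant

# Each check: the tenant property, the values acceptable under this guidance, and why.
$checks = @(
    @{ Name = 'SharingCapability'
       Ok   = @('Disabled', 'ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly')
       Why  = '"Anyone with the link" (anonymous) sharing must be off' },
    @{ Name = 'DefaultSharingLinkType'
       Ok   = @('Direct')
       Why  = 'new links should default to "Specific people", not org-wide or anonymous' },
    @{ Name = 'DefaultLinkPermission'
       Ok   = @('View')
       Why  = 'least privilege: default shared links should be read-only' }
)

$findings = @(foreach ($c in $checks) {
    $actual = [string]$tenant.($c.Name)
    [pscustomobject]@{
        Setting  = $c.Name
        Actual   = $actual
        Expected = ($c.Ok -join ' | ')
        Pass     = ($c.Ok -contains $actual)
        Reason   = $c.Why
    }
})

# Link expiry only matters while anonymous links are still permitted; -1 means "never expire".
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    $days = [int]$tenant.RequireAnonymousLinksExpireInDays
    $findings += [pscustomobject]@{
        Setting  = 'RequireAnonymousLinksExpireInDays'
        Actual   = $days
        Expected = '1-30'
        Pass     = ($days -ge 1 -and $days -le 30)
        Reason   = 'any anonymous links that do exist must expire (7 or 30 days)'
    }
}

$findings | Format-Table Setting, Actual, Expected, Pass -AutoSize

# Remediation, commented out so the script is read-only by default:
# Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
#               -DefaultSharingLinkType Direct -DefaultLinkPermission View `
#               -RequireAnonymousLinksExpireInDays 30
```

Run it after every tenant configuration change and keep the output with your audit records; a `Pass` of `False` on any row is a deviation from the controls listed in Step 2.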
Step 3: Administrative Safeguards and the “Human Element”
- File Naming Conventions: Train staff to never put PHI (names, SSNs) in file titles.
- Audit Log Reviews: Administrators should review logs via the Microsoft Purview compliance portal.
- Device Management: Mobile access requires encryption and remote wipe capability. See our BYOD guide.