These days, cloud services such as OneNote, SharePoint, Dropbox and MS 365 are quite popular, and Microsoft’s OneDrive is one of them. So here we look at the question: is OneDrive HIPAA compliant, and can it be used without violating the business rules?
Let’s work through it with the facts below. We have researched a lot, read the official HIPAA docs, and can finally reveal the truth about it. So if you would like to know, keep reading.
OneDrive HIPAA Compliant: An Overview
There are many covered companies that are interested in utilising cloud storage services, but is it possible to use Microsoft OneDrive? Is HIPAA compliance met by OneDrive for Business?
Microsoft Office 365 Business Essentials, which includes Exchange Online as an email client, is already being used by a large number of healthcare businesses. OneDrive Online is a user-friendly platform that enables users to store and share files, and it is included in the Office 365 Business Essentials package.
Is OneDrive HIPAA compliant?
HIPAA-covered organisations using OneDrive shouldn’t run into any problems; that is perfectly acceptable. Microsoft is committed to maintaining HIPAA compliance, and the company’s many cloud services, such as OneDrive, can be utilised without infringing on HIPAA regulations.
Having said that, before a HIPAA-covered entity can use OneDrive or any other cloud service to create, store, or send files that contain the electronic protected health information of patients, it must first obtain and sign a business associate agreement (BAA) that is compliant with HIPAA.
Microsoft was one of the first cloud service providers to agree to sign a Business Associate Agreement (BAA) with HIPAA-covered companies, and it now offers a BAA as part of its Online Services Terms. OneDrive for Business, in addition to Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services, are all included in the BAA.
See the reference links below for more details:
Reference link for OneDrive: https://www.microsoft.com/en-us/microsoft-365/blog/wp-content/uploads/sites/2/2019/04/HIPAA-Compliance-Microsoft-Office-365-and-Microsoft-Teams.pdf
Reference link for BAA for OneDrive: https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=52&Language=1
OneDrive HIPAA compliant with Business
Microsoft has agreed, as part of the stipulations of its business associate agreement, to place restrictions on the use and disclosure of electronic protected health information (ePHI), put in place safeguards to prevent inappropriate use, report to consumers, and provide access to PHI, upon request, in accordance with the HIPAA Privacy Rule.
Microsoft will also ensure that any subcontractors it hires adhere to the same limits and criteria regarding PHI, if not more restrictive ones.
If the Business Associate Agreement (BAA) is signed before any protected health information (PHI) is created, stored, or shared using OneDrive, then the service can be utilised without breaking the HIPAA Rules.
OneDrive, according to Microsoft’s explanation, contains all of the appropriate security controls. Furthermore, even though HIPAA compliance certification has not been obtained, all of the services and software that are covered by the BAA have been independently audited for the Microsoft ISO/IEC 27001 certification.
In order to fulfil the requirements of the HIPAA Security Rule, appropriate security controls have been incorporated. These controls include the encryption of data both while it is stored and while it is in transit in accordance with HIPAA standards. Encryption at Microsoft is done with 256-bit AES, and SSL/TLS connections are established using keys that are 2048 bits long.
Using services that are labelled as “HIPAA-compliant” is not the only requirement for HIPAA compliance.
On its own, OneDrive is not HIPAA compliant, despite the fact that Microsoft is willing to sign a Business Associate Agreement (BAA). Compliance is more than simply utilising a certain piece of software or online service. Compliance with HIPAA is not guaranteed by Microsoft; rather, it is dependent on the activities of individual users. According to Microsoft, “Your company is responsible for ensuring that you have a proper compliance policy and internal processes in place, and that your particular usage of Microsoft services fits with HIPAA and the HITECH Act.” This information can be found on the Microsoft website.
A HIPAA-covered entity is required to perform a risk assessment and evaluate the provisions and policies of the vendor before using any cloud service. In addition to this, you will need to design a programme for risk management that will make use of policies, processes, and technologies to ensure that risks are reduced.
Access policies need to be defined, and security settings should be adjusted appropriately. Access to protected health information (PHI) should only be shared with those who are authorised to view the information, and strong passwords should be used. External file sharing should also be blocked, and access should be restricted to trusted whitelisted networks.
When personal health information is exchanged, only the barest minimum of security precautions are observed. When employees no longer require access to OneDrive, such as when they leave the organisation, access should be terminated immediately. Logging should be enabled so that organisations have visibility into what users are doing with respect to PHI, including when employees leave the organisation.
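The settings named above (external sharing blocked, access limited to trusted networks, logging enabled) can be checked with a short script. This is an added example, not code from this article or from Microsoft: the function name `Test-OneDrivePhiControls` and the sample values are constructed for illustration, and the property names assume the objects returned by `Get-SPOTenant` (SharePoint Online Management Shell) and `Get-AdminAuditLogConfig` (Exchange Online PowerShell).

```powershell
# Added example: compare tenant settings with the controls listed in the text.
# Against a real tenant, pass the output of Get-SPOTenant and Get-AdminAuditLogConfig.
function Test-OneDrivePhiControls {
    param(
        [Parameter(Mandatory)] $Tenant,   # object shaped like Get-SPOTenant output
        [Parameter(Mandatory)] $Audit     # object shaped like Get-AdminAuditLogConfig output
    )
    $findings = @()

    # "External file sharing should also be blocked"
    # Remediation: Set-SPOTenant -SharingCapability Disabled
    if ("$($Tenant.SharingCapability)" -ne 'Disabled') {
        $findings += "External sharing is '$($Tenant.SharingCapability)'; expected 'Disabled'."
    }

    # "access should be restricted to trusted whitelisted networks"
    # Remediation: Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList '<trusted ranges>'
    if (-not $Tenant.IPAddressEnforcement) {
        $findings += 'IP address enforcement is off; access is not limited to trusted networks.'
    }
    elseif ([string]::IsNullOrWhiteSpace($Tenant.IPAddressAllowList)) {
        $findings += 'IP address enforcement is on but the allow list is empty.'
    }

    # "Logging should be enabled"
    # Remediation: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    if (-not $Audit.UnifiedAuditLogIngestionEnabled) {
        $findings += 'Unified audit logging is disabled; user activity on PHI is not recorded.'
    }

    return ,$findings
}

# Constructed sample values so the script runs without a tenant connection.
$sampleTenant = [pscustomobject]@{
    SharingCapability    = 'ExternalUserAndGuestSharing'
    IPAddressEnforcement = $false
    IPAddressAllowList   = ''
}
$sampleAudit = [pscustomobject]@{ UnifiedAuditLogIngestionEnabled = $true }

$findings = Test-OneDrivePhiControls -Tenant $sampleTenant -Audit $sampleAudit
if ($findings.Count -eq 0) { 'All checked controls are in place.' } else { $findings }
```

With the constructed sample it reports two findings: external sharing is open and IP address enforcement is off.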
So, does HIPAA regulation apply to OneDrive? Both yes and no. OneDrive can be utilised without breaking any of the HIPAA Rules, and Microsoft does its best to ensure HIPAA compliance. However, HIPAA compliance is ultimately the responsibility of the covered entity, including how the service is configured and how it is utilised.