HIPAA Business Associates Agreements
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare entities to have signed business associate agreements (BAAs) with all of their vendors before sharing protected health information (PHI). Vendors that are not willing to sign a BAA cannot be used. Microsoft offers a BAA that customers accept through its Online Services Terms. Microsoft’s BAA covers OneDrive for Business, Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.
Do you have signed business associate agreements? If not you’re at risk! Learn more about Microsoft business associate agreements here.
OneDrive HIPAA Compliant Offerings
Yes, when used properly, OneDrive is HIPAA compliant. Before using OneDrive, HIPAA-beholden entities must conduct a security risk assessment (SRA) to evaluate the software and identify any gaps in security. Based on the SRA, organizations must create policies and procedures on the proper use of OneDrive, and train employees on how to use the software in a HIPAA compliant manner.
Although Microsoft supports HIPAA compliance, with any software HIPAA compliance ultimately depends on the end user, so it is important to implement access controls when using OneDrive. HIPAA requires organizations to adhere to the “minimum necessary” standard when accessing patient information: only the PHI necessary to perform a job function should be accessed. As such, employees should be given unique login credentials so that different levels of access can be assigned based on their job roles.
To ensure that employees are accessing PHI responsibly, access logs should be kept. Access logs track access to sensitive data, noting who accessed what and for how long. Continuously monitoring access allows a normal access pattern to be established for each user, which enables administrators to quickly identify insider breaches. Lastly, when employees leave the organization or change job roles within it, access levels must be adjusted to prevent unauthorized access to PHI.
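As an added illustration of the two controls described above (not code from the page or from Microsoft), the following Python script runs a role-based “minimum necessary” check and a simple per-user baseline comparison over a few constructed access-log records. The roles, PHI categories, user names, separation dates and log lines are all assumptions; a real deployment would read the audit log exported from the tenant instead of the embedded sample.

```python
"""Audit pass over constructed OneDrive-style access records (added example).

It flags three things an administrator would want to see:
  * access to a PHI category the user's role does not need (minimum necessary),
  * access after an employee's recorded separation date (stale access),
  * a day on which a user's access volume far exceeds their own baseline.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Hypothetical mapping of job role -> PHI categories that role needs.
ROLE_PERMISSIONS = {
    "billing": {"billing"},
    "nurse": {"clinical", "billing"},
    "physician": {"clinical", "lab"},
}

# Hypothetical separation dates; any access on or after this date is a finding.
SEPARATION_DATES = {"dave": datetime(2024, 3, 1)}

# Constructed log lines: timestamp, user, role, PHI category, seconds open.
SAMPLE_LOG = """\
2024-02-26T09:00:00 alice billing billing 120
2024-02-26T09:05:00 alice billing clinical 30
2024-02-26T10:00:00 bob nurse clinical 300
2024-02-27T09:00:00 bob nurse clinical 240
2024-02-28T09:00:00 bob nurse clinical 260
2024-02-29T09:00:00 bob nurse clinical 250
2024-03-01T08:00:00 bob nurse clinical 200
2024-03-01T08:10:00 bob nurse clinical 45
2024-03-01T08:20:00 bob nurse clinical 50
2024-03-01T08:30:00 bob nurse clinical 40
2024-03-01T08:40:00 bob nurse clinical 55
2024-03-01T08:50:00 bob nurse clinical 60
2024-03-02T11:00:00 dave physician clinical 90
"""


def parse_log(text):
    """Turn whitespace-separated log lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, category, seconds = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "category": category,
            "seconds": int(seconds),
        })
    return records


def permitted(role, category):
    """Minimum necessary: the role must be known and list the category."""
    return category in ROLE_PERMISSIONS.get(role, set())


def time_per_user(records):
    """Total seconds each user had PHI open, by category ("what, for how long")."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["user"], r["category"])] += r["seconds"]
    return dict(totals)


def audit(records, spike_factor=3, min_baseline_days=3):
    """Return (kind, user, detail) findings for the three checks above."""
    findings = []
    per_day = defaultdict(lambda: defaultdict(int))
    for r in records:
        when = r["time"].isoformat()
        if not permitted(r["role"], r["category"]):
            findings.append(("outside-role", r["user"],
                             f"{r['role']} opened {r['category']} at {when}"))
        sep = SEPARATION_DATES.get(r["user"])
        if sep is not None and r["time"] >= sep:
            findings.append(("after-separation", r["user"],
                             f"access at {when}, separated {sep.date()}"))
        per_day[r["user"]][r["time"].date()] += 1
    # Baseline: compare each day's count with the mean of the user's other days.
    for user, days in per_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            if len(others) < min_baseline_days:
                continue  # not enough history to call anything a spike
            baseline = mean(others)
            if count > spike_factor * baseline:
                findings.append(("volume-spike", user,
                                 f"{count} accesses on {day}, baseline {baseline:.1f}/day"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{kind:17} {user:6} {detail}")
```

The spike threshold and the minimum number of baseline days are deliberately parameters: a small clinic with a handful of users will want different values from a hospital, and the SRA is the place to decide them.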
Is OneDrive HIPAA Compliant?
Provided users have a signed BAA, implement access controls, and keep access logs, OneDrive is HIPAA compliant.