No, Microsoft 365’s OneDrive Is Not HIPAA-Compliant

So you’re a savvy business manager for a medical practice in Vancouver, WA.

Let’s talk about something not-so-fun but super-important: HIPAA compliance with OneDrive. Yes, you want your files available to you, but you also want your Electronic Protected Health Information (ePHI) to be safe and secure, right? In accordance with the Security Rule?

Here’s the lowdown.

1. OneDrive Can Be HIPAA-Compliant. It Starts with Licensing.

Using OneDrive out of the box is not HIPAA-compliant, and it is certainly not compliant with a personal Microsoft account. The road to compliance begins with the right licensing. If you want HIPAA compliance with OneDrive, you must be on a Microsoft 365 Business Premium, E1, E3, or E5 plan.

That’s the starting point: are you on an enterprise-level M365 plan? If not, storing regulated information such as PHI in OneDrive is against Microsoft’s terms and conditions, and you shouldn’t be using it for that purpose. Without an enterprise-level plan and proper configuration you’re not covered, and storing PHI in OneDrive would violate both Microsoft’s terms and the HIPAA Security Rule.

2. You’ll Need a Business Associate Agreement (BAA).

The Security Rule requires a Business Associate Agreement (BAA) with any third party handling PHI, including Microsoft. Good news: Microsoft automatically provides a BAA for those enterprise-level plans. Here’s how to check on the BAA status:

How to Check the BAA Status of Your Organization

  1. Sign in to the Microsoft 365 admin center with your Global Administrator credentials.

  2. Go to Billing > Subscriptions.

  3. Find your M365 subscription and click on it.

  4. Look for the section titled Optional Privacy and Security Contractual Supplements.

  5. Within that section, locate the Office 365 and CRM Online HIPAA/HITECH Business Associate Agreement.

  6. If the BAA is available, the system will allow you to accept it, or it will indicate that it is already included with your subscription.

What Does the BAA Cover?

Microsoft’s BAA is the legal contract that allows covered entities (such as your healthcare clinic or practice) to use Microsoft cloud services with ePHI. Here’s what the Microsoft BAA covers:

Scope of Services. The BAA applies to certain Microsoft 365/Office 365, Azure, Dynamics 365, and OneDrive for Business/SharePoint Online services that are classified as “in-scope” for HIPAA. Only the services listed in Microsoft’s HIPAA/HITECH offering are covered; using non-covered Microsoft products with PHI could put you out of compliance. Examples of in-scope services:

  1. Microsoft 365/Office 365: Services like Outlook, Teams, SharePoint, and OneDrive when used within a qualifying environment.

  2. Microsoft Azure: Various Azure services, such as App Service, Azure Active Directory, and Azure Resource Manager.

  3. Microsoft Dynamics 365: Core Dynamics 365 services.

  4. Microsoft Power Platform: Services like Power BI, Power Apps, and Power Automate.

  5. Microsoft Intune: Intune online services.

Security Safeguards. Microsoft agrees to implement administrative, physical, and technical safeguards to protect PHI, aligned with the Security Rule:

  1. Data encryption (at rest and in transit)

  2. Access controls

  3. Data segregation

  4. Audit logging

Use and Disclosure of PHI. Upon executing the BAA, Microsoft commits to:

  1. Using PHI only to provide the contracted services (not for advertising or unrelated purposes).

  2. Not disclosing PHI unless required by law or explicitly permitted by the BAA.

Breach Notification. Microsoft must:

  1. Notify you without unreasonable delay if they discover a security breach or unauthorized disclosure of PHI.

  2. Provide details to meet your HIPAA Breach Notification Rule obligations.

Subcontractors. If Microsoft uses subcontractors (for hosting, support, etc.), Microsoft must ensure those subcontractors also comply with HIPAA safeguards and obligations.

Customer Responsibilities. This part is crucial. The BAA doesn’t make you “automatically compliant.” You’re still responsible for:

  1. Configuring security settings (e.g., MFA, audit logs, DLP).

  2. Training your staff on HIPAA policies.

  3. Running HIPAA risk assessments.

  4. Ensuring you only store PHI in covered services.

3. Volume Encryption.

But we’re not done yet. The volume OneDrive writes to on your PC or Mac must be encrypted, typically using either Microsoft’s BitLocker or Apple’s FileVault. You should have asset control records demonstrating the encrypted state of these machines.

4. Access Control.

Machines that use and access ePHI must have strong access controls (passwords, biometrics, etc.) enabled in the operating system. The Microsoft accounts used to access OneDrive should be protected using 2FA/MFA.

5. Monitoring.

One of the core tenets of the Security Rule is endpoint monitoring. You must be aware of the state of devices (PCs, Macs, phones, tablets) accessing ePHI at all times, including their operating system patching, encryption status, antivirus status, overall mechanical health, and fitness for purpose.
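As an added example (not from the post), this PowerShell script produces the kind of asset-control record the encryption and monitoring sections call for on a Windows endpoint: it checks BitLocker on the volume the OneDrive for Business client syncs to, Defender state and signature age, and the most recent installed update. It uses the built-in BitLocker and Defender modules; the report path is an assumed location.

```powershell
# Added example: build an asset-control record for one Windows endpoint.
# Run elevated on the device. $ReportPath is an assumed location.
$ReportPath = "C:\AssetRecords\$env:COMPUTERNAME.csv"

# Locate the volume the OneDrive for Business client syncs to (fall back to the system drive).
$oneDrivePath = if ($env:OneDriveCommercial) { $env:OneDriveCommercial } else { $env:OneDrive }
$mountPoint   = if ($oneDrivePath) { Split-Path -Qualifier $oneDrivePath } else { $env:SystemDrive }

# BitLocker state of that volume. Both properties matter: a fully encrypted volume
# whose protection is suspended (ProtectionStatus = Off) is not protected.
$bl = Get-BitLockerVolume -MountPoint $mountPoint
$encrypted = ($bl.VolumeStatus -eq 'FullyEncrypted') -and ($bl.ProtectionStatus -eq 'On')

# Defender status and signature age (antivirus state).
$mp = Get-MpComputerStatus
$sigAgeDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days

# Most recently installed update (patch state).
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

$record = [pscustomobject]@{
    Collected          = (Get-Date).ToString('s')
    Device             = $env:COMPUTERNAME
    OneDriveVolume     = $mountPoint
    VolumeStatus       = $bl.VolumeStatus
    ProtectionStatus   = $bl.ProtectionStatus
    EncryptionMethod   = $bl.EncryptionMethod
    VolumeEncrypted    = $encrypted
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = $sigAgeDays
    LastPatchInstalled = $lastPatch.InstalledOn
    OSVersion          = [Environment]::OSVersion.Version.ToString()
}

# Flag conditions that should keep the device away from ePHI until fixed.
$findings = @()
if (-not $encrypted)                    { $findings += "OneDrive volume $mountPoint is not BitLocker-protected" }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
if ($sigAgeDays -gt 7)                  { $findings += "AV signatures are $sigAgeDays days old" }
$record | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join '; ')

# Append to the per-device CSV so the encrypted state is recorded over time.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$record | Export-Csv -Path $ReportPath -NoTypeInformation -Append
$record
```

Running it on a schedule (or from your RMM tool) gives you a dated trail of each machine's encryption and monitoring state rather than a one-time screenshot.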

6. Do a HIPAA Risk Assessment.

HIPAA compliance isn’t just about ticking checkboxes; it’s about understanding and responding to risks. A proper risk assessment helps you match Microsoft’s plans and add-ons to your needs. Without it, you might end up under-protected or paying for licensing and Technical Controls you don’t need. Understanding where you are in your compliance journey is essential to know how much further you need to go.

7. Configure Security Settings Thoughtfully.

Here’s where things get hands-on. Depending on your Microsoft plan, you may need to enable or add Technical Controls like:

  • Identity rules and permissions.

  • Audit logging to monitor who’s doing what and when.

  • MDM (Mobile Device Management) and EPM (Endpoint Management).

  • Policies for data loss prevention (DLP), session timeouts, and sharing restrictions.
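As an added example (not from the post), this PowerShell session applies tenant-level versions of the controls listed above: OneDrive sharing restrictions, limited access from unmanaged devices, a browser idle sign-out, unified audit logging, and a DLP rule for OneDrive. It assumes the SharePoint Online, Exchange Online and Security & Compliance modules are installed; "contoso" is a placeholder tenant name, and the timeouts and thresholds are examples to be set from your own risk assessment.

```powershell
# Added example: tenant-level OneDrive hardening. "contoso" is a placeholder tenant.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Sharing restrictions: no anonymous links, only guests who already exist in the
# directory, "specific people" links by default, and guest access that expires.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -OneDriveSharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30

# Devices that are not Intune-compliant get browser-only access with no download
# (also requires the matching Conditional Access policy in Entra ID).
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Session timeout: warn idle browser sessions at 25 minutes, sign out at 30.
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 25) `
    -SignOutAfter (New-TimeSpan -Minutes 30)

# Audit logging: make sure unified audit log ingestion is turned on.
Connect-ExchangeOnline
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# DLP: block sharing of OneDrive files containing a U.S. SSN with anyone outside
# the organization, and tell the file owner why.
Connect-IPPSSession
New-DlpCompliancePolicy -Name 'ePHI in OneDrive' -OneDriveLocation All -Mode Enable
New-DlpComplianceRule -Name 'Block external share of SSN' -Policy 'ePHI in OneDrive' `
    -ContentContainsSensitiveInformation @(@{Name = 'U.S. Social Security Number (SSN)'; minCount = '1'}) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner
```

Re-run `Get-SPOTenant` and `Get-DlpComplianceRule` afterwards and keep the output with your policies; it is the evidence that the written control matches the configured one.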

8. Training.

You can have a bulletproof tech setup with strong Technical Controls, but if your people don’t know how to use it correctly, you’re still at risk. Training should cover how to save files correctly, how to avoid disclosing PHI in file names or links, and what not to do. Annual training for your staff is a requirement of the Security Rule anyway.

9. Written Policies & Procedures.

HIPAA requires Administrative Controls (written policies and procedures) that govern how these safeguards work to protect ePHI. If no written material exists, how could you verify management intention against actual practice? Policies and procedures are the administrative framework necessary to communicate management’s expectations and reconcile those expectations against actual practice.

10. Audits and Corrective Action.

It’s essential to introduce audits to identify and address compliance gaps. Those resolutions should be captured as corrective actions, and these activities demonstrate “Due Care” — a legal requirement to demonstrate competency and avoid accusations of negligence.

Have more questions? I’ve got answers.

R

Russell Mickler

Russell Mickler is a computer consultant in Vancouver, WA, who helps small businesses use technology better.

https://www.micklerandassociates.com/about