How To Make Onedrive Hipaa Compliant

OneDrive, a cloud storage solution offered by Microsoft, enables users to save and distribute various files such as documents, photographs, and videos. Nonetheless, if your work is in the healthcare sector and you must adhere to HIPAA standards, you might be curious about the steps required to ensure OneDrive complies with HIPAA regulations.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. It is a federal law that was enacted in 1996 to protect the privacy of individuals’ health information. HIPAA regulations apply to any organization that deals with protected health information (PHI), including healthcare providers, health plans, and healthcare clearinghouses.

Why is OneDrive not HIPAA Compliant by Default?

OneDrive is a consumer-grade cloud storage service that is not designed to meet the strict security requirements of HIPAA. While Microsoft has implemented some security measures, such as encryption and two-factor authentication, these are not enough to make OneDrive HIPAA compliant by default.

How to Make OneDrive HIPAA Compliant

To make OneDrive HIPAA compliant, you need to take some additional steps. Here are the steps you can follow:

  1. Sign up for a Business or Enterprise account: OneDrive for Business and OneDrive for Enterprise are designed to meet the security requirements of HIPAA. These accounts offer advanced security features, such as audit logs and data loss prevention policies.
  2. Implement access controls: You need to implement access controls to ensure that only authorized users can access PHI stored in OneDrive. This includes setting up user roles and permissions, as well as implementing two-factor authentication.
  3. Encrypt data at rest and in transit: You need to encrypt all PHI stored in OneDrive, both at rest and in transit. This will help protect your data from unauthorized access or theft.
  4. Implement audit logs: You need to implement audit logs to track all access to PHI stored in OneDrive. This will help you identify any unauthorized access and take appropriate action.
  5. Train your staff: Finally, you need to train your staff on HIPAA regulations and how to use OneDrive securely. This includes educating them on the importance of protecting PHI and how to avoid common security risks.


In conclusion, making OneDrive HIPAA compliant requires some additional steps beyond what is provided by the consumer-grade version. By signing up for a Business or Enterprise account, implementing access controls, encrypting data, implementing audit logs, and training your staff, you can ensure that your organization meets the strict security requirements of HIPAA.