OneDrive for Business can be HIPAA compliant, but the personal (free or consumer) version of OneDrive cannot. Microsoft signs a Business Associate Agreement covering OneDrive for Business as part of its Microsoft 365 suite, which is a legal requirement before any cloud service can handle protected health information. However, signing that agreement is only the starting point. HIPAA compliance with OneDrive depends heavily on how your organization configures and manages the platform.
Personal OneDrive vs. OneDrive for Business
This distinction is the single most important thing to understand. Microsoft offers OneDrive in two forms: a consumer product tied to personal Microsoft accounts, and an enterprise product (OneDrive for Business) included with Microsoft 365 subscriptions. Microsoft’s Business Associate Agreement only covers OneDrive for Business. If you or your staff are storing patient records, insurance documents, or any other protected health information on a personal OneDrive account, no BAA applies and you have no HIPAA coverage.
This is a common and easy mistake to make, especially in smaller practices where employees may sign into a personal Microsoft account out of habit. Organizations handling health data should ensure that personal OneDrive accounts are blocked or clearly separated from work environments.
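One way to enforce the separation described above on managed Windows endpoints is the OneDrive policy "Prevent users from synchronizing personal OneDrive accounts", which the OneDrive ADMX template implements as a registry value. The script below is an added example, not code from the article or from Microsoft; it assumes you run it as an administrator on a single device (in practice the same value is pushed through Group Policy or Intune), and the policy path and value name are the ones the OneDrive ADMX uses.

```powershell
# Added example: block the OneDrive sync client from signing in to personal
# Microsoft accounts on this device, then verify the policy is in place.
# Assumption: run elevated; HKLM policy path from the OneDrive ADMX template.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Set-PersonalOneDriveBlocked {
    # Create the policy key if Group Policy has never written it on this machine.
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    # DisablePersonalSync = 1 is the value behind
    # "Prevent users from synchronizing personal OneDrive accounts".
    New-ItemProperty -Path $policyPath -Name 'DisablePersonalSync' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-PersonalOneDriveBlocked {
    # Returns $true only when the policy value exists and is set to 1.
    $v = (Get-ItemProperty -Path $policyPath -Name 'DisablePersonalSync' `
          -ErrorAction SilentlyContinue).DisablePersonalSync
    return ($v -eq 1)
}

Set-PersonalOneDriveBlocked
Test-PersonalOneDriveBlocked
```

The check function is useful on its own as a compliance probe: run it across a fleet (for example as a scheduled script that reports back) to find devices where the policy has not landed, which is where staff can still sync patient files to a personal account.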
How the Business Associate Agreement Works
Under HIPAA, any third-party service that stores or processes protected health information on behalf of a healthcare organization must sign a Business Associate Agreement. Microsoft’s BAA is automatically incorporated when you execute a license agreement that includes the Online Services Terms. You don’t need to negotiate a custom contract. The BAA covers a range of Microsoft 365 services including Exchange Online, SharePoint Online, and OneDrive for Business.
Once the BAA is in place, Microsoft is required to notify your organization at a designated contact address ([email protected] is the channel for updates) if a breach involving your data occurs. Your organization is responsible for keeping that contact information current.
Encryption and Security Infrastructure
Microsoft’s technical protections for OneDrive for Business meet the encryption standards that HIPAA’s Security Rule expects. Data moving between your devices and OneDrive is protected by TLS connections using 2048-bit keys. Files stored on Microsoft’s servers are encrypted with AES 256-bit encryption, which meets the federal FIPS 140-2 standard. These protections apply automatically to all files in OneDrive for Business.
Microsoft’s services covered under the BAA also undergo independent audits for ISO/IEC 27001 certification and HITRUST Common Security Framework certification. Audit reports are available through Microsoft’s Service Trust Portal, which can be useful if your compliance team needs documentation for risk assessments.
What Microsoft Handles vs. What You Handle
Microsoft operates under a shared responsibility model, and understanding the split is critical. Microsoft secures the physical data centers, the underlying network, and the operating systems that run OneDrive. Your organization is responsible for nearly everything else that determines whether your setup is actually HIPAA compliant.
Specifically, you own responsibility for:
- Data classification and protection: deciding which files contain protected health information and ensuring they’re stored appropriately
- User accounts: creating, managing, and removing access for employees and contractors
- Access controls: setting up multi-factor authentication, role-based permissions, and conditional access policies
- Endpoint security: protecting the laptops, phones, and desktops that connect to OneDrive
- Configuration and settings: adjusting sharing, permissions, and security settings within the admin console
A signed BAA with strong encryption means nothing if an employee can share a folder of patient records with anyone who has a link. The configuration layer is where most HIPAA violations with cloud storage actually happen.
Sharing Settings That Need Attention
OneDrive for Business inherits its external sharing settings from SharePoint, and the defaults are permissive. Out of the box, the sharing level for both SharePoint and OneDrive is set to “Anyone,” meaning users can generate links that let anyone access files without signing in. For a HIPAA-covered organization, this is a serious risk.
Administrators should review and restrict sharing to one of the tighter options. The available levels, from most open to most restrictive, are:
- Anyone: unauthenticated link sharing (not appropriate for protected health information)
- New and existing guests: requires recipients to verify their identity through a work, school, or Microsoft account
- Existing guests: limits sharing to people already in your organization’s directory
- Only people in your organization: disables external sharing entirely
For environments handling health data, most compliance officers recommend either disabling external sharing entirely or restricting it to existing, verified guests. If some external sharing is necessary for business reasons, additional controls can help: you can limit sharing to specific domains (up to 5,000), restrict sharing permissions to view-only, set expiration dates on shared links, require guest access to expire after a set number of days, and limit external sharing to members of specific security groups. Each of these settings is configurable in the SharePoint admin center and applies to OneDrive for Business.
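The sharing levels and the additional controls just listed can all be set from the SharePoint Online Management Shell rather than clicked through the admin center, which makes the configuration repeatable and auditable. The script below is an added example, not the article's or Microsoft's own code; it assumes the `Microsoft.Online.SharePoint.PowerShell` module is installed, that you hold the SharePoint Administrator role, and that `contoso` and `partner-clinic.example.com` are placeholder tenant and partner domain names.

```powershell
# Added example: apply a HIPAA-oriented sharing baseline to the tenant and
# OneDrive, then verify the live settings against the expected values.
# Assumptions: SharePoint Online Management Shell installed; "contoso" and the
# partner domain are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Sharing level. "ExistingExternalUserSharingOnly" is the "Existing guests"
#    option; use "Disabled" for "Only people in your organization". OneDrive
#    inherits the tenant value but can be set separately and no less strictly.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly
Set-SPOTenant -OneDriveSharingCapability ExistingExternalUserSharingOnly

# 2. If external sharing stays on, limit it to named partner domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner-clinic.example.com"

# 3. Default links are internal-only and view-only; users must opt in to more.
Set-SPOTenant -DefaultSharingLinkType Internal -DefaultLinkPermission View

# 4. Guest access and any anonymous links (should they ever be re-enabled) expire.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30
Set-SPOTenant -RequireAnonymousLinksExpireInDays 7

function Test-SharingBaseline {
    # Compare each setting in the baseline with what Get-SPOTenant reports.
    $tenant = Get-SPOTenant
    $expected = [ordered]@{
        SharingCapability              = 'ExistingExternalUserSharingOnly'
        OneDriveSharingCapability      = 'ExistingExternalUserSharingOnly'
        SharingDomainRestrictionMode   = 'AllowList'
        DefaultSharingLinkType         = 'Internal'
        DefaultLinkPermission          = 'View'
        ExternalUserExpirationRequired = $true
    }
    foreach ($name in $expected.Keys) {
        $actual = $tenant.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $actual
            Compliant = ("$actual" -eq "$($expected[$name])")
        }
    }
}

Test-SharingBaseline | Format-Table -AutoSize
```

Restricting external sharing to members of a specific security group is done in the SharePoint admin center as the article notes; everything else above maps one-to-one onto the controls it lists. Re-running `Test-SharingBaseline` after any admin center change is a cheap way to catch drift back to the permissive defaults.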
Audit Logs and Monitoring
HIPAA requires covered entities to track who accesses protected health information and what they do with it. Microsoft 365 includes audit logging through Microsoft Purview, which records user activity across OneDrive, SharePoint, Exchange, and other services. Logged events include file access, sharing changes, searches, and email actions like forwarding.
For premium audit users, log records for OneDrive, SharePoint, Exchange, and directory activities are retained for one year by default, with 180 days for other activity types. An add-on license extends retention to up to 10 years, which can be useful for organizations that need long-term compliance records. Standard audit logging should be enabled and monitored as part of any HIPAA compliance program using OneDrive.
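Enabling audit logging is only useful if someone actually reads the sharing events, so a scheduled query for new sharing activity is worth having. The script below is an added example, not from the article or from Microsoft; it assumes the `ExchangeOnlineManagement` module (which hosts the unified audit log cmdlets), a role with audit log read permission, and that the seven-day window and the operation names are illustrative choices rather than anything the article specifies.

```powershell
# Added example: confirm unified audit logging is on, then pull OneDrive and
# SharePoint sharing events for a compliance review.
# Assumptions: ExchangeOnlineManagement module installed; audit-reader role;
# date window and operation list are illustrative.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

function Test-AuditLoggingEnabled {
    # $true when the tenant is ingesting events into the unified audit log.
    return (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

if (-not (Test-AuditLoggingEnabled)) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

function Get-SharingEvents {
    param([int]$Days = 7)
    $end   = Get-Date
    $start = $end.AddDays(-$Days)
    # Sharing-related operations recorded for OneDrive and SharePoint items.
    $ops = 'AnonymousLinkCreated', 'SharingSet', 'SharingInvitationCreated',
           'SecureLinkCreated', 'AddedToSecureLink'
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                   -Operations $ops -ResultSize 5000
    foreach ($r in $records) {
        # AuditData is a JSON document; the fields below are part of the
        # SharePoint sharing audit schema.
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $r.CreationDate
            User      = $d.UserId
            Operation = $d.Operation
            Item      = $d.ObjectId
            Target    = $d.TargetUserOrGroupName
        }
    }
}

# Anonymous ("Anyone") links are the events a HIPAA reviewer most wants to see;
# in a correctly restricted tenant this list should be empty.
Get-SharingEvents -Days 7 |
    Where-Object Operation -eq 'AnonymousLinkCreated' |
    Format-Table -AutoSize
```

`Search-UnifiedAuditLog` returns at most 5,000 records per call, so for a busy tenant narrow the window or page with `-SessionId` and `-SessionCommand ReturnLargeSet`. Because the standard retention window is finite, export what the review needs rather than relying on re-querying later.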
Making OneDrive HIPAA Compliant in Practice
The short answer to whether OneDrive is HIPAA compliant: it can be, but only with the right version and the right configuration. OneDrive for Business has the technical foundation, the encryption, the audit capabilities, and the BAA. But Microsoft is explicit that HIPAA compliance is a shared obligation. The platform gives you the tools. Whether your deployment is actually compliant depends on whether your organization restricts sharing defaults, enforces multi-factor authentication, manages user access carefully, monitors audit logs, and trains staff to avoid using personal accounts for work involving health data.