Is OneDrive HIPAA Compliant? Yes — On Microsoft 365 + BAA (2026)
OneDrive for Business is covered under the Microsoft 365 BAA on paid commercial plans. Personal OneDrive accounts are not. Configuration determines whether the coverage actually protects you.

OneDrive can be HIPAA compliant — but only OneDrive for Business on a Microsoft 365 commercial plan with a signed Business Associate Agreement (BAA). Personal OneDrive accounts, OneDrive Basic, and consumer Microsoft 365 family/home subscriptions are not HIPAA-eligible. The default settings in even an eligible OneDrive deployment leave gaps that most practices do not close until prompted.
The shape of the problem mirrors the broader Microsoft 365 picture. The BAA is straightforward to obtain on commercial plans. The configuration that follows is where most compliance failures originate.
Here is what is covered, what is not, and how to set up OneDrive for HIPAA-compliant file storage and sharing.
Which OneDrive Plans Are HIPAA-Eligible?
Microsoft signs a single BAA covering Microsoft 365 commercial services, with OneDrive for Business included as one of the covered services. The plan and tenant type matter.
Microsoft 365 Business Basic, Standard, Premium. Eligible for HIPAA workloads under the standard Microsoft 365 BAA. Includes OneDrive for Business at 1 TB per user.
Microsoft 365 Apps for business. Eligible. Includes OneDrive for Business at 1 TB per user.
Microsoft 365 Enterprise (E3, E5, F-series, A-series). Eligible. Includes OneDrive for Business with higher storage limits and additional security features.
OneDrive for Business standalone (Plan 1, Plan 2). Eligible when contracted under a Microsoft 365 commercial agreement with a BAA.
OneDrive Personal, Microsoft 365 Family, Microsoft 365 Personal. Not HIPAA-eligible. Microsoft does not sign BAAs for consumer products. PHI in a personal OneDrive account is uncovered.
OneDrive Basic (free 5 GB). Not HIPAA-eligible.
The practical rule: if the account was created from microsoft.com/onedrive on a personal email address, it is not HIPAA-eligible. If it was created through a Microsoft 365 commercial tenant administered by IT, it is — provided the BAA is in place.
What OneDrive for Business Provides for HIPAA Compliance
OneDrive for Business under a signed Microsoft 365 BAA includes a substantial set of compliance-relevant capabilities, especially on the higher tiers.
Encryption at rest and in transit. Files are encrypted in transit using TLS and at rest using BitLocker plus per-file encryption.
Granular sharing controls. OneDrive supports per-file and per-folder sharing with internal-only, external authenticated, or anonymous link options. Anonymous sharing can be disabled at the tenant level.
Versioning. OneDrive automatically maintains version history, supporting recovery from accidental deletion or ransomware encryption events.
Audit logging. Microsoft 365 audit logs capture file access, sharing changes, downloads, and administrative actions. Logs are retained for 90 days by default and longer on E5 plans or with Audit (Premium).
Conditional access and identity governance. When integrated with Azure AD/Entra ID, OneDrive access can be conditioned on device compliance, location, MFA, and user risk signals.
Sensitivity labels. Microsoft Purview Information Protection allows files to be labeled as sensitive, with automatic encryption, access restrictions, and downstream control even after files leave OneDrive.
Data Loss Prevention (DLP). Higher Microsoft 365 plans support DLP policies that detect PHI patterns in OneDrive files and either block sharing, warn users, or generate alerts.
Retention policies. Microsoft Purview supports retention and deletion policies aligned with HIPAA's documentation requirements.
eDiscovery. Microsoft Purview eDiscovery supports legal hold and forensic review across OneDrive.
What OneDrive Does Not Do
OneDrive provides storage. It does not deliver compliance.
OneDrive does not classify your files for you by default. Without sensitivity labels or DLP policies configured, OneDrive has no awareness of which files contain PHI. The platform cannot enforce stricter controls on files it does not know are sensitive.
OneDrive does not block PHI from going to consumer accounts. Without DLP policies, a user can sync a folder to a personal computer logged into a personal Microsoft account. The PHI then sits on a non-eligible service.
OneDrive does not prevent over-sharing by default. Anonymous link sharing is enabled out of the box on many plans. Users can create public links to PHI-containing files. Tenant-level configuration is required to lock this down.
OneDrive does not perform your risk assessment. A Microsoft 365 BAA covers Microsoft's role. Your risk analysis, training, and policies are owned by your practice.
OneDrive does not extend the BAA to third-party apps. OneDrive integrates with Office add-ins, third-party storage tools, and many SaaS platforms. The BAA does not extend to those vendors.
OneDrive does not stop users from forwarding files. A patient record downloaded to a laptop and emailed elsewhere is no longer in OneDrive's control. Unless sensitivity labels with downstream protection are applied, the data flow is unbounded.
Common Mistakes Practices Make with OneDrive
Storing PHI in personal OneDrive accounts. A clinician with a Microsoft 365 Family subscription stores patient referrals "for convenience." The personal account is not BAA-covered.
Leaving anonymous link sharing enabled tenant-wide. Default settings allow users to create public links. A single patient record shared with a public link is a permanent exposure.
Syncing OneDrive to a personal computer logged into a different Microsoft account. The sync client supports multiple accounts. Files can end up in the wrong place. Without DLP and conditional access, this is undetectable.
Sharing files externally without confirming recipient identity. External sharing with an email address relies on the recipient controlling that mailbox. Without authentication enforcement, links can be forwarded.
Storing local backups of PHI on devices. Files-on-demand and offline access mean PHI ends up on local storage. Without device encryption and management, lost or stolen devices become breach incidents.
Using OneDrive to back up Outlook PSTs containing patient emails. Backing up email archives to OneDrive amplifies exposure if access controls and retention policies are not configured.
Connecting third-party Office add-ins without a BAA. Many add-ins request access to OneDrive content. Without each add-in vendor's BAA, the access is uncovered.
Treating OneDrive as a long-term clinical record store. OneDrive is not an EHR. Long-term clinical records belong in systems built for healthcare retention, audit, and record-keeping requirements.
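The anonymous-link and wrong-account mistakes above leave traces in the Microsoft 365 audit log described earlier, so they can be checked rather than assumed. The following script is an added example, not part of the article or a Microsoft-provided report; it assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role, and that audit logging is enabled for the tenant.

```powershell
# Added example (not from the article or Microsoft): list "Anyone" link events for
# OneDrive for Business sites from the unified audit log over the last 7 days.
# Assumes the ExchangeOnlineManagement module and an account with the Audit Logs role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddDays(-7)

# Operations written when an anonymous link is created or redeemed. Results are
# paged; a session id with ReturnLargeSet walks past the 5,000-record page limit.
$ops     = 'AnonymousLinkCreated', 'AnonymousLinkUsed'
$session = [guid]::NewGuid().ToString()
$events  = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
              -RecordType SharePointSharingOperation -SessionId $session `
              -SessionCommand ReturnLargeSet -ResultSize 5000
    $events += @($page)
} while (@($page).Count -eq 5000)

# AuditData is a JSON document. Keep only OneDrive for Business sites (hostnames end
# in "-my.sharepoint.com") and project the fields an investigator needs first.
$report = $events | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.SiteUrl -like 'https://*-my.sharepoint.com/*' } |
    Select-Object CreationTime, Operation, UserId, ClientIP, SiteUrl, ObjectId |
    Sort-Object CreationTime

$report | Format-Table -AutoSize

# Hits per account owner show where the habit lives; use it to scope training and DLP.
$report | Group-Object UserId | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Any rows at all mean the tenant still permits anonymous links and they are being used on OneDrive content; an empty result after the tenant-level restriction is applied is the expected steady state.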
How to Configure OneDrive for HIPAA Compliance
These are baseline configurations. Skip them and the BAA gives you contractual coverage without operational protection.
- Sign the Microsoft 365 BAA in the admin center. Microsoft offers the BAA through the Service Trust Portal or as part of the volume licensing agreement. Confirm it is in place.
- Disable anonymous link sharing at the tenant level. Restrict sharing to authenticated internal users by default. Allow external sharing only with named, authenticated recipients.
- Configure conditional access policies. Require MFA for OneDrive access. Require compliant or hybrid-joined devices. Block access from unmanaged devices for PHI-containing tenants.
- Enable sensitivity labels with auto-classification. Use Microsoft Purview Information Protection to detect PHI patterns and apply labels with encryption and access restrictions.
- Configure DLP policies for PHI. Detect SSNs, MRNs, ICD codes, and other healthcare patterns. Block external sharing of files matching DLP rules.
- Set retention policies on PHI libraries. Align retention with HIPAA's six-year minimum for documentation and any state-specific requirements.
- Restrict sync to managed devices. Use Intune or comparable MDM to control which devices can sync OneDrive content. Disable sync on personal devices.
- Enable audit log retention beyond the default. Configure 1-year or longer audit retention on E5 or with Audit (Premium) for adequate forensic visibility.
- Review and restrict third-party app permissions. Audit Azure AD app consents quarterly. Remove apps without BAAs that have access to OneDrive content.
- Train workforce on file handling. Sharing decisions are made by humans. Training on minimum-necessary, external sharing rules, and PHI identification is non-negotiable.
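Most of the tenant-level items in this list (sharing restrictions, recipient identity matching, unmanaged-device access, sync restricted to managed devices) are settings on the SharePoint Online tenant that OneDrive inherits, so they can be audited and applied in one place. The script below is an added example, not the article's or Microsoft's code; it assumes the SharePoint Online Management Shell module, a SharePoint administrator account, and placeholder values for the admin URL and the tenant's Entra ID directory GUID. Conditional access, sensitivity labels, DLP and retention are configured elsewhere and are not covered here.

```powershell
# Added example (not from the article or Microsoft): compare the tenant's OneDrive /
# SharePoint sharing settings with a HIPAA-oriented baseline and optionally apply it.
# Assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin role.
param(
    [string]$AdminUrl   = "https://contoso-admin.sharepoint.com",  # placeholder
    [string]$TenantGuid = "00000000-0000-0000-0000-000000000000", # placeholder Entra tenant ID
    [switch]$Remediate                                             # omit to report only
)

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# Baseline: no anonymous links, external recipients must sign in as the invited
# account, guests cannot reshare, direct view-only links by default, and unmanaged
# devices get browser-only limited access instead of download/sync.
$baseline = @{
    SharingCapability                          = 'ExternalUserSharingOnly'
    DefaultSharingLinkType                     = 'Direct'
    DefaultLinkPermission                      = 'View'
    RequireAcceptingAccountMatchInvitedAccount = $true
    PreventExternalUsersFromResharing          = $true
    ConditionalAccessPolicy                    = 'AllowLimitedAccess'
}

$tenant   = Get-SPOTenant
$findings = foreach ($name in $baseline.Keys) {
    $current = $tenant.$name
    if ("$current" -ne "$($baseline[$name])") {
        [pscustomobject]@{ Setting = $name; Current = $current; Expected = $baseline[$name] }
    }
}

if ($findings) {
    Write-Host "Settings that deviate from the baseline:" -ForegroundColor Yellow
    $findings | Format-Table -AutoSize
    if ($Remediate) {
        # Each baseline key is a Set-SPOTenant parameter, so the hashtable splats directly.
        Set-SPOTenant @baseline
        # Allow the sync client only on devices joined to this tenant's directory,
        # which blocks syncing tenant content into a personal Microsoft account.
        Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $TenantGuid
        Write-Host "Baseline applied." -ForegroundColor Green
    }
} else {
    Write-Host "Tenant sharing settings already match the baseline." -ForegroundColor Green
}
```

Run it without -Remediate first and keep the output as evidence for the risk analysis; rerun it on a schedule so drift from the baseline is caught rather than discovered during an incident.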
Where OneDrive Fits in Your Compliance Program
OneDrive is one storage tier in a Microsoft 365 environment that often spans Outlook, Teams, SharePoint, and a long list of Office add-ins. The BAA covers Microsoft's services. It does not cover the integrations, the third-party apps, or the human decisions about what to store and share.
The compliance program manages all of it. Configuration baselines, sharing policies, DLP rules, and training combine to make OneDrive operationally compliant rather than just contractually eligible.
Patient Protect maps your full Microsoft 365 environment, tracks every vendor BAA, and monitors configuration drift across the integrations and devices that interact with OneDrive content.
Frequently Asked Questions
Is the free OneDrive HIPAA compliant?
No. The free 5 GB OneDrive Basic, the consumer Microsoft 365 Family and Personal plans, and any OneDrive account created from a personal email address are not HIPAA-eligible. Microsoft does not sign BAAs for consumer products.
Does the Microsoft 365 BAA cover OneDrive automatically?
Yes — when the BAA is signed for the commercial Microsoft 365 tenant, OneDrive for Business is included as one of the covered services. You do not need a separate BAA for OneDrive specifically.
Can I use OneDrive to send patient records to a referring provider?
Yes, with proper sharing controls. External sharing must be authenticated, the recipient must accept the share, and ideally sensitivity labels with encryption are applied so the protection persists if the file is forwarded. Avoid anonymous links for PHI under any circumstance.
What about OneDrive for Mac and OneDrive on iPhone?
The OneDrive client on Mac, Windows, iOS, and Android inherits the same coverage as the underlying account. The risk is at the device layer — unmanaged personal devices, lack of encryption, and sync to non-tenant accounts. Use device management to enforce controls.
Is sensitivity labeling required for HIPAA compliance?
Not strictly required by HIPAA. But labeling is one of the most effective controls for enforcing minimum-necessary, blocking external over-sharing, and maintaining protection on files after they leave OneDrive. For practices serious about HIPAA in Microsoft 365, sensitivity labels are the practical baseline.
Can OneDrive replace my EHR for storing patient records?
No. OneDrive is general-purpose file storage. EHRs are designed around clinical record-keeping, retention, audit, and integration requirements that OneDrive does not address. OneDrive can supplement an EHR for documents and shared files, but it should not replace clinical record systems.
Patient Protect tracks your full compliance program — including Microsoft 365 configurations, sharing policies, and integration BAAs — starting at $39/month.
