OneDrive HIPAA Configuration Guide: The 8-Step Lockdown (2026)
OneDrive Business is HIPAA-eligible. The default settings are not. This is the 8-step tenant + sharing + DLP + audit configuration that takes a fresh Microsoft 365 deployment from eligible to actually compliant.

OneDrive HIPAA Configuration Guide: The 8-Step Lockdown (2026)
This guide assumes you have already decided to use OneDrive for Business on a Microsoft 365 commercial plan with a signed BAA. If you are still in the research phase, the companion post — "Is OneDrive HIPAA Compliant?" — covers the buy/don't-buy decision. This is the implementation guide for the practices that have already decided.
The single biggest failure pattern with OneDrive in healthcare is not the BAA. The BAA is on file. The pattern is that the practice deploys Microsoft 365, signs the BAA, and never opens the SharePoint Admin Center or the Microsoft Purview Compliance Portal — leaving seventeen security-relevant toggles in their default position. Several of those defaults create HIPAA exposure on day one. This is the step-by-step that closes them.
Step 1: Verify the BAA Scope and Tenant Type
Before configuration work begins, verify the foundation.
BAA in place. Microsoft's BAA is offered automatically with most commercial Microsoft 365 subscriptions but is conditional on accepting Microsoft's Online Services Terms (OST) and the HIPAA Business Associate Agreement appendix. Confirm acceptance in the Microsoft 365 Admin Center under Billing → Your products → Microsoft Online Services agreement.
Tenant type. Verify your tenant is on a commercial plan. Microsoft 365 Family, Personal, and the consumer OneDrive standalone do not qualify regardless of how the BAA paperwork looks. The Admin Center will display the SKU under each user license.
No mixed-tenant configuration. If your practice operates multiple Microsoft 365 tenants (common after M&A or franchise expansion), each tenant needs its own BAA. The BAA is tenant-scoped, not organization-scoped.
Configuration work without these three confirmations is premature. Get the foundation right before touching the toggles.
Step 2: Tenant-Level Settings (Microsoft 365 Admin Center)
In Microsoft 365 Admin Center → Settings → Org settings:
Microsoft Purview audit logging. Should be ON. This is the master switch for audit retention. New tenants in 2024+ have it on by default; older tenants may not.
Modern authentication. Should be ON. Legacy authentication protocols (POP, IMAP, SMTP basic auth) bypass MFA and are not appropriate for any account that touches PHI.
Self-service password reset. Should be ON with MFA challenge. If a clinician forgets their password and the reset path is a security question, the practice's authentication surface is weaker than its perimeter.
User consent to apps. Should be set to "Do not allow user consent" or "Allow user consent for verified publishers, for selected permissions." Default is "Allow user consent for any app" — meaning any clinician can authorize a third-party app to access their OneDrive without admin review.
This last one is responsible for more HIPAA findings than the entire DLP configuration. Lock it down on day one.
Step 3: SharePoint Admin Center — Sharing Defaults
OneDrive runs on SharePoint infrastructure. The OneDrive sharing settings are SharePoint sharing settings under a different label. In SharePoint Admin Center → Policies → Sharing:
External sharing for OneDrive. Change from "Anyone" (default) to "New and existing guests" at minimum. For tightest control, "Only people in your organization" — though this restricts legitimate cross-organization collaboration.
Sharing link defaults. Verify the default is "Specific people" (Microsoft changed this default for new tenants in July 2024, but older tenants may still default to "Anyone with the link" until explicitly changed). Setting "Specific people" determines what users see when they click Share without thinking about the settings.
Link expiration. Set to 30 days maximum for "Anyone" links if you must allow them at all. Default is "Never expires," which is exactly wrong for PHI.
Link permission default. Set to "View" not "Edit." A clinician who needs to share a referral document for editing can change the permission per-link; defaulting to Edit creates accidental write access on every share.
External user access expiration. Set to 60 days. Forces re-authentication and revisit of permissions on long-standing external collaborations.
These five toggles, individually, look minor. Together, they are the difference between OneDrive that follows HIPAA's minimum-necessary principle and OneDrive that leaks PHI through guest links nobody reviewed.
Step 4: External Sharing Per OneDrive User
Beyond the tenant default, individual OneDrive accounts can have their sharing settings further restricted in SharePoint Admin Center → More features → OneDrive admin center → Sharing.
Limit accidental exposure. Set "External sharing" at the OneDrive level to match or be more restrictive than the SharePoint tenant default. The OneDrive setting overrides the SharePoint setting downward only — it cannot loosen tenant policy, only tighten it.
Block specific domains. If your practice has reason to block sharing with specific external domains (a former competitor, a vendor relationship that ended), the domain block list lives in OneDrive sharing settings. Keep this list current.
Notification on external share. Enable notifications to admins when an OneDrive user shares with an external email. This is the audit trail that survives an OCR inquiry about how a specific document ended up at a specific recipient.
Step 5: Data Loss Prevention (DLP) for PHI Patterns
Microsoft Purview includes pre-built DLP policy templates for "U.S. Health Insurance Act (HIPAA)" that detect PHI patterns in document content and emails. These are not enabled by default — the policies must be turned on and tuned.
In Microsoft Purview Compliance Portal → Data loss prevention → Policies:
Enable the HIPAA template. Use the built-in U.S. HIPAA template as the starting point. It detects U.S. Social Security numbers, U.S. and U.K. health insurance numbers, ICD-10/ICD-9 codes, and common PHI patterns.
Tune the sensitivity. The default thresholds may produce false positives or false negatives depending on the practice's document mix. Run the policy in "Test with policy tips" mode for two weeks before enforcement to calibrate.
Apply across the workload. Apply DLP to Exchange (email), OneDrive, SharePoint, and Teams in the same policy. Most early-stage policies apply only to email — leaving the OneDrive surface unmonitored.
Block external sharing of PHI documents. Configure the policy action to block external sharing when PHI is detected, with an override option for clinicians who genuinely need to share (the override is logged for audit).
Notify admins on policy match. Configure notifications so the compliance officer learns of policy matches in near-real-time, not at quarterly review.
DLP is not perfect. It will miss handwritten patient identifiers in PDF scans and will flag administrative documents that mention SSNs in non-PHI context. But it is the highest-leverage detection control available in the Microsoft 365 stack — and it is off by default.
Step 6: Sync Client Controls
OneDrive's sync client is the dominant mechanism by which PHI ends up on devices that the practice does not control. Lock it down.
In SharePoint Admin Center → Settings → Sync:
Allow sync only on managed devices. Enable "Allow syncing only on computers joined to specific domains" or use Conditional Access (Step 8) for finer control. The blanket alternative — allow sync from any device — means PHI ends up on personal laptops, home computers, and family devices.
Block sync of file types. Block sync of file extensions that should not be on local devices — large database exports (.bak), virtual machine images (.vhd), and any local-only formats your practice does not use. Reduces accidental local replication of PHI.
Sync client minimum version. Enforce a minimum OneDrive sync client version. Old sync clients have known security issues; current versions self-update but blocking old clients prevents a regression.
Step 7: Audit Log Retention Beyond 90 Days
HIPAA's minimum log retention is six years. Microsoft 365's default audit log retention is 180 days for Audit (Standard) — 1 year for Audit (Premium) on E5 / Microsoft Purview Suite — both still well short of HIPAA's six-year minimum.
In Microsoft Purview Compliance Portal → Audit → Audit retention policies:
Create a tenant-wide audit retention policy. Set retention to ten years (longer than HIPAA's six-year minimum, to absorb state-law overlays that push to seven or longer).
Verify the policy covers all relevant activity types. OneDrive access events, file sharing events, sign-in events, admin changes — all should be in scope.
Verify the policy applies tenant-wide. Audit retention policies can be scoped to specific users or activities. The default for a HIPAA tenant should be broad.
Test retrieval. Run a Purview audit search for an event older than the default retention window (180 days for Standard, 1 year for Premium). If the search returns results from beyond that window, your extended retention is configured correctly. If it returns nothing past the default, the policy is not effective yet.
Audit log retention is the single configuration item most likely to cause an OCR finding to escalate from "documentation deficiency" to "willful neglect." The logs of who accessed what, when, must be available six years later. If they're not, the practice cannot prove its access controls were enforced.
Step 8: Conditional Access Policies
The final lockdown. Conditional Access requires Azure AD Premium P1 or P2 (included in Microsoft 365 Business Premium and above; add-on otherwise).
In Microsoft Entra → Conditional Access → Policies:
Require MFA for all users. No exceptions for "service accounts" or "the boss's account." If the account can access PHI, MFA is required.
Block legacy authentication. Prevents bypass of MFA via outdated protocols.
Require compliant device for PHI access. Devices accessing OneDrive must be enrolled in Intune (or your MDM of choice) and meet compliance policy. Personal devices accessing PHI without management is one of the most common findings in OCR audits of cloud-hosted practices.
Block high-risk sign-ins. Configure risk-based Conditional Access to block sign-ins from anonymous IPs, impossible-travel scenarios, or unfamiliar locations.
Session controls for unmanaged devices. If you must allow PHI access from unmanaged devices (BYOD reality), use Conditional Access App Control to restrict download, copy/paste, and printing.
The OneDrive-Specific Gotchas
Five things that catch even careful Microsoft 365 administrators:
OneDrive recycle bin retention. Deleted items in OneDrive go to the user's recycle bin for 30 days, then to the second-stage recycle bin for another 93 days. Total 123-day delay before permanent deletion. For PHI you intended to delete on a retention schedule, this matters.
Shared with me does not include shared by me. When auditing what a user can access, "Shared with me" is half the picture. The other half is what they have shared, which requires SharePoint audit logs to surface.
Microsoft Teams files live in SharePoint, not OneDrive. A clinician who uploads a PHI file to a Teams channel is creating a SharePoint document, not a OneDrive document. The DLP, audit, and sharing policies must apply to both surfaces — Teams file activity is often missed in initial configuration.
External users can re-share. Once you've shared a OneDrive document with an external guest, that guest can re-share it with additional recipients (unless explicitly blocked). The re-share is logged but does not require your approval.
The "Shared with everyone" folder. Older Microsoft 365 deployments created a "Shared with everyone" folder in each user's OneDrive by default. New tenants do not. If you migrated from an older tenant, verify this folder does not exist with PHI in it.
How Patient Protect Helps
The Microsoft 365 tenant is one of dozens of systems an independent practice operates. The seventeen toggles in this guide are configurations that must be set, but more importantly, they must be set and remain set. Drift is the failure mode — a junior admin re-enables a setting six months later because a clinician complained about a workflow.
Patient Protect monitors your Microsoft 365 tenant configuration against the HIPAA baseline daily. When a setting drifts — anonymous sharing turned back on, DLP policy weakened, audit retention reduced — the platform surfaces it before the next OCR inquiry does. For a practice without a dedicated Microsoft 365 administrator, this is the difference between a configuration that's correct on day one and a configuration that stays correct through staff turnover and Microsoft's feature updates.
The BAA is the easy part. The eight steps above are the work. Keeping them in place is the discipline.

