Securing Your Data in OneDrive for Business


Protecting Sensitive Data in OneDrive

OneDrive is a very useful tool for file storage, collaboration, secure file sharing, and more. However, if you have access to information, folders, or files that are stored in OneDrive, it is your responsibility as a data owner to ensure that the access permissions enabled for your data meet legal and regulatory requirements (e.g., HIPAA, FERPA, etc.) for protecting the privacy of that information. You must ensure that folder and file permissions have been set so that the content is shared only with individuals who are authorized to access and use it.

Please carefully review the following information:

Additional information about using OneDrive is available on the Office of Information Technology OneDrive for Business webpage.

If you have any questions about securing your data in OneDrive, please contact the CU Anschutz and CU Denver OIT Service Desk at 303.724.4357.

HIPAA Compliance for OneDrive

Microsoft has entered into a Business Associate Agreement (BAA) with the university, and OneDrive for Business has been configured for HIPAA compliance. You are still responsible, however, for ensuring that your data is stored and shared securely. See the instructions in the previous section for specific guidance on how to do this. The university’s HIPAA policies and procedures can be found here.

The following measures can also help to ensure HIPAA compliance:

  • Transfer of ownership: remove file access before users leave the university and ensure that ownership has been transferred to another individual as appropriate.
  • File management: recover or permanently delete files from the recycle bin depending on your department’s specific retention requirements.
  • Access review: review access permissions on a set timeline (every 30 days, every month, etc.).

In addition, the security team recommends that university departments create documentation stating how the department will use OneDrive with HIPAA data. This documentation is solely for the department’s internal use (e.g., user guides, policies, etc.).

HIPAA compliance depends on all of us. Additional resources: