HIPAA Compliance for OneDrive for Business

When the University of Colorado of Denver | Anschutz Medical Campus shares information, internally or externally, it is important that the confidentiality, integrity, and availability of that data be preserved. That is no small task, especially with so many cloud storage options available. Microsoft has entered into a Business Associate Agreement (BAA) with the university. This agreement helps provide university students, faculty, and staff with a tool for collaboration and secure file sharing, OneDrive for Business.  

OneDrive for Business is different from OneDrive, which is a consumer product for personal use. If you have a OneDrive account for personal use, use caution when selecting OneDrive to save or share a file. Be sure to choose “OneDrive – The University of Colorado Denver.”

OneDrive for Business is configured for HIPAA compliance; however, you should be careful with the type of data stored and with whom and how the data is shared (same university HIPAA policies and procedures apply). By default, files stored and/or created in the OneDrive for Business are set to private. You can share files or folders with one or more individuals, choose to grant access that is read-only, or you can grant permission to edit the file.

However, OIT strongly recommends turning off the sharing permissions for files if access is not needed for anyone else. In addition, when using CU's OneDrive with HIPAA data, departments should review the following recommendations:

  • Folder management: use folders to separate and organize all shared and private files
  • Manage sharing permissions for each file: turn on/off
  • Manage download permissions for each file: turn on/off
  • Transfer of ownership: remove file access prior to users leaving the university through file transfer of ownership
  • File Management: recover or permanently delete files from the recycle bin depending on your department's specific retention requirements
  • Review access permissions on a set timeline (every 30 days, every month etc.)
  • Additionally, the security team recommends that university departments create documentation stating how the department will be using OneDrive with HIPAA data. Note, this documentation is solely for the department internally (ex. user guides and workflow polices).  

OneDrive for Business how-to links:

 

HIPAA Compliance Depends on all of us. Additional resources:

If you have any questions regarding this service, please contact the CU Denver | Anschutz Medical Campus OIT Service Desk at 303.724.4357.