Is Microsoft OneDrive HIPAA compliant?
Yes, with two qualifications: the coverage applies to OneDrive for Business inside an eligible Microsoft 365 subscription, not to standalone consumer OneDrive, and the BAA covers the service rather than certifying your deployment. OneDrive for Business is listed as an in-scope service under Microsoft's HIPAA BAA, which Microsoft provides through the Microsoft Online Services Data Protection Addendum.
Key facts
- BAA available: Yes, provided as part of the Microsoft Online Services Data Protection Addendum for eligible subscriptions rather than as a separately negotiated contract
- What it takes: Eligible Microsoft 365 / OneDrive for Business plan (not consumer OneDrive)
- Official source: Microsoft — HIPAA/HITECH compliance offering — https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech (verified 2026-06)
How to use Microsoft OneDrive in a HIPAA-compliant way
- Subscribe to an eligible Microsoft 365 / OneDrive for Business plan.
- Confirm the Microsoft HIPAA BAA applies via the Online Services Data Protection Addendum (available by default to HIPAA covered entities/business associates).
- Verify OneDrive for Business is an in-scope service for your workloads.
- Configure the technical safeguards yourself: restrict external and anonymous sharing, enforce MFA and conditional access for accounts that touch PHI, keep audit logging enabled and retained, and apply DLP and retention policies to PHI. The BAA does not set any of these for you.
- Keep records of the applicable BAA/DPA terms.
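The configuration step above is where most deployments fall short, so the following is an added example (not Microsoft's own tooling or code from this page) of how a SharePoint administrator could audit a tenant's OneDrive for Business sharing settings against a PHI baseline and, only after reviewing the drift report, apply it. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed, the caller holds the SharePoint Administrator role and audit-log read permission, and "contoso" is a placeholder tenant name; the baseline values are one reasonable starting point, not a HIPAA requirement.

```powershell
# Added example: audit and harden OneDrive for Business sharing settings for a tenant
# that stores PHI. Assumptions: Microsoft.Online.SharePoint.PowerShell and
# ExchangeOnlineManagement are installed, the caller is a SharePoint Administrator,
# and "contoso" is a placeholder tenant. These are technical safeguards only; they do
# not replace the BAA, a risk analysis, workforce training or the rest of a HIPAA program.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Desired tenant-level baseline (keys are Set-SPOTenant parameter names so the
# hashtable can be splatted directly when applying).
$baseline = @{
    SharingCapability                 = 'ExistingExternalUserSharingOnly' # no anonymous links, no new guests
    DefaultSharingLinkType            = 'Internal'   # new links default to "people in your organization"
    DefaultLinkPermission             = 'View'       # new links are read-only unless the user changes them
    PreventExternalUsersFromResharing = $true        # guests cannot forward access to others
    LegacyAuthProtocolsEnabled        = $false       # block basic-auth clients that bypass MFA / conditional access
    DisallowInfectedFileDownload      = $true        # files flagged as malware cannot be downloaded
}

# Step 1: snapshot the live settings and report every value that differs from the baseline.
$current = Get-SPOTenant
$drift = foreach ($name in $baseline.Keys) {
    $actual = $current.$name
    if ("$actual" -ne "$($baseline[$name])") {
        [pscustomobject]@{ Setting = $name; Current = $actual; Expected = $baseline[$name] }
    }
}

if ($drift) {
    Write-Host "Tenant settings that differ from the PHI baseline:"
    $drift | Format-Table -AutoSize
} else {
    Write-Host "Tenant sharing settings already match the PHI baseline."
}

# Step 2: apply only after the drift report has been reviewed and approved.
$apply = $false   # flip to $true deliberately; keep the drift report as a change record
if ($apply -and $drift) {
    Set-SPOTenant @baseline
}

# Step 3: list individual OneDrive sites whose own sharing setting is the most permissive
# value, so they can be reviewed even though the tenant setting caps what they can do.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"
$oneDrives |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability

# Step 4: audit-control check. Pull the last 30 days of anonymous-link creation events from
# the unified audit log; with the baseline above the expected result is an empty list.
Connect-ExchangeOnline -ShowBanner:$false
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation -Operations AnonymousLinkCreated -ResultSize 5000
$events | Select-Object CreationDate, UserIds, Operations
```

Treat the drift report and the audit query output as evidence for your own HIPAA records: the page's earlier step about keeping records of the BAA terms covers the contract, and this covers the configuration that the contract leaves to you.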
Important caveats
- Coverage applies to OneDrive for Business within Microsoft 365 — consumer OneDrive is not covered and must not store PHI.
- Only in-scope services are covered; verify your specific workloads are listed.
- The BAA alone does not ensure compliance; you must implement appropriate controls and configuration.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with the BAA in place, you remain responsible for configuring OneDrive for Business correctly, limiting access to PHI, training staff, and maintaining your own administrative, physical, and technical safeguards. This page is general information, not legal advice; confirm current terms with Microsoft.
Frequently asked questions
Does Microsoft OneDrive sign a BAA?
Yes, for eligible Microsoft 365 / OneDrive for Business plans (not consumer OneDrive). Microsoft provides its HIPAA BAA through the Online Services Data Protection Addendum; confirm that the BAA terms apply to your subscription and are documented before any PHI is stored in OneDrive.
Is Microsoft OneDrive HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Microsoft OneDrive offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Microsoft OneDrive with PHI?
Confirm that your subscription is an eligible Microsoft 365 / OneDrive for Business plan and that the BAA terms apply to it; consumer OneDrive is not covered and must not store PHI. Check that OneDrive for Business is listed as an in-scope service for the workloads you intend to run, and that your own controls (sharing restrictions, access control and MFA, audit logging, DLP and retention) are configured before the first PHI is uploaded.