Microsoft OneDrive for Healthcare
OneDrive for Healthcare appears to be a hot topic. At IT Networks, we are frequently asked by both our clients, and other professionals who work in Healthcare, whether Microsoft OneDrive is okay for storing and sharing patient data.
Clarifying this question is important because just like “position, position, position” matters in real estate, healthcare is all about “compliance, compliance, compliance”.
So, below I aim to provide a definitive answer to this question and highlight what a Medical Practice needs to have in place to use OneDrive or Microsoft 365 to store patient data effectively.
Effective Health Service Equals Compliance
Australia has some of the most stringent patient privacy and confidentiality laws in the developed world. In Australia, the Privacy Act 1988 is the law used to enforce compliance. In 1996, the United States passed a law that brings together a broad range of patient privacy and confidentiality rules in one neat package, the Health Insurance Portability and Accountability Act (HIPAA). Microsoft, being an American company, aligns itself to the HIPAA standard.
While not entirely the same, the Privacy Act 1988 is largely the Australian counterpart to HIPAA. If your software is configured to be HIPAA compliant, then the software itself will meet many of the Australian requirements you need. However, your practice still needs to operate in accordance with the Privacy Act and other relevant Australian standards.
Microsoft 365 and OneDrive
Microsoft 365 is a subscription-based service that consists of many different applications providing collaboration, storage, security and management as a software-as-a-service product for business environments. Microsoft OneDrive is one of the applications provided in a Microsoft 365 subscription.
First and foremost, it is important to understand that Microsoft 365 is HIPAA compliant only if the medical practice takes the necessary steps to ensure this compliance is met. Microsoft has released a white paper on this very topic, which I will endeavour to explain in simple terms in this article.
Put very simply, Microsoft 365 needs to be set up in a certain manner for it to be HIPAA compliant. Using OneDrive for Healthcare comes under this banner. Taken directly from the Microsoft white paper, this is what is required:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (“ePHI”) created, received, maintained, or transmitted.
- Regularly review system activity records, such as audit logs, access reports, and security incident tracking reports.
- Establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process containing ePHI.
- Monitor login attempts and report discrepancies.
- Identify, respond to, and document security incidents.
- Obtain satisfactory assurances from their vendors before exchanging ePHI (i.e. Business Associates).
All of the above may be overwhelming for a health professional. I’d like to emphasise that as a healthcare professional, you do NOT need to understand all of these specifics. A competent IT manager or project manager can configure everything required quickly and easily in the Office 365 Security and Compliance Center.
As an external IT Partner, we have seamlessly achieved compliance for many practices who have either moved to Microsoft 365 or were already using it. A surprising number of practices already using their Microsoft 365 Subscription are not aware they would not pass an Australian compliance audit. One of the most common shortfalls we come across is practices not turning on Multi-Factor Authentication. Is your practice up to date with this?
What Else is Required?
To ensure compliance, there are things that need to be set up and things that need to be monitored on an ongoing basis. Points 2, 4 and 5 listed above from the Microsoft white paper require ongoing monitoring and management to remain compliant. Please check this link if you require ongoing services to keep you compliant.
Another thing to consider when using Microsoft 365, or any of the applications provided with the subscription, is the amount of data a medical practice generates. The modalities used in most practices are capable of generating and transmitting very large volumes of data.
Finally, it’s important to realise that if your Microsoft 365 traffic is competing with the data being generated by your modalities, a considerable amount of bandwidth is required to support sustained transmission. Therefore, the router needs to be capable of supporting all this traffic, and any medical imaging data needs to be encrypted if it is leaving your practice.
Was this information helpful? Let me know if you have any questions or need more hands-on support.