OneDrive is a very useful tool for file storage, collaboration, secure file sharing, etc. but if you have access to information, folders, or files that are stored in OneDrive, it is your responsibility as a data owner to ensure that the access permissions enabled for your data meet legal and regulatory (e.g., HIPAA, FERPA, etc.) requirements for protecting the privacy of that information. You must ensure that the folders and file permissions have been set to limit the content so that it is only shared with individuals who are authorized to use and access the information.
Please carefully review the following information:
Additional information about using OneDrive is available on the Office of Information Technology One-Drive for Business webpage.
If you have any questions about securing your data in OneDrive, please contact the CU Anschutz and CU Denver OIT Service Desk at 303.724.4357.
Microsoft has entered into a Business Associate Agreement (BAA) with the university and OneDrive for Business has been configured for HIPAA compliance. You are still responsible for ensuring that your data is stored and shared securely, however. See the instructions in the previous section for specific guidance on how to do this. The university’s HIPAA policies and procedures can be found here.
The following measures can also help to ensure HIPAA compliance:
In addition, the security team recommends that university departments create documentation stating how the department will be using OneDrive with HIPAA data. This documentation is solely for the department’s internal use (e.g., user guides, policies, etc.)
HIPAA compliance depends on all of us. Additional resources: