
Is OneDrive HIPAA Compliant? Personal vs. Business Accounts Explained

Last updated: March 21, 2026

TLDR

OneDrive personal (free) accounts are not HIPAA compliant — Microsoft does not offer a BAA for them. OneDrive for Business, included with Microsoft 365 business plans, can be HIPAA compliant when your organization accepts the Microsoft Online Services Data Protection Addendum (DPA), which serves as the HIPAA BAA for covered services. Proper access controls are still required. An employee using a personal OneDrive account on a work device to store patient files is committing a violation regardless of your organization's M365 plan.

The short answer is that it depends entirely on which OneDrive product you are asking about.

OneDrive personal — the free storage account tied to a Microsoft personal account — is not HIPAA compliant. Microsoft offers no Business Associate Agreement for personal accounts. Full stop.

OneDrive for Business, which is included with Microsoft 365 business subscriptions, can be HIPAA compliant. Microsoft covers it under the Online Services Data Protection Addendum, which functions as the HIPAA BAA for Microsoft 365. But “can be” requires action from your organization — accepting that DPA and configuring the right access controls.

The Two Products Are Completely Different

The confusion is understandable. Both are called “OneDrive,” both sync files to the cloud, and the interface looks similar. But they operate under different legal terms.

OneDrive personal is a consumer product. It is governed by the Microsoft Services Agreement, which does not include HIPAA coverage. Microsoft has been clear that it does not sign BAAs for consumer services.

OneDrive for Business is an enterprise product governed by the Microsoft Online Services Terms. Microsoft’s HIPAA Business Associate Agreement — the Online Services Data Protection Addendum — applies to this product when the organization accepts it. OneDrive for Business is explicitly listed as a covered service.

How the Microsoft HIPAA BAA Works

Microsoft does not send you a separate document called “HIPAA BAA.” Instead, HIPAA coverage flows through the Online Services Data Protection Addendum (DPA), which is incorporated into your Microsoft 365 subscription agreement.

To make the BAA effective for your organization:

  1. Your organization must be on a qualifying Microsoft 365 plan. Business Basic, Business Standard, Business Premium, and enterprise plans all qualify. Free or personal plans do not.

  2. A Microsoft 365 global administrator must accept the DPA in the Microsoft 365 Admin Center. The path is typically: Admin Center > Settings > Org settings > Security & privacy > Customer lockbox or compliance-related settings. Microsoft updates the exact location periodically — search the Admin Center for “Data Protection Addendum” if the path has changed.

  3. Once accepted, OneDrive for Business, SharePoint Online, Exchange Online, and other covered services are operating under the BAA.

Microsoft publishes a list of covered services under the DPA. Verify OneDrive for Business appears on that list for your plan before storing PHI.

What the BAA Does Not Cover

The BAA is the legal foundation, not the complete compliance program. The Security Rule still requires your organization to implement:

Access controls. Only authorized workforce members should be able to access PHI in OneDrive for Business. Implement Azure Active Directory conditional access policies to enforce this. Restrict external sharing settings in the SharePoint/OneDrive admin center so files cannot be shared publicly or with unauthorized external parties.

Audit logging. Microsoft Purview (formerly Microsoft Compliance Center) provides unified audit logging for OneDrive for Business activity — who accessed files, who shared them, and when. Enable this and ensure logs are retained for the required period (minimum six years for HIPAA compliance documentation).

Data loss prevention (DLP). Configure Microsoft Purview DLP policies to detect and block sharing of files containing PHI outside the organization. DLP policies can identify patterns like Social Security numbers, medical record numbers, and clinical terms, and prevent accidental or intentional exfiltration.

Encryption. Microsoft encrypts OneDrive for Business data at rest and in transit by default. You do not need to configure this separately, but you should document it as part of your Security Rule risk analysis.
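The external-sharing, audit-logging and DLP controls described above can all be applied and verified from PowerShell. The script below is an added example, not part of the original article and not Microsoft's own code. It assumes the SharePoint Online Management Shell and the ExchangeOnlineManagement module are installed, that the operator holds the SharePoint administrator and Compliance administrator roles, and that `$TenantName` is replaced with your real tenant name (the value shown is a placeholder). The DLP rule uses Microsoft's built-in U.S. Social Security Number sensitive information type; a medical record number pattern would need a custom sensitive information type and is not shown. Conditional access policies are created in Entra ID and are outside this script.

```powershell
# Added example: hardening OneDrive for Business for PHI (not from the article).
# Requires: Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules.
$TenantName = "contoso"   # placeholder: replace with your tenant name

# --- 1. External sharing: tenant-wide lockdown for SharePoint and OneDrive ---
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
# 'Disabled' blocks sharing with anyone outside the organization. If guest
# collaboration is genuinely required, 'ExistingExternalUserSharingOnly' is the
# least permissive option that still allows it. Default links become internal, view-only.
Set-SPOTenant -SharingCapability Disabled `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# Verify rather than assume: read the setting back and fail loudly if it did not stick
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -ne 'Disabled') {
    throw "External sharing is still set to $($tenant.SharingCapability)"
}

# --- 2. Audit logging: review who shared what from OneDrive in the last 30 days ---
Connect-ExchangeOnline
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation `
    -Operations SharingSet,AnonymousLinkCreated,SharingInvitationCreated `
    -ResultSize 5000

# AuditData is a JSON string; expand it and keep only OneDrive workload events
$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.Workload -eq 'OneDrive' } |
    Select-Object CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize

# --- 3. DLP: block files containing SSNs from being shared outside the organization ---
Connect-IPPSSession
# Start in test mode so the rule's matches can be reviewed before it blocks anyone;
# switch to -Mode Enable once the match volume looks right.
New-DlpCompliancePolicy -Name "PHI-OneDrive" -OneDriveLocation All -Mode TestWithNotifications
New-DlpComplianceRule -Name "PHI-OneDrive-Block-External" -Policy "PHI-OneDrive" `
    -ContentContainsSensitiveInformation @{Name = "U.S. Social Security Number (SSN)"; minCount = "1"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner
```

Two points worth keeping in mind when running this. The audit query only returns what the unified audit log still holds, and the default retention period is considerably shorter than the six-year documentation requirement mentioned above, so the log must be exported on a schedule or placed under an extended audit retention policy. The `Get-SPOTenant` check is the habit that matters: a configuration change that is never read back is not evidence for a risk analysis.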

The Personal Account Risk

The most common compliance failure is employees using personal OneDrive accounts to store work files.

An employee who receives a patient document by email and saves it to their personal OneDrive — even on a work laptop — has stored PHI outside any BAA. The organization’s Microsoft 365 BAA does not extend to personal accounts. This is a violation regardless of the employee’s intent.

Mitigations: configure Microsoft Endpoint Manager (Intune) or another MDM solution to block personal cloud storage accounts on managed devices. Use known folder move (KFM) to automatically route desktop, documents, and pictures folders to OneDrive for Business rather than personal sync clients. Train staff that personal cloud storage and work files do not mix.
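The device-side mitigations above (blocking personal OneDrive sync and enforcing known folder move) are ordinarily pushed from Intune through the OneDrive administrative template. The script below is an added example, not from the article and not Microsoft's code; it writes the same registry-backed policy values directly, which is useful for hardening a single machine by hand or for auditing what Intune actually delivered. It assumes an elevated PowerShell session on a managed Windows device and that `$TenantId` is replaced with your tenant GUID (the value shown is a placeholder). The function names are the author's own.

```powershell
# Added example (not from the article or from Microsoft): enforce and verify the
# OneDrive sync client policies that keep PHI out of personal accounts.
# Run in an elevated PowerShell session on the managed device.
$TenantId  = '00000000-0000-0000-0000-000000000000'   # placeholder: your tenant GUID
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Set-OneDrivePhiPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # Policy "Prevent users from syncing personal OneDrive accounts"
    Set-ItemProperty -Path $PolicyKey -Name 'DisablePersonalSync' -Value 1 -Type DWord

    # Known Folder Move: silently redirect Desktop, Documents and Pictures into the
    # OneDrive for Business account of this tenant, and stop users from opting back out
    Set-ItemProperty -Path $PolicyKey -Name 'KFMSilentOptIn' -Value $TenantId -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'KFMBlockOptOut' -Value 1 -Type DWord

    # Allow the sync client to sign in to this tenant only. The allow list is a subkey
    # whose entries use the tenant GUID as both the value name and the value data.
    $allowKey = Join-Path $PolicyKey 'AllowTenantList'
    if (-not (Test-Path $allowKey)) { New-Item -Path $allowKey -Force | Out-Null }
    Set-ItemProperty -Path $allowKey -Name $TenantId -Value $TenantId -Type String
}

function Test-OneDrivePhiPolicy {
    # Returns one finding per check so the result can be logged or fed to a compliance report
    $findings = @()
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    $findings += [pscustomobject]@{
        Check = 'Personal account sync blocked'
        Pass  = ($p.DisablePersonalSync -eq 1)
    }
    $findings += [pscustomobject]@{
        Check = 'Known folder move enforced for the business tenant'
        Pass  = ($p.KFMSilentOptIn -eq $TenantId -and $p.KFMBlockOptOut -eq 1)
    }
    $allowed = Get-ItemProperty -Path (Join-Path $PolicyKey 'AllowTenantList') -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check = 'Sync restricted to the business tenant'
        Pass  = ($null -ne $allowed -and $allowed.$TenantId -eq $TenantId)
    }
    # Detection: the sync client records a signed-in personal account under this per-user
    # key. Its presence means files may already be leaving the BAA-covered tenant.
    $findings += [pscustomobject]@{
        Check = 'No personal OneDrive account signed in for the current user'
        Pass  = -not (Test-Path 'HKCU:\Software\Microsoft\OneDrive\Accounts\Personal')
    }
    return $findings
}

Set-OneDrivePhiPolicy
Test-OneDrivePhiPolicy | Format-Table -AutoSize
```

The policy values take effect the next time the OneDrive sync client starts, so a device that was already syncing a personal account needs the client restarted (or the user signed out and back in) before the change is enforced. The last check only inspects the hive of the user running the script; to find personal accounts configured by other users of a shared workstation, iterate the loaded profiles under HKEY_USERS.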

OneDrive for Business vs. SharePoint

Both are covered under the Microsoft DPA, and both can store PHI under the same BAA. The practical distinction: OneDrive for Business is per-user storage (each staff member’s files). SharePoint Online is shared team and organizational storage (shared drives, project libraries, intranet sites).

Organizations using both operate under the same BAA. There is no need to negotiate separate agreements for each product.

The Bottom Line

If your practice stores any patient files in the cloud and you use Microsoft 365, verify two things: your plan is a qualifying business plan, and your administrator has accepted the Microsoft Online Services DPA. If both are true, OneDrive for Business can legally hold PHI.

If anyone in your organization uses free personal OneDrive accounts for work files, that is the more urgent problem to address. No configuration change makes a personal account compliant — the only fix is moving those files to OneDrive for Business and blocking personal account access on work devices.


DEFINITION

Business Associate Agreement (BAA)
A written contract required by HIPAA between a covered entity (your practice) and a vendor that handles protected health information (PHI) on your behalf. The BAA defines the vendor's obligations to safeguard PHI and report breaches. Without a signed BAA, using a cloud storage service for PHI is a HIPAA violation.

DEFINITION

Microsoft Online Services Data Protection Addendum (DPA)
Microsoft's standard contract that serves as the HIPAA Business Associate Agreement for covered Microsoft 365 and Azure services. It is not a separate document — it is incorporated into the Microsoft 365 subscription agreement and must be explicitly accepted in the Microsoft 365 Admin Center by an account administrator.

DEFINITION

OneDrive for Business
Microsoft's cloud storage product for organizations, included with Microsoft 365 business plans. It is distinct from OneDrive personal (free consumer accounts). OneDrive for Business is a covered service under the Microsoft HIPAA DPA; personal OneDrive accounts are not.

DEFINITION

Protected Health Information (PHI)
Any individually identifiable health information transmitted or maintained in any form or medium by a covered entity or business associate. This includes patient names linked to diagnoses, appointment records, test results, billing information, and any other data that could identify a patient and relate to their health or healthcare services.

Q&A

Is OneDrive HIPAA compliant for storing patient files?

OneDrive for Business under a Microsoft 365 business plan can be HIPAA compliant for storing patient files when the organization has accepted the Microsoft Online Services Data Protection Addendum (the HIPAA BAA). Personal OneDrive accounts are never compliant for PHI storage — Microsoft offers no BAA for them.

Q&A

How do I make OneDrive for Business HIPAA compliant?

Three steps: (1) Ensure your organization is on a qualifying Microsoft 365 business plan (Business Basic, Business Standard, Business Premium, or an enterprise plan). (2) Have your Microsoft 365 global administrator accept the Online Services Data Protection Addendum in the Microsoft 365 Admin Center under Settings > Org settings > Security & privacy. (3) Configure access controls — conditional access policies, audit logging in Microsoft Purview, and DLP policies to prevent unauthorized external sharing of PHI.

Q&A

Does the Microsoft 365 HIPAA BAA cover OneDrive and SharePoint?

Yes. Both OneDrive for Business and SharePoint Online are listed as covered services under the Microsoft Online Services Data Protection Addendum for qualifying Microsoft 365 business plans. Organizations using both services for PHI storage operate under the same BAA.

Want to learn more?

Is OneDrive HIPAA compliant?
It depends on the account type. OneDrive personal (free) accounts are not HIPAA compliant — Microsoft does not sign a BAA for personal accounts. OneDrive for Business under a qualifying Microsoft 365 business plan can be HIPAA compliant when the organization accepts the Microsoft Online Services Data Protection Addendum, which covers OneDrive for Business as a listed service.
What is the Microsoft HIPAA BAA?
Microsoft provides HIPAA coverage through its Online Services Data Protection Addendum (DPA), not a separate document labeled 'HIPAA BAA.' The DPA covers a defined list of Microsoft 365 services, including OneDrive for Business, SharePoint Online, and Exchange Online, when the organization is on a qualifying business plan. Accepting this DPA in the Microsoft 365 Admin Center is how an organization establishes the BAA relationship.
Can a free OneDrive account be made HIPAA compliant?
No. Microsoft does not offer a BAA for personal OneDrive accounts under any circumstances. A covered entity storing PHI in a personal OneDrive account has no legal protection and is in violation of HIPAA regardless of how the files are named or organized.
What if an employee uses their personal OneDrive on a work computer?
Personal OneDrive accounts are not covered by the organization's Microsoft 365 BAA, even if the employee accesses it on a work device. PHI stored in a personal OneDrive account is a violation. Organizations should use mobile device management (MDM) or endpoint policies to prevent access to personal cloud storage on work devices.
Is OneDrive for Business the same as SharePoint?
They are related but distinct. OneDrive for Business is individual cloud storage for each user. SharePoint Online is the shared document library and intranet platform. Both are covered under the Microsoft Online Services DPA for qualifying M365 business plans. Many organizations use both, and both can be compliant under the same BAA.
Do I need to configure anything beyond accepting the Microsoft DPA?
Yes. The BAA is the legal foundation, but the Security Rule also requires access controls, audit logging, and data loss prevention. In practice: configure conditional access policies to restrict who can access OneDrive for Business, enable audit logging in the Microsoft Purview compliance portal, and use sensitivity labels or DLP policies to prevent PHI from being shared externally without authorization.
