In modern medical and dental offices, paper charts and local filing cabinets have been replaced by cloud file storage. For practices utilizing Microsoft 365, the two primary file storage and sharing tools are OneDrive for Business and Microsoft SharePoint Online. While both tools run on similar underlying cloud architectures, they serve vastly different functions in a clinical setting.
A major area of confusion for practice managers and doctors is determining whether OneDrive and SharePoint are HIPAA-compliant out of the box, and which tool is best suited for sharing Protected Health Information (PHI). Failing to structure your cloud files correctly can lead to catastrophic compliance breaches, such as accidental external file sharing, unlogged user access, or data encryption by ransomware syncing to the cloud.
Crucial Requirement: Neither OneDrive nor SharePoint is HIPAA-compliant by default. Microsoft will sign a Business Associate Agreement (BAA), but this only guarantees Microsoft secures their servers. You are legally responsible for configuring sharing controls, auditing, and user permissions to meet the HIPAA Security Rule.
The Fundamental Difference: OneDrive vs. SharePoint
To choose the right tool for your healthcare workflow, you must understand their structural differences:
- OneDrive for Business (Individual Storage): Think of OneDrive as your personal, digital "My Documents" folder. It is designed for individual employees to draft and store files that are not yet ready for team-wide sharing. Each employee has their own OneDrive storage quota, and files remain private unless explicitly shared with another user.
- Microsoft SharePoint (Team Storage): SharePoint is a collaborative document management platform. It acts as the digital "Shared Network Drive" (e.g., your old local F: or G: drive) for the entire practice. Files stored in a SharePoint document library are automatically shared with all members of that SharePoint site, based on predefined security group permissions.
Comparing OneDrive and SharePoint for Healthcare Use Cases
| Feature / Metric | OneDrive for Business | Microsoft SharePoint |
|---|---|---|
| Primary Design Intent | Individual storage and drafting private business files. | Team-wide document management and central clinical portals. |
| Sharing Default Settings | Private to the user. Sharing requires manual links. | Shared automatically with members of the security group. |
| Handling ePHI | Recommended only for temporary, draft, or single-user clinical notes. | Highly recommended for patient charts, billing, HR, and templates. |
| Permission Management | Managed individually by each employee (High risk of error). | Managed centrally by IT Admins using Azure Active Directory / Entra ID. |
| Ransomware Protection | File version history exists, but local sync folders can sync encryption. | Advanced versioning, retention policies, and administrative rollback controls. |
Executing a Business Associate Agreement (BAA) with Microsoft
Before any files containing ePHI can be uploaded to OneDrive or SharePoint, your practice must execute a Business Associate Agreement (BAA) with Microsoft. The BAA is a legal contract that binds Microsoft to HIPAA regulations and establishes their liability for securing the physical servers and database layers of the M365 cloud.
Fortunately, Microsoft makes this process simple. Unlike other vendors who require custom legal negotiations, Microsoft automatically applies its standard BAA to all Business and Enterprise plans through the Online Services Terms (OST). However, to verify your BAA is legally active for an audit, your IT administrator should download and document the BAA from the Microsoft 365 Admin Center or the Trust Portal, keeping it on file with your practice policies. It is important to note that lower-tier consumer accounts (like free Outlook.com or personal OneDrive) do not support BAAs and are strictly forbidden under HIPAA.
Step-by-Step BAA Verification in Microsoft 365
To verify that Microsoft's BAA covers your account: First, log into the Microsoft 365 Admin Center using global administrator credentials. Navigate to the "Org Settings" menu under "Settings" on the left-hand navigation pane. Under the "Security & Privacy" tab, search for the "HIPAA BAA" status or click on the link to the Microsoft Service Trust Portal. In the Service Trust Portal, you can access and download the official "Microsoft Online Services HIPAA Business Associate Agreement" PDF. Verify that your tenant ID is listed and print or save this document to your compliance folder. This verified file will serve as primary audit evidence showing that your cloud vendor is legally bound to protect your medical data.
Step-by-Step Checklist to Make SharePoint HIPAA-Compliant
Since SharePoint acts as your central document repository, it is the primary target for compliance audits. Follow this technical checklist to ensure your SharePoint document libraries are secure and compliant:
1. Disable Anonymous and Public Sharing Links
By default, Microsoft 365 allows users to generate "Anyone" links, which let anyone with the URL access a document without logging in. This is a severe HIPAA risk. If an employee accidentally sends an "Anyone" link containing patient charts, that data is public.
- Block "Anyone" Links: Log into the SharePoint Admin Center and restrict external sharing options. Force links to only work for "Existing Guests" or "People in Your Organization."
- Set Link Expirations: For permitted external sharing (e.g., sending records to a specialized lab), mandate that all guest sharing links expire automatically after 7 to 30 days.
2. Establish Group-Based Access Control
HIPAA’s "Minimum Necessary" standard requires that employees only have access to the specific patient records necessary to perform their jobs. A receptionist does not need access to employee HR files or detailed financial audits, and a contractor should not have access to the primary patient database.
- Create Security Groups: Set up Active Directory (Entra ID) security groups (e.g., Front Desk, Clinical Staff, Management).
- Assign Group Permissions: Map SharePoint Document Libraries to these security groups. Never assign folder permissions to individual users manually.
3. Turn on Unified Audit Logging
In a compliance audit, you must prove that you track who accesses, modifies, or downloads files containing ePHI. Microsoft 365 maintains a detailed audit log, but it must be turned on and configured correctly.
- Enable Microsoft 365 Audit Log: Confirm that search audit log tracking is active in the Microsoft Purview compliance portal.
- Extend Log Retention: By default, M365 keeps audit logs for 90 days. For HIPAA, implement retention policies to preserve audit logs for at least one year.
4. Implement Data Loss Prevention (DLP) Policies
DLP policies automatically scan SharePoint files for sensitive information—like Social Security Numbers, Credit Card details, or Medical Record numbers—and prevent users from sharing those files externally without authorization.
- Enable HIPAA DLP Templates: Utilize Microsoft's built-in HIPAA/HITECH DLP templates to scan document libraries in real-time.
- Set Action Controls: Configure the system to automatically block the email transmission of files flagged with HIPAA sensitive content, and alert your compliance officer.
Sensitivity Labels and Microsoft Purview Information Protection
To further secure your ePHI, you can implement Microsoft Purview Information Protection (formerly Azure Information Protection). This service allows you to create **Sensitivity Labels** (such as "Confidential - ePHI" or "Highly Confidential - Medical Records") that can be applied to files in SharePoint or emails in Outlook.
When a sensitivity label is applied to a document, it automatically injects persistent metadata into the file that enforces security settings no matter where the file goes. For example, if a document labeled as "Confidential - ePHI" is downloaded to a USB drive or emailed to a personal address, Microsoft 365 verifies the user's identity online before opening. If the user is outside the organization, the file remains encrypted and unreadable. You can also configure sensitivity labels to disable copy/paste, prevent screenshot capturing, and block file printing on clinical workstations, closing a common loophole where staff members accidentally leak ePHI by exporting records to unsecured files.
Version History vs. Independent Cloud Backups
Microsoft SharePoint features a built-in "Version History" utility that allows users to view and restore previous versions of a document. While this utility is extremely helpful for recovering from minor user mistakes, it is not a true backup solution. If your local computer sync folder is hit by a sophisticated ransomware variant, it can encrypt local files and sync those changes to the cloud. While you could technically roll back each file version manually, doing so for tens of thousands of clinical documents is practically impossible.
To comply with the HIPAA Backup and Disaster Recovery standard, practices must implement an independent, third-party Microsoft 365 backup tool (such as Veeam, Datto SaaS Protection, or AvePoint). These tools run automated daily backups of your entire OneDrive, SharePoint, and Exchange databases to an isolated cloud environment that is completely separate from your Microsoft tenant. If ransomware compromises your M365 account, your IT security team can execute a clean, bulk restoration of your files, ensuring zero data loss and minimal operational downtime.
Managing the Sync Client and Offline Files Safely
The Microsoft OneDrive Sync Client allows users to sync SharePoint folders directly to their local Windows or Mac computers, making files accessible via File Explorer. While convenient, syncing ePHI to local computers creates massive compliance risks.
If an employee syncs patient records to a personal laptop and that laptop is stolen, it is a major data breach unless the drive is encrypted. To secure synced folders, Business PC Support implements Mobile Device Management (MDM) through Microsoft Intune. We enforce BitLocker drive encryption, disable syncing to personal (BYOD) devices, and configure remote wipe protocols so that if a device goes missing, clinical data is destroyed instantly before it can be read.
Summary: Which Tool Wins?
For a HIPAA-compliant medical or dental office, SharePoint is the clear winner for primary file storage. It allows central management, robust logging, group security permissions, and enterprise-level compliance monitoring. OneDrive should be restricted to draft, non-sensitive business files and personal employee notes.
If you need assistance migrating your physical server files to a secure cloud or auditing your Microsoft 365 tenant, read about our Network Infrastructure Services or contact our compliance IT specialists.