Microsoft’s OneNote can be seamlessly integrated into apps, tablets, and PCs, making it a convenient tool for quick note-taking. Moreover, you can use it to create digital notebooks with screenshots and other multimedia files. However, health workers should be careful when using the app to handle sensitive personal information lest they violate HIPAA rules.
Let’s consider how to enable compliance in OneNote below.
Table of Contents
Is OneNote HIPAA Compliant?
The short answer is yes, OneNote can be HIPAA-compliant as long as Microsoft can provide a Business Associate Agreement (BAA) for the Microsoft 365 product you use. Moreover, you should use and configure the note-taking software and all its integrated apps for HIPAA compliance.
OneNote comes with Office 2019 and Microsoft 365. It also works as a standalone. However, Microsoft Compliance documentation only mentions HIPAA compliance with the following list of in-scope cloud platforms and services. Note that the list includes Office 365, now known as Microsoft 365.
- Azure and Azure Government
- Azure DevOps Services
- Dynamics 365 and Dynamics 365 U.S. Government
- Intune
- Microsoft Defender for Cloud Apps
- Microsoft Healthcare Bot Service
- Microsoft Managed Desktop
- Dynamics 365, Intune, and other Microsoft Professional Services
- Office 365, Office 365 U.S. Government
- Power Automate cloud service, either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- PowerApps cloud service, either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service, either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Windows 365
Let’s take a look at some of the key features that enable OneNote compliance:
Microsoft offers a BAA
Microsoft provides the required legal agreement under HIPAA for covered entities and business associate customers. The lack of a signed BAA hinders any software from claiming HIPAA compliance.
Microsoft undergoes auditing
Microsoft has obtained ISO/IEC 27001 and HITRUST CSF certifications. The company correctly states that there is no HIPAA certification standard recognized by the Department of Health and Human Services (HHS). However, it still undergoes audits conducted by third-party auditors to ensure that you can use its products securely.
OneNote Cloud Storage Is HIPAA-compliant
OneNote stores data on Microsoft OneDrive by default. As part of Microsoft 365, OneDrive can also be used in a HIPAA-compliant manner as long as it is appropriately configured and you have a duly signed BAA with Microsoft.
Security features
Microsoft 365 Business plans include security features for your business to comply with HIPAA’s technical safeguards. These features include multi-factor authentication, security defaults, administrator accounts, and email protection. Microsoft 365 Enterprise plans, on the other hand, have employed protection for lost or stolen credentials. It also has real-time threat analytics and data travel control.
Moreover, OneNote for Microsoft 365 on Windows autoblocks risky file extensions. This protects you from threats that cyberattacks include in embedded files with dangerous extensions.
Configure OneNote for Secure Healthcare Note-Taking
Healthcare professionals and organizations trust the OneNote digital note-taking app with protected health information. To further ensure OneNote HIPAA compliance, follow these tips:
- Make sure that you have a BAA with Microsoft.
- Use the Microsoft Purview Compliance Manager to help you automatically assess compliance.
- Use a password for your digital notebooks on OneNote. Notebook sections can be protected with passwords, which lock all its pages.
- Keep your apps updated and patched to avoid security risks.
- Don’t use unsecured third-party apps with OneNote.
- Provide HIPAA training for all staff using OneNote and other online apps.
- Conduct regular risk assessments to identify possible threats in your system.
- Turn on multi-factor authentication in Microsoft 365. MFA helps ensure that only authorized persons can access your data.
- Implement HIPAA Security Rules and follow administrative, technical, and physical safeguards.
Use HIPAA-Compliant Note-Taking Solutions
There’s no need to complicate things over OneNote and HIPAA compliance. As long as you follow proper guidelines and obtain a signed BAA from Microsoft, you can count on this note-taking software to safely keep all your health notes, PHI included. Or, you can evaluate other HIPAA-compliant alternatives.
Microsoft is one of the trusted names when it comes to software. But even though the company can guarantee OneNote compliance, ensuring PHI protection and patient privacy still depends on your organization’s adherence to HIPAA best practices. It is equally critical to make your team aware of their responsibilities and obligations when handling sensitive health details.
