The moment a lawyer saves their medical records in a way that unintentionally and without their consent uploads them to OneDrive, they have a pretty solid case to charge Microsoft for a HIPAA violation.
HIPAA doesn’t even require encryption. It’s considered “addressable”. They just require access be “closed”. You can be HIPAA compliant with just Windows login, event viewer, and notepad.
(Also HIPAA applies to healthcare providers. Adobe doesn’t need to follow HIPAA data protection, though they probably do because it’s so lax, just because you uploaded a PDF of a medical bill to their cloud.)
HIPAA applies to whichever entity consciously chooses to move/store data.
Generally, after a patient downloads a healthcare-related item, they are that entity - and as the patient, they have full control/decisions about where it goes, so they can’t violate their own HIPAA agreement even if they print it and scatter it to the wind.
BUT, if your operating system “decides” to upload that document without the user’s involvement, then Microsoft is that entity - and having not received conscious permission from the patient, would be in violation. It’s an entirely different circumstance if the user is always going through clear prompts, but their more recent OneDrive Backup goal has been extremely forceful and easy to accidentally turn on - even to the point of being hard to disable. As you said, encryption has nothing to do with it.
https://www.hipaajournal.com/onedrive-hipaa-compliant/#
Totally feasible to use onedrive.
However I’ve got no sympathy for even a small business to use IT without someone configuring their system in a way that controls this. A lawyer of all people knows that knowledge is worth something.
It is feasible to CHOOSE to use OneDrive and take all the proper precautions. We’re talking about home users getting OneDrive data uploaded without their consent through their “push assumed default”, and “giant popup, tiny cancel” setups.
The article you link only says it’s okay when using a OneDrive business plan together with a signed agreement.
You should be, if you’re in a work computer with privileged documents, controlling it with an appropriate level of care. No matter Linux or Windows. If you’re using home and defaults, you’ve failed no matter what.
We’re not talking about work computers. We’re talking about patients - end users who have downloaded documents from their doctor.
These people should not be blamed for using defaults, or for insecure actions happening from their inaction.
I said home computers multiple times and you again replied about work environments. You need to start paying attention.
Ah you’re thinking I’m reading your other comments to other people.
BTW HIPAA is for providers for their patients’ information handling. Once it’s in the person’s hands, it’s no longer under HIPAA and it no longer applies. If you decide to put your private medical information on a commercial advertisement board on a highway, and it’s not breaking laws to do with acceptable advertisement (eg gore or smut), you’ll be able to do that too.
Basically there’s no expectation for an individual person to adhere to HIPAA for their own personal information storage, and it doesn’t apply.
My assumption with your lawyer comment is this was an insurance or otherwise medical malpractice lawyer who might collect this information for their client cases, since without having client/patient requirements, HIPAA is irrelevant.