Overview
OneDrive is a powerful tool for file storage, collaboration, and secure sharing. However, if you have access to sensitive information, folders, or files stored in OneDrive, you are responsible for ensuring that access permissions comply with applicable legal and regulatory requirements — such as HIPAA, FERPA, and other privacy standards.
Your Responsibilities as a Data Owner
- Review Permissions Regularly: Ensure that folders and files are only accessible to individuals who are authorized to view or use the information.
- Limit Access Appropriately: Set permissions to restrict content sharing to approved users only.
- Protect Privacy: Confirm that shared data does not violate privacy obligations or expose sensitive information to unauthorized parties.
Guidance
Please review the following topics to ensure your data is secure.
OneDrive is available both as a personal consumer product and as an enterprise solution. If you have a personal OneDrive account, be mindful not to use it inadvertently while working.
To ensure proper data handling and compliance with university policies:
- Always select the OneDrive – The University of Oregon account when saving, accessing, or sharing work-related files.
- Avoid using personal OneDrive accounts for any university-related documents or collaboration.
Using the correct account helps protect institutional data and ensures alignment with privacy, security, and compliance standards.
By separating your files, you will more easily identify files that need to be maintained or shared more securely due to the nature of their content.

Sharing files too broadly in OneDrive can lead to security incidents and compliance violations (e.g., HIPAA, FERPA, GDPR).
- Only share with individuals who are authorized and need access.
- Avoid using links like Anyone with the link can edit or Anyone within The University of Oregon can edit.
These options do not protect confidential or highly confidential data from unauthorized access.
Always verify sharing settings before sending links to ensure data privacy and regulatory compliance.
Only grant access to people who are authorized to view it!
- Individual files, as well as folders, can be shared with other users or with groups of users. When you share a file or folder, you can also specify what the user can do — e.g., edit, view only, block download. If you share a folder, the permissions granted will apply to every file within that folder unless they are specifically changed.
- Files can be shared as attachments to emails, or you can send a link to the file location in OneDrive.
- Do not set a link to “Anyone with the link” because it will work for anyone that you send the link to AND anyone they forward the link to, etc. Understanding this sharing/permission hierarchy will help you to ensure that your file/folder sharing is appropriately controlled.
There are several ways to access OneDrive, e.g., a mobile device, a web browser, the OneDrive app, or from within a Microsoft product. The method and options available for sharing are very similar.
Please look on the right side of this article to find the "Related Articles" section. Articles on how to share using various OneDrive clients are listed there. Please keep in mind:
To share using the web client:
- From the list of files/folders in OneDrive, select the folder or file you want to share
- Click the three dots to the right of the file name

- From the menu, select Share. The next screen looks like this:

- Begin typing the name of the person you'd like to add and then select them from the list.
- The default permission is People you specify can edit. If you click the cog in the Copy Link button, you can change not only the permissions you are granting, but also who the link will work for:

- Specific People is the most restrictive type of access link since it will only work for the specific people that you add. This is the proper method for sharing moderate risk or high risk data.
- Do not set a link to Anyone with the link can edit or view because it will work for anyone that you send the link to, anyone they forward the link to, etc.
- Please also note that you can set a link expiration. The Information Security Office strongly recommends that you set an expiration date. This prevents access to the data after a certain time. The link expiry settings are covered by the Can edit permissions drop-down menu:

Periodically review who a file or folder has been shared with, particularly for older files and files that are subject to external regulation (e.g. HIPAA, FERPA, GLBA, or GDPR). It is a good way of making sure that the file continues to be shared appropriately and meets expectations for protecting data. To check these permissions:
- Select the folder or file you want to review
- Click the three dots to the right of the file name
- From the drop-down menu, select Manage access

- Review the resulting screen to see individuals and groups with access.
- In the image below, you can see that there are three sections showing how the item has been shared: People, Groups, and Links.
- The image below shows the "Links" section, where three types of links have been generated — Anyone with the link can edit, People you specify can edit, and People you specify can view.
- For each link, you can see who has been given it (click “Anyone with the link can edit” to see a list of users for that link type).

- From this screen, you may do several things:
- Share with new users by clicking Share in the top left corner of the screen, then following the How to Share instructions above.
- Remove access for any user by clicking the "X" to the right of their name or email address.

- Remove an entire link type by clicking the three dots to the right of the link name and then clicking the X to the right of the link name on the following screen

NOTE: If you remove a link type, it will automatically remove access for everyone who uses that link.
- If you had generated a link allowing Anyone with the link can edit, for example, and then discovered during a review that it was being used by several people (some appropriately; some not), removing the link will remove access for all users.
- For appropriate users to continue to have access, you will need to re-share access using a different type of link (e.g., People you specify can edit) and then remove the Anyone with the link can edit link.
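The review of the Links section described above, automated as an added example that is not part of the original article or of Microsoft's tooling: it reads sharing permissions in the shape the Microsoft Graph API returns for a file or folder and flags Anyone and organization-wide links, plus links with no expiration date. The sample data, function names and finding codes are constructed for illustration.

```python
import json

# Constructed sample, shaped like the Microsoft Graph "permission" resources
# returned when listing sharing permissions on a drive item. Not real data.
SAMPLE = json.loads("""
{"value": [
  {"id": "p1", "roles": ["write"],
   "link": {"scope": "anonymous", "type": "edit"}},
  {"id": "p2", "roles": ["write"], "expirationDateTime": "2030-01-31T00:00:00Z",
   "link": {"scope": "users", "type": "edit"},
   "grantedToIdentitiesV2": [{"user": {"displayName": "Sample User A"}}]},
  {"id": "p3", "roles": ["read"], "expirationDateTime": "2030-01-31T00:00:00Z",
   "link": {"scope": "organization", "type": "view"}},
  {"id": "p4", "roles": ["read"],
   "grantedToV2": {"user": {"displayName": "Sample User B"}}}
]}
""")["value"]

# Link scopes the article says not to use for confidential data.
BROAD_SCOPES = {
    "anonymous": "Anyone with the link",
    "organization": "Anyone within the organization",
}

def review_links(permissions):
    """Return (permission id, code, message) for each sharing link to fix."""
    findings = []
    for perm in permissions:
        link = perm.get("link")
        if link is None:
            continue  # direct grant to a person or group: check it by hand
        pid, scope = perm.get("id", "?"), link.get("scope")
        if scope in BROAD_SCOPES:
            findings.append((pid, "broad-link",
                f"{BROAD_SCOPES[scope]} can {link.get('type')}: re-share with "
                "a Specific people link, then remove this link"))
        if not perm.get("expirationDateTime"):
            findings.append((pid, "no-expiry", "link has no expiration date"))
    return findings

def link_recipients(perm):
    """Names recorded against a Specific people link, for manual checking."""
    return [i["user"]["displayName"]
            for i in perm.get("grantedToIdentitiesV2", []) if "user" in i]

if __name__ == "__main__":
    for pid, code, msg in review_links(SAMPLE):
        print(f"{pid}: [{code}] {msg}")
```

Direct grants to people or groups (p4 in the sample) are skipped on purpose; they still need the manual check of the People and Groups sections.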
In order to perform a secure deletion of data in OneDrive, the user must first delete the file in their OneDrive account, then they must empty the recycle bin.
Steps to Securely Delete Files
Delete files from the cloud
- Go to the OneDrive Website or open the OneDrive folder on your computer.
- Select the files or folders you wish to delete
- Click the Delete button, which will move them to the Recycle Bin.
Empty the Recycle Bin
- Navigate to the Recycle Bin on the OneDrive website.
- Select Empty Recycle Bin or choose individual items and then click Delete.
- Confirm the action to permanently delete the items from OneDrive and all connected devices.
HIPAA compliance in OneDrive
Microsoft has entered into a Business Associate Agreement (BAA) with the university and OneDrive for Business has been configured for HIPAA compliance. You are still responsible for ensuring that your data is stored and shared securely. The above information can help ensure you are secure. If you have any questions about how to store data securely, please either request a consultation with the Information Security Office (using the service offering located on the left-hand side of this page) or send an email to the Information Security Risk and Compliance Team at isrc@uoregon.edu.
The Information Security Office strongly recommends that all University of Oregon HIPAA covered entities create documentation stating how the department or unit will be using OneDrive with HIPAA Data. This documentation would be solely for the internal purposes of the department or unit, e.g., user guides, processes, and procedures.
In addition to the above, the following measures can also help ensure HIPAA Compliance:
- Ensure files have proper ownership: Remove file access prior to users leaving the university and ensure that ownership has been transferred to another individual as appropriate. Remember, a user's OneDrive is deleted when they leave the university. The length of time that a OneDrive is retained is based on the user's affiliation with the university. Check out the Technology Access Timelines article for more information on how long services are retained once someone has left the university (OneDrive is part of Office 365 in that article).
- Manage Files: recover or permanently delete files from the recycle bin depending on your department’s specific retention requirements.
- Perform periodic access reviews: Review access permissions on a set timeline for sensitive information (every 30 days, every month, etc.)
References and Further Reading
Microsoft Support Articles for OneDrive
Glossary of Terms
- FERPA is the Family Educational Rights and Privacy Act, a federal law enacted in 1974 that protects the privacy of student education records at schools that receive funds from the U.S. Department of Education.
- GDPR is the General Data Protection Regulation, a comprehensive European Union law enacted in 2018 that sets strict rules for how organizations collect, process, and store personal data of individuals ("natural persons") within the European Economic Area.
- GLBA is the Gramm-Leach-Bliley Act, a U.S. federal law that requires financial institutions to protect the privacy, security, and confidentiality of consumers' non-public personal information.
- HIPAA is the Health Insurance Portability and Accountability Act, a US federal law enacted in 1996. It primarily aims to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
- Sensitive Data is data at the University of Oregon that has been classified as moderate risk or high risk, according to the Information Asset Classification & Management policy. Examples of data that has been classified may be found in the Data Security Classification Table (a sign in is required to access this resource).