Does Azure comply with HIPAA? Can HIPAA covered entities use Microsoft's cloud services without breaching the HIPAA Rules?
Many healthcare organizations are considering moving some of their services to the cloud, and a large number already have. The cloud offers significant benefits and can help healthcare organizations lower their IT costs, but where does HIPAA stand?
HIPAA does not forbid healthcare organizations from using cloud services; however, it does place restrictions on how those services can be used, at least where protected health information (PHI) is concerned.
Most healthcare organizations will consider the three main cloud service providers: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
Does Azure comply with HIPAA?
Before a healthcare organization uses any cloud service for PHI, it must enter into a business associate agreement (BAA) with the service provider.
Under the HIPAA Rules, a cloud service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate. Before any PHI can be moved to the cloud, the covered entity must obtain satisfactory assurances that the provider has the privacy and security safeguards needed to meet the requirements of the HIPAA Privacy and Security Rules.
Those assurances are provided in a business associate agreement, essentially a contract with the vendor that sets out the vendor's responsibilities. The BAA must be signed before the cloud service is used to store, process, or share PHI. It does not matter if the service provider does not, or cannot, access the customer's data: a BAA is still required, and that holds even when the data is encrypted and the provider does not hold the key.
Microsoft will Complete a BAA for Azure
Microsoft will sign a BAA with healthcare organizations that covers Azure*, so does that make Azure HIPAA compliant?
Unfortunately, it is not that simple. No cloud platform can be HIPAA compliant on its own, and there is no official HIPAA certification for a platform to hold. Cloud HIPAA compliance is less about the platform and its security controls and more about how those services are used. Even a service such as Azure can be used in a way that breaches the HIPAA Rules. It is the responsibility of the covered entity to ensure that cloud resources are configured correctly.
So Azure cannot be described as HIPAA compliant per se, but it supports HIPAA compliance: it provides the safeguards needed for a covered entity to meet HIPAA requirements, provided those safeguards are actually switched on and used.
Access, Integrity, Audit and Security Measures
Azure supports encryption of data in transit, using TLS to its service endpoints and VPN Gateway or ExpressRoute for private connectivity, so data placed on or retrieved from Azure can be encrypted end to end. Data stored in Azure Storage is encrypted at rest by default, and customers can choose to manage their own encryption keys. Note that transport settings such as enforcing HTTPS-only access and a minimum TLS version are per-resource settings that the customer must configure.
HIPAA requires access controls to restrict who can access PHI. Azure provides these through Azure Active Directory (now Microsoft Entra ID) and role-based access control (RBAC), which allow permissions to be granted on a least-privilege basis. Multi-factor authentication can also be enforced through conditional access policies.
Audit controls are also required for HIPAA compliance. Azure provides activity logs and per-resource diagnostic logs through Azure Monitor, giving administrators visibility into who accessed or attempted to access PHI, but resource-level diagnostic logging must be enabled and routed to a retained destination (for example a Log Analytics workspace or storage account) for that record to exist.
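Because the safeguards described above only help if they are actually configured, a covered entity should verify them per resource rather than trust defaults. The following is an added example, not code from the original article or from Microsoft: it evaluates the JSON that `az storage account show --name <account> --resource-group <group>` returns for the encryption-in-transit, identity-based access and public-exposure settings discussed here, and prints the `az storage account update` command that would correct them. The sample account JSON is constructed for this example (the property names and CLI flags are those of the Azure CLI as the author of this example knows them; verify against current Microsoft documentation).

```python
"""Check an Azure Storage account's configuration for the HIPAA safeguards
discussed in the article: encryption in transit, identity-based access
control, and no anonymous or public exposure of PHI.

Input is the JSON from `az storage account show`. The sample below is a
CONSTRUCTED example of a weakly configured account, not real data.
"""
import json

# Constructed sample: several settings that a PHI store should not have.
SAMPLE_ACCOUNT_JSON = """
{
  "name": "phiarchive01",
  "resourceGroup": "rg-health",
  "kind": "StorageV2",
  "enableHttpsTrafficOnly": false,
  "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": true,
  "publicNetworkAccess": "Enabled",
  "encryption": {
    "keySource": "Microsoft.Storage",
    "services": {"blob": {"enabled": true}, "file": {"enabled": true}}
  }
}
"""


def audit_storage_account(account: dict) -> list:
    """Return a list of findings (empty list means all checks passed)."""
    findings = []
    # Encryption in transit: reject plaintext HTTP and legacy TLS.
    if account.get("enableHttpsTrafficOnly") is not True:
        findings.append("enableHttpsTrafficOnly is not true: PHI may be sent over plaintext HTTP")
    tls = account.get("minimumTlsVersion") or "TLS1_0"  # unset historically meant TLS 1.0
    if tls not in ("TLS1_2", "TLS1_3"):
        findings.append(f"minimumTlsVersion is {tls}: require TLS 1.2 or later")
    # Access control: anonymous blob access and shared-key access both bypass
    # Azure AD RBAC and therefore MFA and per-user audit trails.
    if account.get("allowBlobPublicAccess") is not False:  # null = legacy default (allowed)
        findings.append("allowBlobPublicAccess is not false: containers can be made anonymously readable")
    if account.get("allowSharedKeyAccess") is not False:  # null = shared key permitted
        findings.append("allowSharedKeyAccess is not false: account keys bypass Azure AD RBAC and MFA")
    if account.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled: prefer private endpoints for PHI stores")
    # Encryption at rest: Azure enables service encryption by default, but check anyway.
    services = account.get("encryption", {}).get("services", {})
    for svc in ("blob", "file"):
        if not services.get(svc, {}).get("enabled", False):
            findings.append(f"{svc} service encryption at rest is not enabled")
    return findings


def remediation_command(account: dict) -> str:
    """Build the `az storage account update` command that hardens the account."""
    return (
        f"az storage account update --name {account['name']} "
        f"--resource-group {account['resourceGroup']} "
        "--https-only true --min-tls-version TLS1_2 "
        "--allow-blob-public-access false --allow-shared-key-access false "
        "--public-network-access Disabled"
    )


def audit_json(text: str) -> list:
    """Convenience wrapper: audit an account from its JSON text."""
    return audit_storage_account(json.loads(text))


def audit_sample() -> list:
    """Audit the constructed sample account."""
    return audit_json(SAMPLE_ACCOUNT_JSON)


if __name__ == "__main__":
    acct = json.loads(SAMPLE_ACCOUNT_JSON)
    for finding in audit_storage_account(acct):
        print("FINDING:", finding)
    print("Remediate with:\n ", remediation_command(acct))
```

To audit a live account, pipe the CLI output into `audit_json`: `az storage account show --name <account> --resource-group <group> | python3 -c 'import sys, audit; print(audit.audit_json(sys.stdin.read()))'` (assuming the block is saved as `audit.py`). Disabling shared-key access is the setting that actually forces Azure AD authentication, and so MFA and named-user audit logs, on every blob operation; it is also the change most likely to break legacy applications, so test it before enforcing it on a production PHI store.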
So, can Azure be considered HIPAA compliant? Azure can be used in a manner that meets the HIPAA Rules, but it remains the responsibility of the covered entity to ensure that the service is configured and used properly and that staff are trained in its use. Microsoft accepts no responsibility for HIPAA violations that result from misuse or misconfiguration of its services.
*Microsoft states that all Azure services are covered by its BAA; confirm the current scope in Microsoft's published list of covered services before storing PHI in any given service.