HIPAA Compliance and Microsoft Azure

Does Azure comply with HIPAA? Can Microsoft’s cloud services be implemented by HIPAA-covered entities without breaching HIPAA Rules?

Many healthcare groups are considering shifting some of their services to the cloud, and a large number already have. The cloud provides significant benefits and can help healthcare groups lower their IT costs, but what about HIPAA?

HIPAA does not forbid healthcare groups from using cloud services; however, it does place certain restrictions on the services that can be implemented, at least in relation to protected health information (PHI).

Most healthcare groups will consider the three main providers of cloud services: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

Does Azure comply with HIPAA?

Before a healthcare group implements any cloud service, it must complete a business associate agreement (BAA) with the service provider.

Under HIPAA legislation, cloud service providers are categorized as business associates. Before any PHI can be moved to the cloud, HIPAA-covered entities must obtain satisfactory assurances that the service includes all the proper privacy and security measures to meet the requirements of the HIPAA Privacy and Security Rules.

Those assurances are provided in a business associate agreement – basically a contract with a vendor in which the responsibilities of the vendor are outlined. The BAA must be completed before any cloud service can be implemented for storing, processing, or sharing PHI. It does not matter if the service supplier does not access customers’ data; a BAA is still obligatory.

Microsoft will Complete a BAA for Azure

Microsoft has made provision to sign a BAA with healthcare groups that covers Azure*, so does that make Azure HIPAA compliant?

Sadly, it is not that easy. No cloud platform can be completely HIPAA compliant. Cloud HIPAA compliance is less about platforms and security controls and more about how those services are used. Even a cloud service such as Azure can be used in a way that breaches HIPAA Rules. It is the responsibility of the covered entity to ensure cloud instances are configured correctly.

So Azure cannot be categorized as HIPAA compliant per se, but it does adhere to HIPAA and includes all the necessary safeguards to ensure HIPAA requirements can be met.

Access, Integrity, Audit and Security Measures

Microsoft has in place a secure VPN to connect to Azure, so any data placed on, or downloaded from, Azure is encrypted in transit, and all data stored in its cloud instances is encrypted at rest.

HIPAA requires access controls to be put in place to restrict who can access the PHI. Azure offers these security measures and uses Active Directory to allow permissions to be set. Multi-factor authentication can also be utilized.

Audit controls are also obligatory for HIPAA compliance. Azure includes detailed logging, so administrators have visibility into who accessed, or tried to access, PHI.
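Since the article places the burden of correct configuration on the covered entity, the following added example (not Microsoft's tooling and not part of the original article) shows how the four safeguards named above can be checked mechanically against an exported storage account configuration. The property names (supportsHttpsTrafficOnly, minimumTlsVersion, allowBlobPublicAccess, networkAcls.defaultAction, encryption.services.blob.enabled) and the diagnostic log categories follow the Azure Resource Manager storage schema as the editor understands it; treat them as assumptions and verify against your own export. The two account definitions and the role assignments are constructed samples.

```python
"""Check an exported Azure storage account configuration against the safeguards
the article names: encryption at rest, encryption in transit, restricted access,
and audit logging. Added example code, not Microsoft's own tooling. ARM property
names below are assumptions to verify against a real `az storage account show` export."""

TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}
# Diagnostic log categories for blob access (assumed names; verify in your tenant)
REQUIRED_LOG_CATEGORIES = {"StorageRead", "StorageWrite", "StorageDelete"}


def assess_storage_account(account: dict, diagnostic_settings: list, role_assignments: list) -> list:
    """Return a list of (control, finding) tuples; an empty list means no gaps found."""
    findings = []
    props = account.get("properties", {})

    # Encryption at rest: blob service encryption must be on (platform- or customer-managed key).
    blob_enc = props.get("encryption", {}).get("services", {}).get("blob", {})
    if not blob_enc.get("enabled", False):
        findings.append(("encryption-at-rest", "blob service encryption is disabled"))

    # Encryption in transit: require HTTPS only and a TLS 1.2 floor.
    if not props.get("supportsHttpsTrafficOnly", False):
        findings.append(("encryption-in-transit", "plaintext HTTP is allowed"))
    if TLS_RANK.get(props.get("minimumTlsVersion", "TLS1_0"), 0) < TLS_RANK["TLS1_2"]:
        findings.append(("encryption-in-transit", "minimum TLS version below 1.2"))

    # Access control: no anonymous blob access and default-deny network rules.
    if props.get("allowBlobPublicAccess", True):
        findings.append(("access-control", "anonymous public blob access is allowed"))
    if props.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        findings.append(("access-control", "network ACL default action is not Deny"))

    # Access control: data-plane roles should be granted to directory groups so that
    # membership can be reviewed, not to individual user accounts.
    for ra in role_assignments:
        if ra.get("principalType") == "User":
            findings.append(("access-control", f"role {ra.get('roleName')} assigned directly to a user"))

    # Audit logging: read, write and delete operations must all be logged.
    enabled = {
        log["category"]
        for ds in diagnostic_settings
        for log in ds.get("properties", {}).get("logs", [])
        if log.get("enabled")
    }
    missing = REQUIRED_LOG_CATEGORIES - enabled
    if missing:
        findings.append(("audit-logging", f"log categories not enabled: {sorted(missing)}"))
    return findings


# Constructed sample: a weakly configured account holding PHI (not a real account).
WEAK_ACCOUNT = {
    "name": "phistoreweak",
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "minimumTlsVersion": "TLS1_0",
        "allowBlobPublicAccess": True,
        "networkAcls": {"defaultAction": "Allow"},
        "encryption": {"services": {"blob": {"enabled": True}}, "keySource": "Microsoft.Storage"},
    },
}

# Constructed sample: the same account after hardening.
HARDENED_ACCOUNT = {
    "name": "phistorehardened",
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False,
        "networkAcls": {"defaultAction": "Deny"},
        "encryption": {"services": {"blob": {"enabled": True}}, "keySource": "Microsoft.Keyvault"},
    },
}

# Constructed diagnostic settings and role assignments.
AUDIT_SETTINGS = [{"properties": {"logs": [
    {"category": c, "enabled": True} for c in ("StorageRead", "StorageWrite", "StorageDelete")]}}]
GROUP_ROLE = [{"roleName": "Storage Blob Data Reader", "principalType": "Group"}]
USER_ROLE = [{"roleName": "Storage Blob Data Contributor", "principalType": "User"}]


if __name__ == "__main__":
    for label, acct, ds, ras in (("weak", WEAK_ACCOUNT, [], USER_ROLE),
                                 ("hardened", HARDENED_ACCOUNT, AUDIT_SETTINGS, GROUP_ROLE)):
        print(f"{label}: {acct['name']}")
        for control, finding in assess_storage_account(acct, ds, ras) or [("ok", "no gaps found")]:
            print(f"  [{control}] {finding}")
```

Run against a real export by loading the JSON from `az storage account show`, `az monitor diagnostic-settings list` and `az role assignment list` into the three arguments; the checker only inspects the fields above, so additional fields in the export are ignored.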

So, can Azure be deemed HIPAA compliant? Basically, Azure can be implemented in a manner that meets HIPAA Rules, but remember that it is the responsibility of the covered entity to make sure the service is set up and used properly and that staff are guided on its use. Microsoft will accept no responsibility for HIPAA breaches that occur due to the misuse of its services.

*Remember that all Azure services are incorporated in the BAA; check Microsoft's current BAA documentation for up-to-date details.

About Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: https://www.linkedin.com/in/pkkennedy/