Microsoft Azure and HIPAA HITECH compliance: What you should know

This blog was originally posted by Concerto Cloud Services. Since then, Concerto Cloud Services has become DXC Concerto, the mid-market cloud offering within DXC Technology.

Healthcare organizations in the United States must adhere to the requirements of both the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) for securing and protecting Electronic Protected Health Information (EPHI). Whether you view it as a positive or a negative, the federal government has left the IT security requirements in the HIPAA Security Rule purposely vague: the rule is technology-neutral and does not name specific products or controls. The overarching guideline is to employ reasonable and appropriate safeguards scaled to the size, complexity and capabilities of your organization, its technical infrastructure, the cost of the measures, and the probability and criticality of the risks to EPHI.

For healthcare organizations looking to leverage Microsoft Azure for healthcare data in the cloud, Microsoft has published implementation guidance for adhering to HIPAA and HITECH on Azure. The guidance defines the services in scope as: Cloud Services (both web and worker roles), Virtual Machines, Storage, Virtual Networks, Traffic Manager, Web Sites, BizTalk Services, Media Services, Mobile Services, Service Bus, Multi-Factor Authentication, Azure Active Directory, SQL Database, and any other features identified on the Azure Trust Center. Services not on that list are outside the scope of Microsoft's HIPAA commitments, regardless of how you configure them.

However, there are some important things to know regarding Microsoft’s HIPAA guidelines for Azure.

The Business Associate Agreement: The guidelines include Microsoft's agreement to sign a Business Associate Agreement (BAA). A BAA is the contract HIPAA requires between a covered entity (the healthcare organization) and any service provider that creates, receives, maintains or transmits EPHI on its behalf. It obligates the provider to safeguard that EPHI, to report breaches to the covered entity, and to comply with the applicable HIPAA rules; under HITECH the business associate is also directly liable for its own violations. Note that a BAA does not relieve the healthcare organization of its own obligations, so it does not simply transfer breach risk to the provider. The guide is clear that Microsoft will only sign a BAA with customers who have purchased an Enterprise Agreement. Microsoft also recommends in the document that customers should NOT (their emphasis, not mine) store or process EPHI in Azure outside the BAA's scope unless it is done in a way that renders the EPHI unusable, unreadable or indecipherable to unauthorized individuals, for example by encrypting it in accordance with HHS guidance, so that the breach notification requirements of HIPAA and HITECH do not apply.

Your responsibility for safeguards: While Microsoft takes responsibility for the underlying platform (the physical datacenters, network, and virtualization layer), the customer is still responsible for everything they build on it once the services have been provisioned: the guest operating systems, applications, data, identities and access, and network configuration. So, what does this mean for you as the healthcare provider? It means you still need to apply the applicable safeguards in your Azure environment just as you would on-premises. These include: encryption of data at rest, encryption of data in transit, least-privilege access models, data preservation policies (disaster recovery and business continuity), strong authentication policies, and a defense-in-depth security strategy. A BAA covers Microsoft's side of this shared responsibility; it does not audit or fix misconfigurations on yours.

So what is a healthcare provider to do if they want to take advantage of Azure’s cloud platform all the while ensuring that the proper safeguards are in place? For some, that means involving a managed services cloud provider such as Concerto to design, advise and provide round-the-cloud management of these secured environments.


Rob Curls is the Sales Solutions Advisor for DXC Concerto.
