Is Azure HIPAA Compliant?

Is Microsoft Azure HIPAA compliant? Can HIPAA covered entities use Microsoft Azure cloud services in compliance with HIPAA Rules?

A lot of healthcare organizations are looking to the cloud as a better way to offer some of their services. Indeed, many have already made the switch. While the cloud represents a number of improvements in efficiency and may lower expenditure, are cloud services HIPAA compliant?

There are no blanket restrictions on cloud services in HIPAA. Different HIPAA Rules may impose obligations that could impact the use of certain types of cloud services, especially in relation to services dealing with protected health information (PHI).

While searching for a cloud service provider, it is almost impossible to discount the three tech giants: Amazon, Google, and Microsoft. We have covered Amazon and Google’s offerings in previous posts, so today we will focus on Microsoft Azure. Is Microsoft Azure HIPAA compliant?

Is Microsoft Azure HIPAA compliant?

The first step in checking whether a cloud service can be used by a healthcare organization to handle PHI is to check whether the provider is willing to enter into a Business Associate Agreement (BAA) with the HIPAA covered entity.

HIPAA classes cloud service providers as business associates. Therefore, the provider has to assure covered entities that all necessary aspects of HIPAA’s Privacy and Security Rules have been considered and addressed before PHI is used with the service. The BAA serves as this assurance, and is the only HIPAA compliant means of receiving it. It is a contract that explains each party’s duties and roles in relation to HIPAA. Even if the provider never views PHI, a BAA still has to be put in place.

Microsoft Signs BAAs for Azure

Microsoft has signed BAAs covering Azure in the past. This doesn’t automatically mean that Azure is HIPAA compliant.

As we often say, HIPAA compliance is not dependent on the options and the platform – even the most well designed tool can be misused. Compliance is ultimately dependent on the users. It is up to the covered entity to check that cloud services are set up correctly.

Azure in itself is not compliant, but it can be configured and used in a HIPAA compliant way. It includes measures to protect information and control access, as well as other necessary features.

Access, Integrity, Audit, and Security Controls

Azure is accessed via a secure, encrypted VPN. All data stored, sent to, or received from Azure servers is protected by this encryption.

To meet HIPAA’s access control requirements, which limit access to PHI to authorized accounts, user permissions can be configured using Active Directory. Multi-factor authentication is also available. Access and access attempts are recorded and logged by Azure to allow for audits and tracking by administrators.

With all of this being said, is Azure HIPAA compliant? We must reiterate that although Microsoft Azure includes all of the required settings and controls needed for HIPAA compliance, the responsibility falls on the covered entity to check that everything is set up correctly and that users are trained on the tool. Microsoft will accept no responsibility for HIPAA violations caused by the misuse of its services.