Healthcare companies are not forbidden by HIPAA to utilize cloud services. With cloud services, organizations are able to lessen their IT expenses; however, there are guidelines to adhere to prior to hosting cloud service to ensure the privacy and security of protected health information (PHI). Microsoft Azure is one of the cloud service platforms available on the market. Can healthcare companies use Azure? Is Azure HIPAA compliant?
Cloud service providers employed by healthcare companies are viewed as business associates under to HIPAA. Hence, there should be a signed business associate agreement (BAA) between the healthcare company and the cloud service provider. A BAA is an agreement which affirms the duties of the vendor with respect to HIPAA Rules. Additionally, prior to using the cloud service for storing, processing or sharing PHI, it provides reasonable assurances that the vendor will protect patient privacy and satisfy HIPAA security requirements.
Should healthcare companies like to use Azure, Microsoft is prepared to enter into a BAA. Nevertheless, that does not mean Azure is automatically HIPAA compliant. Covered entities need configure their deployments correctly. Azure isn’t HIPAA compliant by itself, but Microsoft does support HIPAA compliance. It is up to the covered entity to ensure that is the case.
Microsoft offers access and security controls detailed below to support HIPAA compliance:
- It uses a secure VPN for connecting to Azure
- It uses encryption for all data stored in its cloud
- Azure links with Active Directory allowing permissions to be set by user or user group to restrict those able to access PHI.
- Microsoft Azure logs access and maintains an audit trail. Administrators are able to see who attempted or gained access to PHI.
Microsoft will not be responsible for any HIPAA violation because of improper use of its services. The covered entity is accountable for making certain Azure is utilized appropriately. However, the necessary controls and features are in place, so Azure can be considered a HIPAA-compliant cloud platform.