Is Azure HIPAA Compliant?

Azure is Microsoft’s cloud services platform and it therefore has the potential to offer a lot to businesses, including businesses working in the healthcare arena, but is Azure compliant with the Health Insurance Portability and Accountability Act, known by most as HIPAA?

The benefits of the cloud, including aspects such as facilitated remote access, outsourcing of IT infrastructure and the potential for multiple backup copies of sensitive and business critical information to be stored off site, have attracted the attention of many healthcare organizations who may be wondering how these services fit in with their obligations under HIPAA.

Nothing under current HIPAA Rules prohibits HIPAA covered entities from using cloud service providers, but some extra attention is warranted when dealing with protected health information, PHI.

Google and Amazon, other well known giants in the information technology sector, also have cloud service offerings that bring their own unique advantages and drawbacks. Microsoft’s Azure is a contender which we will explore in more depth below.

Is Azure HIPAA compliant?

The first step to implementing or making use of a cloud service platform is to ensure that a sufficient business associate agreement (BAA) has been put in place with the service provider.

Certain types of service providers are exempt from this provision, but cloud services are not. The BAA between the healthcare organization or other HIPAA covered entity and the service provider must cover a number of areas and clearly assign roles, rights, and responsibilities to each party. The result must be a delivery of service that complies with all aspects of HIPAA and which does not put patient information at risk.

BAAs must always be in place before any PHI is uploaded or otherwise used with the platform or service. In the case of cloud service providers, whether or not the service provider access or uses the data is irrelevant to the necessity of a BAA under HIPAA rules. A BAA is always needed.

Microsoft are willing to enter into BAAs

This first hurdle is sometimes easier with larger companies as they often have standard BAAs, or are well-versed in providing BAAs to clients in the healthcare industry. Microsoft is no exception to this and will willingly enter into a BAA with a HIPAA covered entity. This does not mean, however, that all use of the software, service, or platform is now automatically HIPAA compliant.

Several subsequent steps must be taken to minimize risk. First of all, the correct settings of the service must be activated. Service platforms often provide a range of options to meet the needs of their clients and these are not always turned on by default. The HIPAA covered entity must ensure that all required elements are in place, even if service providers may offer advice or play a consultant role.

Secondly, staff must be trained to use the program correctly. Human error or malicious intent can lead to HIPAA violations. It must therefore always be kept in mind that a system, even a system from a reputable company like Microsoft which offers options for HIPAA compliance, does not guarantee that breaches will not occur.