Is Azure HIPAA compliant? Can Microsoft’s cloud services be used by HIPAA covered entities without violating HIPAA Rules?
Many healthcare organizations are considering moving some of their services to the cloud, and a large percentage already have. The cloud offers considerable benefits and can help healthcare organizations lower their IT costs, but what about HIPAA?
HIPAA does not prohibit healthcare organizations from taking advantage of cloud services; however, it does place certain restrictions on the services that can be used, at least as far as protected health information is concerned.
Most healthcare organizations will consider the three main providers of cloud services: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. We have already covered AWS HIPAA compliance here, but what about Azure? Is Azure HIPAA compliant?
Is Azure HIPAA Compliant?
Before any cloud service can be used by healthcare organizations, they must first enter into a business associate agreement with the service provider.
Under HIPAA Rules, cloud service providers are considered business associates. Before any PHI can be uploaded to the cloud, HIPAA-covered entities must obtain satisfactory assurances that the service incorporates all the appropriate privacy and security safeguards to meet the requirements of the HIPAA Privacy and Security Rules.
Those assurances come in the form of a business associate agreement – essentially a contract with a vendor in which the responsibilities of the vendor are explained. The BAA must be obtained before any cloud service can be used for storing, processing, or sharing PHI. It does not matter if the service provider does not access customers’ data. A BAA is still required.
Microsoft Will Sign a BAA for Azure
Microsoft is willing to sign a BAA with healthcare organizations that covers Azure*, so does that make Azure HIPAA compliant?
Unfortunately, it is not that simple. No cloud platform can be truly HIPAA compliant. Cloud HIPAA compliance is not so much about platforms and security controls, but how those services are used. Even a cloud service such as Azure can easily be used in a way that violates HIPAA Rules. It is the responsibility of the covered entity to ensure cloud instances are configured correctly.
So Azure is not HIPAA compliant per se, but it does support HIPAA compliance, and incorporates all the necessary safeguards to ensure HIPAA requirements can be satisfied.
Access, Integrity, Audit and Security Controls
Microsoft provides a secure VPN to connect to Azure, so any data uploaded to, or downloaded from, Azure is encrypted, and all data stored in its cloud instances is encrypted.
HIPAA requires access controls to be implemented to limit who can access PHI. Azure offers these controls and uses Active Directory to allow permissions to be set. Multi-factor authentication can also be added.
Audit controls are also necessary for HIPAA compliance. Azure includes detailed logging, so administrators can see who accessed, or attempted to access, PHI.
So, is Azure HIPAA compliant? Azure can be used in a way that satisfies HIPAA Rules, but note that it is the responsibility of the covered entity to ensure the service is configured and used correctly and staff are trained on its use. Microsoft will accept no responsibility for HIPAA violations caused as a result of the misuse of its services.
*Not all Azure services are included in the BAA. See here for up-to-date information.