Microsoft Business Associate Agreement
If your organization is a HIPAA Covered Entity, Business Associate, or subcontractor to either, and it creates, receives, maintains, or transmits electronic Protected Health Information (ePHI) via a covered Office 365, Dynamics 365, or Azure service, it will be necessary to enter into a Microsoft Business Associate Agreement.
Back in 2016, the Department of Health and Human Services (HHS) published an FAQ about whether a Cloud Service Provider could be considered a “conduit” for ePHI and thereby not qualify as a Business Associate. In the answer to the FAQ, HHS replied that Cloud Service Providers qualify as Business Associates because they have “persistent” access to ePHI (rather than “transient” access), even if ePHI is encrypted and the Cloud Service Provider does not have access to the decryption key.
Therefore, before an organization subject to HIPAA uses any cloud service (or any on-premises service that synchronizes via the cloud) to create, receive, maintain, or transmit ePHI, it is necessary to conduct due diligence on the vendor. If the vendor has appropriate measures in place to safeguard ePHI and agrees to comply with the requirements of the Security Rule, the organization must enter into a Business Associate Agreement with the vendor before the service is used.
If the vendor does not have measures in place to safeguard ePHI, if concerns exist about the vendor's ability to comply with the Security Rule, or if the vendor will not enter into a Business Associate Agreement, it is a violation of HIPAA (sections §164.308(b) and §164.314(a)) if the service is used to create, receive, maintain, or transmit ePHI. Fines in excess of $1 million have been issued by HHS' Office for Civil Rights to organizations that have violated this important area of compliance.
What the Microsoft Business Associate Agreement Covers
For users of Office 365, Dynamics 365, and Azure, the good news is that Microsoft does have appropriate measures in place to safeguard ePHI, will agree to comply with the requirements of the Security Rule, and is prepared to enter into a Business Associate Agreement – however, only for certain services. This means that Covered Entities, Business Associates, and subcontractors need to ensure the service they want to use is covered by the Microsoft Business Associate Agreement.
The Office 365 services covered by the Microsoft Business Associate Agreement are limited to those in its commercial portfolio and Government Community Cloud (GCC). If a small organization is using a personal or family Microsoft account to create, receive, maintain, or transmit ePHI, it will be necessary to upgrade the account before Microsoft will enter into a Business Associate Agreement. The commercial and GCC services covered by the Microsoft Business Associate Agreement are:
For organizations using Dynamics 365 or Azure Cloud services, there is a long list of services covered by the Microsoft Business Associate Agreement. These are listed in Appendix A (commercial Azure services) and Appendix B (Government Azure services) of the Microsoft Azure Compliance Offerings guide (PDF). When referring to this guide, it is important to ensure you are referring to the most recent version, as the Azure portfolio can rapidly expand and frequently change.
What the Microsoft HIPAA Business Associate Agreement Says
The first thing organizations need to know about entering into a Business Associate Agreement with Microsoft is that the company will not sign a Covered Entity's or Business Associate's own Business Associate Agreement. Covered Entities and Business Associates must sign the Microsoft Agreement, which can be found in the Service Trust Portal if your organization has a commercial or GCC account with Microsoft (because it is necessary to log into the Portal).
The company states customers must sign the Microsoft HIPAA Business Associate Agreement (rather than Microsoft signing the customer's Agreement) because it offers “hyper-scale, multi-tenant cloud services that are standardized for all customers” and “services are operated in a consistent manner regardless of customer”. To address potential concerns about the content of the Agreement, the company adds “Microsoft collaborated with a consortium of […] entities within healthcare to create a BAA that aligns with our hyper-scale cloud services and meets customer needs.”
Consequently, there are few surprises in the Microsoft HIPAA Business Associate Agreement – although it catches the eye that, while Microsoft will comply with requests for an Accounting of Disclosures, the company is not required to respond to individuals' ePHI access requests because Microsoft does not maintain ePHI in designated record sets. With regard to permitted uses and disclosures by Microsoft, we strongly recommend encrypting ePHI before sending it to the cloud. Note that encrypting the data does not remove the need for a Business Associate Agreement: as the HHS FAQ discussed above makes clear, a Cloud Service Provider remains a Business Associate even when it does not hold the decryption key.
Further Information about Business Associate Agreements
If you would like further information about Business Associate Agreements before using a Microsoft service to create, receive, maintain, or transmit ePHI, you are invited to review our guide to HIPAA Business Associate Agreements. The guide covers topics such as what should be included in an Agreement, known issues with Agreements, and common Agreement failures. If, after reading the guide, you still have questions about entering into a Microsoft HIPAA Business Associate Agreement, you should seek professional compliance advice.