HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Microsoft Office 365 Achieves Top Rating for HIPAA Compliance

Microsoft Office 365 cloud services for the healthcare industry have recently achieved the highest possible HITRUST CSF rating – a maximum score of five – in a certification review of their security and privacy controls initiated by Centura Health.

The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is a scalable, prescriptive and certifiable framework specific to healthcare organizations. It was designed with the aim of speeding up the process of vetting organizations and assessing multiple certification standards as part of a plan to move data to the cloud.

The CSF includes an assessment and certification process that simplifies the management of multiple standards – HIPAA, HITECH, PCI, COBIT, NIST and FTC – and assesses the level of “maturity” an organization or potential Business Associate has for particular security requirements.

The HITRUST CSF was based on the Program Review for Information Security Management Assistance (PRISMA) – the National Institute of Standards and Technology’s Computer Security Division’s NISTIR 7358 standard. As is the case with NISTIR 7358, an organization must be able to demonstrate five levels of maturity for each specific security requirement under test. By using the assessment, healthcare providers can speed up the process of monitoring and selecting BAs for compliance with industry regulations.

Many healthcare organizations have already adopted the HITRUST CSF, including Health Care Service Corporation, Anthem Inc., Hospital Corporation of America, Highmark Inc., IMS Health, UnitedHealth Group, Blue Cross Blue Shield of Massachusetts and Centura Health. These healthcare providers and insurers use the reports produced by certified HITRUST assessors to help them decide on which BAAs to use and to ensure continued compliance in the cloud.

The top security rating achieved by Microsoft Office 365 was one of the main reasons why Centura chose the company and its cloud services to serve its 15 hospitals and 18,000 staff.

According to a statement released by Centura Health’s Director of Data Security, Kris Kistler, “For Centura Health, it is important that our business partners are securing our information to the same standards that we adhere to.” He went on to say, “We believe that the HITRUST Common Security Framework (CSF) is the most comprehensive security framework available.”

This achievement shows that Microsoft is committed to implementing the strict security standards required by HIPAA and other regulations and is further evidence that the company is using HIPAA Security Rules as a minimum standard.

This is not the only standard the company has achieved. Microsoft was one of the first providers of cloud services to offer HIPAA-covered entities (CE) a HIPAA Business Associate Agreement (BAA), which it co-developed with the healthcare industry to ensure full compliance with industry regulations.

It was also the first provider of cloud services to adopt the world’s first international standard for cloud privacy known as ISO 27018. ISO 27018 was developed by the International Organization for Standardization with the intention of developing a more uniform approach to protecting privacy for personal data stored in the cloud.

Microsoft is certainly showing that it is committed to protecting data and ensuring it remains private and confidential, while allowing healthcare organizations to streamline their services and improve productivity by moving to the cloud.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.