Go Premium for a chance to win a PS4. Enter to Win


Azure & HIPAA HITECH Compliance: What You Should Know

Published on
3,579 Points
Last Modified:
Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protecting Electronic Protected Health Information (EPHI).  Whether you view it as a positive or negative, the Federal Government has left the requirements of IT Security in HIPAA purposely vague.  The overarching guideline is to employ best practices based on the size of your organization.
For healthcare organizations looking to leverage Microsoft Azure for healthcare data in the cloud, Microsoft has published implementation guidance for adhering to HIPAA and HITECH on Azure (available here).  The guidance defines items in scope as: cloud services (both web and worker roll), Virtual Machines, Storage, Virtual Networks, Traffic Manager, Web Sites, BizTalk Services, Media Services, Mobile Services, Service Bus, Multi-Factor Authentication, Azure Active Directory, SQL Database and any other features identified on the Azure Trust Center.
However, there are some important things to know regarding Microsoft’s HIPAA guidelines for Azure:
The Business Associates Agreement: The guidelines include requirements for Microsoft to agree to sign a Business Associates Agreement (BAA).  A BAA is a common contract between a Healthcare Organization and a service provider with access to EPHI that transfers the risk in case of a breach to the service provider.  The guide is clear that Microsoft will only sign a BAA with customers who have purchased an Enterprise Agreement.  Microsoft also recommends in the document that customers should NOT (their emphasis, not mine) store or process EPHI in Azure outside of the BAA’s scope unless it is done in a way to render the EPHI unusable, unreadable or indecipherable so that the breach notification requirement of HIPAA and HITECH do not apply.
Your responsibility to safeguards: While Microsoft takes responsibility for the underlying platform, the customer is still responsible for their environment once the services have been provisioned.  So, what does this mean for you as the healthcare provider?  It means you still need to ensure you apply the applicable safe guards in your Azure environment as you would on-premise.  These include items like: Encryption of Data at rest, Encryption of Data in Transit, Least privileged access models, Data Preservation policies (DR, BC), Strong Authentication policies and defense in depth security strategies.
So what is a healthcare provider to do if they want to take advantage of Azure’s cloud platform all the while ensuring that the proper safeguards are in place? For some, that means involving a managed services cloud provider such as Concerto to design, advise and provide round-the-cloud management of these secured environments. Visit Concerto’s website for more information on fully-managed cloud services for HIPAA HITECH. To learn best practices regarding how to deploy these controls in an Azure Environment, follow Concerto Cloud Services on Twitter to be alerted on future blog posts on this topic.

By clicking you agree to the Terms of Use and Privacy Policy.

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Join & Write a Comment

As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month