

Azure & HIPAA HITECH Compliance: What You Should Know

Healthcare organizations in the United States must adhere to both HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health Act) when securing and protecting Electronic Protected Health Information (EPHI).  Whether you view it as a positive or a negative, the Federal Government has left the IT security requirements in HIPAA deliberately vague: the Security Rule is technology-neutral and asks for safeguards that are "reasonable and appropriate" for the size, complexity and risk profile of your organization, rather than prescribing specific products or settings.
For healthcare organizations looking to use Microsoft Azure for healthcare data in the cloud, Microsoft has published implementation guidance for adhering to HIPAA and HITECH on Azure (available here).  The guidance defines the in-scope services as: Cloud Services (both web and worker roles), Virtual Machines, Storage, Virtual Networks, Traffic Manager, Web Sites, BizTalk Services, Media Services, Mobile Services, Service Bus, Multi-Factor Authentication, Azure Active Directory, SQL Database, and any other features identified on the Azure Trust Center.  Services not on that list are outside the scope of Microsoft's commitments, which matters for the agreement discussed next.
However, there are some important things to know regarding Microsoft’s HIPAA guidelines for Azure:
The Business Associate Agreement: The guidelines include requirements for Microsoft to agree to sign a Business Associate Agreement (BAA).  A BAA is the standard contract between a healthcare organization (the covered entity) and a service provider that handles EPHI on its behalf (the business associate).  It obligates the provider to apply HIPAA's safeguards and to report breaches, and under HITECH the business associate is directly liable for its own violations; it does not, however, remove the covered entity's own responsibility for the data.  The guide is clear that Microsoft will only sign a BAA with customers who have purchased an Enterprise Agreement.  Microsoft also recommends in the document that customers should NOT (their emphasis, not mine) store or process EPHI in Azure outside the BAA's scope unless it is done in a way that renders the EPHI unusable, unreadable or indecipherable to unauthorized persons, so that the breach notification requirements of HIPAA and HITECH do not apply.  In practice that means the data is encrypted in line with HHS guidance, with the decryption keys kept separate from the service that holds the data; access controls alone do not qualify.
Your responsibility for safeguards: While Microsoft takes responsibility for the underlying platform, the customer remains responsible for its own environment once the services have been provisioned.  So what does this mean for you as the healthcare provider?  It means you still need to apply the applicable safeguards in your Azure environment just as you would on-premises.  These include: encryption of data at rest, encryption of data in transit, least-privilege access models, data preservation policies (disaster recovery, business continuity), strong authentication policies (the in-scope Multi-Factor Authentication service is the obvious starting point), and a defense-in-depth security strategy.  The BAA covers Microsoft's side of that line, not yours.
So what is a healthcare provider to do if they want to take advantage of Azure's cloud platform while ensuring that the proper safeguards are in place? For some, that means involving a managed services cloud provider such as Concerto to design, advise and provide round-the-cloud management of these secured environments. Visit Concerto's website for more information on fully-managed cloud services for HIPAA HITECH. To learn best practices regarding how to deploy these controls in an Azure environment, follow Concerto Cloud Services on Twitter to be alerted to future blog posts on this topic.
