Azure & HIPAA Compliance

Many healthcare groups are choosing to move some of their services to the cloud, and a large number have already done so. The cloud provides many benefits and can help healthcare organizations lower their IT costs, but what about HIPAA?

HIPAA does not forbid healthcare groups from using cloud services; however, it does place certain restrictions on the services that can be used, at least as far as protected health information is concerned.

Most healthcare groups will consider one of the three main providers of cloud services: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Is Azure HIPAA compliant?

Is Azure Compliant with HIPAA Regulations?

Before any cloud service can be used by healthcare groups, they must first enter into a business associate agreement with the service provider.

Under HIPAA Rules, cloud service providers are referred to as business associates. Before any PHI can be uploaded to the cloud, HIPAA-covered entities must obtain satisfactory assurances that the service uses all the appropriate privacy and security safeguards to meet the obligations of the HIPAA Privacy and Security Rules.

Those assurances come in a business associate agreement – essentially a signed contract with a vendor in which the responsibilities of the vendor are outlined. The BAA must be obtained before any cloud service can be used for saving, processing, or sharing PHI. It does not matter if the service provider never accesses customers’ data: a BAA is still required.

Microsoft Will Complete a BAA for Azure

Microsoft is willing to complete a BAA with healthcare groups that covers Azure*, so does that make Azure HIPAA compliant?

Unfortunately, it is not that easy. No cloud platform can be entirely HIPAA compliant. Cloud HIPAA compliance is not so much about platforms and security controls, but how those services are implemented. Even a cloud service such as Azure can easily be used in a way that does not comply with HIPAA Rules. It is the responsibility of the covered entity to ensure cloud instances are configured appropriately.

So Azure is not HIPAA compliant as such, but it does support HIPAA compliance, and incorporates all the required safeguards to ensure HIPAA requirements can be satisfied.

Access, Integrity, Audit and Security Utilities

Microsoft provides a secure VPN connection to Azure, so data uploaded to, or deployed through, Azure is encrypted in transit, and all data stored in its cloud instances is encrypted at rest.

HIPAA requires access controls to be enabled to restrict who can access PHI. Azure offers these controls and uses Active Directory to allow permissions to be set. Multi-factor authentication can also be added.

Audit controls are also required for HIPAA compliance. Azure includes detailed logging, so administrators can view who accessed, or attempted to access, PHI.
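One way to act on the audit logging described above, as an added example that is not code from the article or from Microsoft: the script summarises constructed Azure Activity Log records by caller and flags repeated failed operations on PHI resources. The field names caller, operationName, status and resourceId follow the Activity Log schema; the PHI resource-group naming convention and the sample records are assumptions.

```python
"""Summarise who accessed, or tried to access, PHI-holding Azure resources.
Added example, not code from the article or from Microsoft. Records use the Azure
Activity Log field names caller, operationName, status and resourceId; the
records below are constructed sample data, not a real export.
"""
from collections import defaultdict

# Assumption: resources holding PHI are kept in resource groups whose name starts with "phi".
PHI_MARKER = "phi"
PHI_STORE = "/subscriptions/sub0/resourceGroups/phi-rg/providers/Microsoft.Storage/storageAccounts/phistore"
WEB_VM = "/subscriptions/sub0/resourceGroups/web-rg/providers/Microsoft.Compute/virtualMachines/web01"

def event(caller, op, status, resource_id):
    """Build one constructed record in the shape of an exported Activity Log entry."""
    return {"caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": resource_id}

SAMPLE_EVENTS = [
    event("alice@example.org", "Microsoft.Storage/storageAccounts/listKeys/action", "Succeeded", PHI_STORE),
    event("bob@example.org", "Microsoft.Storage/storageAccounts/listKeys/action", "Failed", PHI_STORE),
    event("bob@example.org", "Microsoft.Storage/storageAccounts/write", "Failed", PHI_STORE),
    event("bob@example.org", "Microsoft.Storage/storageAccounts/write", "Started", PHI_STORE),
    event("carol@example.org", "Microsoft.Compute/virtualMachines/start/action", "Succeeded", WEB_VM),
]

def is_phi_resource(resource_id):
    """True when the resource ID points into a PHI resource group (see PHI_MARKER)."""
    return f"/resourcegroups/{PHI_MARKER}" in resource_id.lower()

def summarise_phi_access(events):
    """Per caller: succeeded/failed counts on PHI resources plus the operations attempted.
    Records still in progress (status Started or Accepted) are skipped, so counts reflect final outcomes."""
    report = defaultdict(lambda: {"succeeded": 0, "failed": 0, "operations": set()})
    for ev in events:
        status = ev.get("status", {}).get("value")
        if not is_phi_resource(ev.get("resourceId", "")) or status not in ("Succeeded", "Failed"):
            continue
        entry = report[ev.get("caller", "<unknown>")]
        entry[status.lower()] += 1
        entry["operations"].add(ev["operationName"]["value"])
    return dict(report)

def callers_with_failures(events, threshold=2):
    """Callers whose failed PHI operations reach the threshold; a starting point for review."""
    return sorted(c for c, e in summarise_phi_access(events).items() if e["failed"] >= threshold)
```

Operations on non-PHI resources and in-progress records are excluded, so the report only reflects completed attempts against the resources that matter for the audit trail.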

So, are Azure cloud services HIPAA compliant? Azure can be used in a way that complies with HIPAA Rules, but note that it is the responsibility of the covered entity to ensure the service is set up and used appropriately and staff are trained on its use. Microsoft will accept no liability in relation to HIPAA violations caused as a result of the improper use of its services.

*Not all Azure services are incorporated in the BAA. See here for up-to-date details.
