Microsoft Adds HIPAA Compliance Features to Azure for Cloud Health Data

 
 
By Brian T. Horowitz  |  Posted 2012-07-27 Email Print this article Print
 
 
 
 
 
 
 

Microsoft announced that the Windows Azure cloud platform allows customers to meet HIPAA regulations on business associate agreements.

Microsoft now offers business associate agreements (BAA) for Windows Azure Core Services under the Health Insurance Portability and Accountability Act (HIPAA), the company announced in a July 25 blog post.

Under the HIPAA Privacy rule, covered entities (a doctor, health insurance provider or health care clearing-house) must include a BAA for documentation when seeking access to protected health information (PHI).

"Microsoft is really ready now to stand up and be the trusted steward for covered entities," Dr. Mohamed Ayad, industry technical solution specialist for U.S. Health & Life Sciences at Microsoft, told eWEEK.

"PHI can reside safely in a Microsoft data center; now, we're extending that to cover Azure as well," said Ayad.

PHI includes anything that would identify a patient, such as an electronic health record or medical claim, he explained.

"In the past, one of the major concerns with moving that information to the cloud was how do we secure that data and make sure it's safe," said Ayad. "Now, a provider can put that data in Azure Core Services and be sure it's in a HIPAA-secure environment."

The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act made HIPAA more stringent by requiring organizations to publicly report health care data breaches.

In December, Microsoft announced that the Office 365 cloud office-productivity platform offers HIPAA-compliant capabilities for users, and earlier this year, it also introduced a BAA for its Dynamics customer-relationship management software.

Microsoft will offer BAA agreements in Azure for Web and worker roles in Cloud Services as well as tables, queues and binary large objects (BLOBS), which store unstructured data, such as video, audio and images.

Companies also can obtain BAAs for infrastructure as a service (IaaS) virtual machines and Windows Azure Connect, a machine-to-machine link between Azure and on-premise database servers and domain controllers.

Other parts of Azure getting BAA functionality include Traffic Manager, a load-balancing tool for multiple hosted Windows Azure services, and Virtual Network, which allows organizations to provision and manage virtual private networks (VPNs).

By creating a BAA for Azure, health care organizations can now create both a public cloud as well as hybrid setup, in which they'd store data in both a public cloud and on-premise in a private cloud.

"Security and privacy is at the core of how we develop our software," said Ayad. "This is the next major milestone on our compliance road map." The security development lifecycle of Azure will map directly to HIPAA controls, he said.

Although Azure provides doctors, health plans and other "covered entities" with HIPAA compliance capabilities, organizations will still need to make sure their use of the platform complies with the regulations, according to Ayad.

"Covered entities understand that compliance will be on them," said Ayad. "We have to provide the tools to support the compliance."

Microsoft incorporated support for BAAs in Azure by tweaking existing security controls in the platform and by adding additional controls, the company reported.

The company developed the BAA for Azure in consultation with providers, government officials, academic medical centers and large health plans, according to Ayad.

"This is really an industry-developed business associate agreement to make sure that when we implemented these safeguards and we capped it off with the business associate agreement, it would be acceptable to the industry and allow them to be safe and secure," he said.

Editor's note: This story has been updated to clarify Windows Azure's capabilities in allowing users to become HIPAA-compliant.

 
 
 
 
Brian T. Horowitz is a freelance technology and health writer as well as a copy editor. Brian has worked on the tech beat since 1996 and covered health care IT and rugged mobile computing for eWEEK since 2010. He has contributed to more than 20 publications, including Computer Shopper, Fast Company, FOXNews.com, More, NYSE Magazine, Parents, ScientificAmerican.com, USA Weekend and Womansday.com, as well as other consumer and trade publications. Brian holds a B.A. from Hofstra University in New York.

Follow him on Twitter: @bthorowitz

 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel