Microsoft Adds HIPAA Compliance Features to Azure for Cloud Health Data

Microsoft now offers business associate agreements (BAA) for Windows Azure Core Services under the Health Insurance Portability and Accountability Act (HIPAA), the company announced in a July 25 blog post.

Under the HIPAA Privacy rule, covered entities (a doctor, health insurance provider or health care clearing-house) must include a BAA for documentation when seeking access to protected health information (PHI).

“Microsoft is really ready now to stand up and be the trusted steward for covered entities,” Dr. Mohamed Ayad, industry technical solution specialist for U.S. Health & Life Sciences at Microsoft, told eWEEK.

“PHI can reside safely in a Microsoft data center; now, we’re extending that to cover Azure as well,” said Ayad.

PHI includes anything that would identify a patient, such as an electronic health record or medical claim, he explained.

“In the past, one of the major concerns with moving that information to the cloud was how do we secure that data and make sure it’s safe,” said Ayad. “Now, a provider can put that data in Azure Core Services and be sure it’s in a HIPAA-secure environment.”

The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act made HIPAA more stringent by requiring organizations to publicly report health care data breaches.

In December, Microsoft announced that the Office 365 cloud office-productivity platform offers HIPAA-compliant capabilities for users, and earlier this year, it also introduced a BAA for its Dynamics customer-relationship management software.

Microsoft will offer BAA agreements in Azure for Web and worker roles in Cloud Services as well as tables, queues and binary large objects (BLOBS), which store unstructured data, such as video, audio and images.

Companies also can obtain BAAs for infrastructure as a service (IaaS) virtual machines and Windows Azure Connect, a machine-to-machine link between Azure and on-premise database servers and domain controllers.

Other parts of Azure getting BAA functionality include Traffic Manager, a load-balancing tool for multiple hosted Windows Azure services, and Virtual Network, which allows organizations to provision and manage virtual private networks (VPNs).

By creating a BAA for Azure, health care organizations can now create both a public cloud as well as hybrid setup, in which they’d store data in both a public cloud and on-premise in a private cloud.

“Security and privacy is at the core of how we develop our software,” said Ayad. “This is the next major milestone on our compliance road map.” The security development lifecycle of Azure will map directly to HIPAA controls, he said.

Although Azure provides doctors, health plans and other “covered entities” with HIPAA compliance capabilities, organizations will still need to make sure their use of the platform complies with the regulations, according to Ayad.

“Covered entities understand that compliance will be on them,” said Ayad. “We have to provide the tools to support the compliance.”

Microsoft incorporated support for BAAs in Azure by tweaking existing security controls in the platform and by adding additional controls, the company reported.

The company developed the BAA for Azure in consultation with providers, government officials, academic medical centers and large health plans, according to Ayad.

“This is really an industry-developed business associate agreement to make sure that when we implemented these safeguards and we capped it off with the business associate agreement, it would be acceptable to the industry and allow them to be safe and secure,” he said.

Editor’s note: This story has been updated to clarify Windows Azure’s capabilities in allowing users to become HIPAA-compliant.