Microsoft Azure is not HIPAA compliant by itself. Microsoft will, however, sign a business associate agreement for Azure, and Azure includes safeguards that can support compliance with the HIPAA Privacy Rule and HIPAA Security Rule when a covered entity configures and uses the services appropriately. Not all Azure services are included in the business associate agreement.
Under HIPAA, cloud service providers are considered Business Associates. Before any protected health information is uploaded to a cloud service, a HIPAA Covered Entity must obtain satisfactory assurances that the service incorporates privacy and security safeguards that meet the requirements of the HIPAA Privacy Rule and HIPAA Security Rule. Those assurances are documented in a business associate agreement that describes the vendor’s responsibilities. The business associate agreement must be obtained before any cloud service is used for storing, processing, or sharing protected health information. The business associate agreement is required even if the service provider does not access customers’ data.
Microsoft is willing to sign a business associate agreement with healthcare organizations that covers Azure services. A signed business associate agreement does not mean a cloud platform is HIPAA compliant in all configurations. Compliance depends on how the services are used. A covered entity is responsible for selecting Azure services that are covered by the business associate agreement and for ensuring cloud instances are configured correctly.
Azure includes access, integrity, audit, and security controls that can be used to satisfy safeguard requirements. Microsoft provides a secure virtual private network connection to Azure, so data in transit to and from Azure is encrypted, and data stored in Azure cloud instances is encrypted at rest. Azure supports access controls through Active Directory, so permissions can be set per user and multi-factor authentication can be added. Azure supports audit controls through detailed logging, so administrators can see who accessed, and who attempted to access, protected health information.
A HIPAA Covered Entity remains responsible for online HIPAA training on the organization’s approved use of Azure and for preventing the use of non-covered Azure services for protected health information. Microsoft does not accept responsibility for HIPAA violations caused by misuse of its services.
