HIPAA does not prohibit healthcare organizations from using cloud services. Cloud services allow organizations to lower their IT costs. But there are rules to follow before any cloud service can be used, to ensure the security and confidentiality of protected health information (PHI). One of the cloud service providers out there is Microsoft Azure. So we need to answer the question “Is Azure HIPAA compliant?”
Cloud services used by healthcare organizations are considered business associates under HIPAA Rules. So, there must first be a signed business associate agreement (BAA) between the two parties. A BAA is a contract that states the responsibilities of the vendor (cloud service provider). Also, before storing, processing or sharing PHI using the cloud service, there must be satisfactory assurance that it meets appropriate privacy and security safeguard requirements.
When healthcare organizations want to use Azure, Microsoft is willing to sign a BAA. However, it doesn’t mean that Azure is already HIPAA compliant. For cloud platforms including Azure to be HIPAA compliant, they must be used in a way that does not violate HIPAA Rules. Covered entities are also responsible for configuring their cloud settings correctly. Azure is not HIPAA compliant per se, but it supports HIPAA compliance as long as all required safeguards are satisfied.
Microsoft provides the following access and security controls for HIPAA compliance:
- A secure VPN to connect to Azure
- All data stored in its cloud are encrypted
- Azure uses Active Directory to set permissions including multi-factor authentication. This limits who can have access to PHI.
- Azure includes detailed logging for easy auditing. This allows administrators to see who accessed or tried to access PHI.
Since Azure has the needed safeguards to satisfy HIPAA Rules, Microsoft will not accept responsibility for HIPAA violations due to misuse of its services. The covered entity is responsible for making sure the service is used correctly. This is where the importance of well-trained staff comes in.