I'm just wondering if anyone has been able to get any information about running an application on Azure that needs to be HIPAA compliant? It seems like from a technical perspective it can be made compliant. From a legal perspective, Microsoft would have to be considered a covered entity and would require signing a business associate agreement.
Thanks Leo Lin, I think from the technical side it can be made compliant. Just like with any system, one would probably have to put a few additional safeguards in place to make it HIPAA compliant. Before we can even do that, though, a business associate agreement (BAA) between Microsoft and the Azure user / customer would have to be in place. I'm not sure - is there anyone there at Microsoft that knows about signing a BAA for HIPAA compliance?
Thanks Leo Lin, I think one could put together a HIPAA compliant system on Azure; however, probably the first thing that would be asked if there were a breach or an audit is "Where is the data located, and is there a Business Associate Agreement (BAA) for the hosting provider?" With HIPAA, each party that's handling the HIPAA protected data needs to sign a BAA. That case study is promising because it seems like there is someone there at Microsoft that can sign the BAAs. I just need to find out who we need to talk to. I know Microsoft is a very large company, so it's probably hard to know everyone and who to contact, but is there anyone you can point me to who could maybe talk to me about the BAA?
As of today, the Windows Azure services have not been certified as HIPAA compliant, so at this time MSFT will not sign a BAA around Windows Azure. However, there have been rumors that we may hear announcements about additional certifications for the Windows Azure platform in the coming months, so I would recommend you work closely with your local Microsoft account manager/representative to get the latest updates around HIPAA and BAA status.
Thanks Dave, I'll see what we can get done. :) I'm also checking into it, as I'm not 100% certain that MSFT has agreed to signing a BAA when it comes to Windows Azure products (specifically compute/storage). The link you shared doesn't clearly state one way or the other, and a whitepaper linked from there also doesn't clearly state it.
Thanks Dave - where did you find out the information about signing the BAA? I've been looking for this for a long time. I called and talked to a number of people at MS, but nobody could point me in the right direction. With a signed BAA you have tackled probably the biggest hurdle for compliance with Azure.

On a side note - at the last Azure webinar that was held showing the latest features, a moderator told us that they were working on HIPAA and PCI compliance and that it would be available soon. So it sounds like someone closer to the product knows more about it - we just need to find the right person.

Any info would be greatly appreciated; this would be a game changer for us if we could host on Azure.
announced in July 2012 that it's offering a HIPAA BAA to customers and partners who need to build HIPAA compliant applications. More information is on the Windows Azure Trust Center.