Azure HIPAA

Question

Hello, I know this has been covered before, but I found a webpage on Microsoft's website about cloud services that are HIPAA compliant.  I just can't get ahold of anyone who knows anything about it.

http://www.microsoft.com/health/en-us/initiatives/Pages/cloud-services-for-health.aspx

I'm just wondering if anyone has been able to get any information about running an application running on Azure that needs to be HIPAA compliant?  It seems like from a technical perspective it can be made complaint.  From a legal perspective, Microsoft would have to be considered a covered entity and would require signing a business associate agreement.

Thanks.

Answer 1

Hi,

I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay.
 
Appreciate your patience.

---

Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework

Answer 2

Great, thanks so much Arwind, I really appreciate it.

Answer 3

Windows Azure platform/SQL Azure is not HIPAA Compliant. But we can create a HIPAA-compliant solution using Azure.

The application using Azure can take steps to ensure it does meet HIPAA standards.

For example: We can leverage the third party provider to accept the payment and ensure the  HIPAA-compliant.

Leo Lin

Answer 4

Thanks Leo Lin, I think from the technical side, it can be made complaint. Just like with any system - one would have to probably put a few additional safeguards in place to make it HIPAA complaint.  Before we can even do that though a business associate agreement (BAA) between Microsoft and the Azure user / customer would have to be in place.  I'm not sure - is there anyone there at Microsoft that knows about signing a BAA for HIPAA compliance?

Thanks again for your help.

Answer 5

You may check the real case

http://www.microsoft.com/en-us/news/press/2012/mar12/03-20PaperTracerPR.aspx

thanks

Leo Lin

Answer 6

Thanks Leo Lin, I think one could put together a HIPAA compliant system on Azure, however probably the first thing if there was a breach or an audit that would be asked is "Where is the data located, and is there a Business Associate Agreement (BAA) for the hosting provider".  With HIPAA each party that's handling the HIPAA protected data needs to sign a BAA.  That case study is promising because it seems like there is someone there at Microsoft that can sign the BAA's..  I just need to find out who we need to talk to.  I know Microsoft is a very large company, so it's probably hard to know everyone and who to contact, but is there anyone you can point me to who could maybe talk to me about the BAA?

Thanks again Leo Lin.

Answer 7

As of today, the Windows Azure services have not been certified as HIPAA compliant, so at this time, MSFT will not sign a BAA around Windows Azure. However, there has been rumors that we may hear announcements about additional certifications for the Windows Azure platform in coming months so I would recommend you work closely with your local Microsoft account manager/representative to get the latest updates around HIPAA and BAA status.

That said, my firm has done delivery of several solutions for firms in and around the health care industry so we have some experience around managing HIPAA compliance as it relates to Windows Azure specifically and cloud in general. The most visible examples of this are our work for and promotional materials with CGX and our published whitepaper on HIPAA guidance for Windows Azure.

Answer 8

Great, thanks so much Brent, yeah if you hear anything on the HIPAA certification - please post back - I think there are others that are interested as well.

The Whitepaper you sent a link to is great, thanks so much for posting that too.

Thanks again Brent.

Answer 9

Hi Brent, apparently this has changed and would love to see your updated take on this since now MSFT will sign a HIPAA related BAA (there is not such thing as HIPAA certified, only HIPAA compliant).

http://www.microsoft.com/health/en-us/initiatives/pages/cloud-services-for-health.aspx

And would especially like to see an update of this

http://www.us.sogeti.com/what-we-do/PDF/HIPAA-in-the-Cloud-Whitepaper-Sogeti-v1.2.pdf

which would convince anyone to not even try since you can't search for or lookup encrypted data with SQL Server very easy by never handling "unencrypted" data as they say.

- Dave

Answer 10

Thanks Dave, I'll see what we can get done. :) I'm also checking into it as I'm not 100% certain that MSFT has agreed to signing a BAA when it comes to Windows Azure products (specifically compute/storag). The link you shared doesn't clearly state one ay or the other and a whitepaper linked form there also doesn't clearly state it.

Answer 11

Thanks Dave - where did you find out the information about signing the BAA?  I've been looking for this for a long time.  I called and talked to a number of people at MS but nobody could point me in the right direction.  With a signed BAA you kind of tackled probably the biggest hurdle for complaince with Azure.

On a side note - at the last Azure webinar that was held showing the latest features, a moderator told us that they were working on HIPAA and PCI compliance and would be available soon.  So it sounds like someone closer to the product knows more about it - just need to find the right person.

Any info would be greatly appreciated, this would be a game changer for us if we could host on Azure.

Thanks

Answer 12

Windows Azure announced in July 2012 that it's offering HIPAA BAA to customers and partners who need to build HIPAA compliant applications.  More information on Windows Azure Trust Center compliance page.