Is Windows Azure HIPAA Compliant?

    Question

  • Hello,

    I have found a few topics which talk about HIPAA compliance but lead nowhere so I decided to create a new thread.

    I am developing an ASP.NET MVC application which I plan to host on Windows Azure and transmit data over SSL. This system will have its own user and role management. (No OpenID or Windows Live)

    The system will be using SQL Azure to store the patient records and authenticate users. Can someone please tell me the following:

    1 - Is the transmission of the data between Windows Azure and SQL Azure encrypted?
    2 - Are there any safeguards in place at the Windows Data Centers that comply to the Required HIPAA standards?
    3 - Are there any good resources available for reading about Windows Azure/SQL Azure security?

    Thank you

    Monday, August 16, 2010 4:29 PM

Answers

  • Thank you Brent,

    For those who are interested, I've done my research and contacted several prominent hosting data centers and got their opinion. Essentially, the answer is don't do it. As of 8/17/2010 it's a very difficult task to run a HIPAA compliant application which stores and transmits PHI in the cloud due to the shared nature of the environment. HIPAA is also not only about privacy and security but also accountability. You will need to keep a log of all the resources which are accessing your servers so that in case of a breach, you can provide the details to the auditors.

    There are several hosting providers who will set up a HIPAA compliant environment for you and sign a reasonable BAA (Business Associate Agreement) which is very convenient when it's time for an audit. The only downfall is that dedicated hosting will cost you more but the good news is that these providers are hosting in a VM environment which allows for easy scaling and can have you up and running within 24 hours. (Similar to the "cloud")

    • Marked as answer by DeviantSeev Tuesday, August 17, 2010 10:14 PM
    • Unmarked as answer by DeviantSeev Tuesday, August 17, 2010 10:14 PM
    • Marked as answer by DeviantSeev Tuesday, August 17, 2010 10:14 PM
    Tuesday, August 17, 2010 10:14 PM
  • http://social.msdn.microsoft.com/Forums/en-US/windowsazure/thread/aa1b7139-bd69-4c6c-982d-54f17b9c7b10/

    http://social.msdn.microsoft.com/Forums/en-US/windowsazure/thread/b474cead-716c-492a-ac0c-cd2e56bedadd/

    In short, Windows Azure has not been certified HIPAA and there likely won't be any announcement regarding HIPAA until it actually is. However, there are still ways to build HIPAA compliant systems in the cloud.

    • Marked as answer by DeviantSeev Tuesday, August 17, 2010 10:14 PM
    Monday, August 16, 2010 5:54 PM
    Moderator

All replies

  • Brent,


    Thank you, it's kind of the answer I was expecting based on my research. Is there any information available about how Windows Azure talks to SQL Azure?

    Monday, August 16, 2010 7:33 PM
  • Monday, August 16, 2010 8:00 PM
    Moderator
  • Fwiw, this information is out of date as several hosting providers can safely host HIPAA data in the cloud now. And even Microsoft Azure apparently does according to some recent articles such as these -

    http://www.microsoft.com/health/en-us/initiatives/pages/cloud-services-for-health.aspx

    http://www.microsoft.com/health/en-us/products/Pages/healthvault.aspx

    http://www.microsoft.com/en-us/news/press/2012/mar12/03-20PaperTracerPR.aspx

    http://visio.microsoft.com/en-us/Pages/searchresult.aspx?q=HIPAA+Azure

    Btw, I don't think there is any such thing as being HIPAA certified, only HIPAA compliant.

    The first link even mentions Microsoft doing a BAA.

    Microsoft's goal is to provide a unified and integrated Microsoft online services platform that meets or exceeds the compliance requirements for healthcare covered entities. With our Business Associate Agreement (BAA) for HIPAA covered entities, we aim to be your trusted data steward by enabling you to continue to meet your mandated compliance needs, whether in the cloud or on-premise.

    Brent, would love to see your updated answer on this.

    Thanks, Dave

    Friday, July 13, 2012 6:38 PM
  • An update was announced today.

    http://www.zdnet.com/windows-azure-now-offers-hipaa-baa-compliance-for-healthcare-industry-users-7000001594/

    http://blogs.msdn.com/b/windowsazure/archive/2012/07/25/security-privacy-amp-compliance-update-microsoft-offers-customers-and-partners-a-hipaa-business-associate-agreement-baa-for-windows-azure.aspx

    "The existence of Windows Azure BAA means that covered healthcare entities can now leverage Windows Azure core services in a pure public cloud platform, as well as a hybrid cloud configuration that extends their existing on premises assets and investments through the public cloud," the blog post added.

    - cawood

    Wednesday, July 25, 2012 8:10 PM
  • The definitive place for this type of information is the Windows Azure Trust Center where it is now declared that Microsoft can sign Business Associate Agreements for Windows Azure Cloud Services, Virtual Machines, Windows Azure Storage, and Networking - but not SQL Database. An application seeking HIPAA compliance could host Microsoft SQL Server in a Virtual Machine.
    Wednesday, July 25, 2012 8:22 PM
    Answerer
    As per this link, Microsoft offers Enterprise Agreement (volume licensing) customers a BAA as a contract addendum. That likely means one needs to be an enterprise customer to get a BAA.

    -sushil

    Sunday, February 17, 2013 11:22 AM
    Microsoft currently offers the BAA to customers who have a Volume Licensing / Enterprise Agreement (EA), or a Windows Azure only EA enrollment in place with Microsoft. The Windows Azure only EA does not depend on seat size, rather on an annual monetary commitment to Windows Azure that allows a customer to obtain a discount over pay-as-you-go pricing. The BAA is currently not available to pay-as-you-go customers who have a Windows Azure Agreement in place.
    Saturday, March 23, 2013 2:43 AM