April 16, 2012, 8:36 PM
Hello, I know this has been covered before, but I found a webpage on Microsoft's website about cloud services that are HIPAA compliant. I just can't get ahold of anyone who knows anything about it.
I'm just wondering if anyone has been able to get any information about running an application running on Azure that needs to be HIPAA compliant? It seems like from a technical perspective it can be made compliant. From a legal perspective, Microsoft would have to be considered a covered entity and would require signing a business associate agreement.
April 17, 2012, 7:12 AM, Moderator
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay.
Appreciate your patience.
April 17, 2012, 2:50 PM
Great, thanks so much Arwind, I really appreciate it.
April 18, 2012, 6:19 AM
Windows Azure platform/SQL Azure is not HIPAA Compliant. But we can create a HIPAA-compliant solution using Azure.
The application using Azure can take steps to ensure it does meet HIPAA standards.
For example, we can leverage a third-party provider to accept the payment and ensure HIPAA compliance.
- Edited by Jian SL-MSFT, April 18, 2012, 7:28 AM
April 18, 2012, 12:06 PM
Thanks Leo Lin, I think from the technical side, it can be made compliant. Just like with any system - one would have to probably put a few additional safeguards in place to make it HIPAA compliant. Before we can even do that though a business associate agreement (BAA) between Microsoft and the Azure user / customer would have to be in place. I'm not sure - is there anyone there at Microsoft that knows about signing a BAA for HIPAA compliance?
Thanks again for your help.
May 4, 2012, 9:08 AM
You may check the real case
May 4, 2012, 12:48 PM
Thanks Leo Lin, I think one could put together a HIPAA compliant system on Azure, however probably the first thing if there was a breach or an audit that would be asked is "Where is the data located, and is there a Business Associate Agreement (BAA) for the hosting provider". With HIPAA each party that's handling the HIPAA protected data needs to sign a BAA. That case study is promising because it seems like there is someone there at Microsoft that can sign the BAAs. I just need to find out who we need to talk to. I know Microsoft is a very large company, so it's probably hard to know everyone and who to contact, but is there anyone you can point me to who could maybe talk to me about the BAA?
Thanks again Leo Lin.
May 4, 2012, 1:24 PM, Moderator
As of today, the Windows Azure services have not been certified as HIPAA compliant, so at this time, MSFT will not sign a BAA around Windows Azure. However, there have been rumors that we may hear announcements about additional certifications for the Windows Azure platform in coming months so I would recommend you work closely with your local Microsoft account manager/representative to get the latest updates around HIPAA and BAA status.
That said, my firm has done delivery of several solutions for firms in and around the health care industry so we have some experience around managing HIPAA compliance as it relates to Windows Azure specifically and cloud in general. The most visible examples of this are our work for and promotional materials with CGX and our published whitepaper on HIPAA guidance for Windows Azure.
May 4, 2012, 4:11 PM
Great, thanks so much Brent, yeah if you hear anything on the HIPAA certification - please post back - I think there are others that are interested as well.
The Whitepaper you sent a link to is great, thanks so much for posting that too.
Thanks again Brent.
July 13, 2012, 6:45 PM
Hi Brent, apparently this has changed and would love to see your updated take on this since now MSFT will sign a HIPAA related BAA (there is no such thing as HIPAA certified, only HIPAA compliant).
And would especially like to see an update of this
which would convince anyone to not even try since you can't search for or lookup encrypted data with SQL Server very easy by never handling "unencrypted" data as they say.
July 16, 2012, 6:37 PM, Moderator
Thanks Dave, I'll see what we can get done. :) I'm also checking into it as I'm not 100% certain that MSFT has agreed to signing a BAA when it comes to Windows Azure products (specifically compute/storage). The link you shared doesn't clearly state one way or the other and a whitepaper linked from there also doesn't clearly state it.
- Edited by BrentDaCodeMonkeyModerator, July 16, 2012, 6:44 PM
July 16, 2012, 6:49 PM
Thanks Dave - where did you find out the information about signing the BAA? I've been looking for this for a long time. I called and talked to a number of people at MS but nobody could point me in the right direction. With a signed BAA you kind of tackled probably the biggest hurdle for compliance with Azure.
On a side note - at the last Azure webinar that was held showing the latest features, a moderator told us that they were working on HIPAA and PCI compliance and would be available soon. So it sounds like someone closer to the product knows more about it - just need to find the right person.
Any info would be greatly appreciated, this would be a game changer for us if we could host on Azure.
March 27, 2013, 3:42 AM
Windows Azure announced in July 2012 that it's offering HIPAA BAA to customers and partners who need to build HIPAA compliant applications. More information on Windows Azure Trust Center compliance page.