
Security, Privacy & Compliance Update: Microsoft Offers Customers and Partners a HIPAA Business Associate Agreement (BAA) for Windows Azure

Last month, we announced the availability of SSAE 16 / ISAE 3402 attestation for Windows Azure core services, an important milestone for our customers and partners, as many have requested and received a copy of the audit report. But what our health customers care most about are the HIPAA and HITECH Act compliance capabilities in Windows Azure that they need to fully leverage the cloud.

I’m pleased to announce that we have achieved the most important compliance milestone for our health customers: enabling the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act inside Windows Azure core services, and offering a HIPAA BAA to our EA (Enterprise Agreement/volume licensing) customers and partners in the health industry.

HIPAA and the HITECH Act are United States laws that apply to most doctors’ offices, hospitals, health insurance companies, and other companies involved in the healthcare industry that may have access to patient information (called Protected Health Information or PHI).  In many circumstances, for a covered healthcare company to use a service like Windows Azure, the service provider must agree in writing to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. 

On July 24th, we updated the Windows Azure Trust Center and made available a HIPAA BAA that includes Windows Azure breach monitoring and notification at the platform level for the following core services:

Cloud computing makes it possible for health customers to quickly and cost-effectively leverage big data technologies, augment storage capacity, accelerate development and testing of new solutions, and more. The Windows Azure BAA means that covered healthcare entities can now leverage Windows Azure core services in a pure public cloud platform, as well as in a hybrid cloud configuration that extends their existing on-premises assets and investments through the public cloud.

Earlier in 2012, Microsoft announced the availability of a BAA that covers Microsoft Office 365 and Dynamics CRM Online.  The extension of this BAA to also cover Windows Azure core services is a significant accomplishment.  With this BAA now in place, Microsoft is offering something unprecedented in the health IT market – a complete range of public, private and hybrid cloud solutions that support covered healthcare entities’ compliance needs. Rather than go to multiple cloud vendors for productivity, collaboration, application hosting, data storage, and relationship management, Microsoft’s customers can consolidate on one cloud, with one infrastructure partner with a common security and privacy framework that caters specifically to the needs of healthcare covered entities.

Covered entities can now confidently migrate and extend their datacenters on their terms into the public, private, or hybrid cloud, realizing immediate cost savings and organizational agility and enabling collaboration across the care continuum. While Windows Azure includes features to help enable customers' privacy and security compliance, customers remain responsible for ensuring that their particular use of Windows Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations.

For more information about how health organizations can leverage cloud services to dramatically lower IT costs and drive greater productivity and collaboration, visit the Microsoft in Health blog.