If you are considering moving to the cloud but need to retain HIPAA compliance, you may have questions about which services will meet your needs. Many people are unsure whether HIPAA compliance is achievable on Microsoft Azure. We looked into it in depth so we can give you a reliable answer.
HIPAA Business Associate Agreement
As most of you already know, a vendor that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity is a HIPAA Business Associate. A business associate must sign a Business Associate Agreement (BAA), a contract stating how it will safeguard the patient information it handles and what it must do if that information is disclosed.
The first question many people have is whether Microsoft will sign a HIPAA Business Associate Agreement. The answer is a clear yes. However, it is not a form you fill in on a web page; the agreement is executed through your Microsoft account representative, so plan for that conversation before you move any PHI.
Covered Microsoft Azure Services
The next question companies often have is precisely which services are covered for HIPAA use. The list changes over time, and the current version is published on the Microsoft HIPAA compliance page. We won't reproduce it here, but it includes building blocks such as VPN Gateway, Virtual Network, Virtual Machines, and Storage. The important caveat is that the BAA only covers the services on that list: if PHI ends up in a service that is out of scope, the BAA does not apply to it, so check the list before adding any new Azure service to a PHI workload.
IT Security Measures
There are a few key things to look at when determining if a client can use a cloud environment in a HIPAA compliant way. We look at these below.
Secure Connection Between the Business and Microsoft Azure
Azure VPN Gateway lets a business connect its own network to its Azure environment over an IPsec/IKE site-to-site tunnel (point-to-site tunnels for individual clients are also supported). Anything routed between your office network and your Azure virtual network then travels through this encrypted tunnel. Note the word routed: only traffic that actually goes through the tunnel is protected by it. Access to a service's public endpoint, such as a storage account reached over the internet, is protected by that service's own TLS, not by the VPN, unless you route it privately.
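To show what a site-to-site connection looks like in practice, here is an added example (not code from the original article or from Microsoft's documentation) using the Az PowerShell module. It creates the gateway, describes the on-premises side, and pins an explicit IPsec/IKE policy instead of accepting the negotiated defaults. The resource group, virtual network, gateway and connection names, the region, the on-premises public IP 203.0.113.10 and the on-premises address range 10.50.0.0/16 are all assumptions; the virtual network is assumed to already contain a subnet named GatewaySubnet.

```powershell
# Added example: site-to-site VPN from an office network to an Azure virtual
# network, with an explicit IPsec/IKE policy. Requires the Az module and an
# existing virtual network that already has a "GatewaySubnet".
# All names, the region and the on-premises addresses are assumptions.
Connect-AzAccount

$rg  = "rg-phi"
$loc = "eastus"

$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-phi"
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "GatewaySubnet"

# Public IP for the Azure side of the tunnel.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-vpngw-phi" -Location $loc `
    -AllocationMethod Static -Sku Standard

$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# Route-based gateway; this step takes a while to provision.
$gw = New-AzVirtualNetworkGateway -ResourceGroupName $rg -Name "vpngw-phi" -Location $loc `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# The on-premises side: its public IP and the address space behind it.
$lng = New-AzLocalNetworkGateway -ResourceGroupName $rg -Name "lng-office" -Location $loc `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix @("10.50.0.0/16")

# Explicit policy so both ends negotiate AES-256-GCM with SHA-256 / DH group 14
# and perfect forward secrecy, rather than whatever weaker suite the default
# proposal list would accept. Configure the same values on the office device.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Pre-shared key from a cryptographic RNG, not Get-Random. Record it in the
# same place you keep the office device's configuration, then clear it here.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes)

New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name "cn-office-to-azure" -Location $loc `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $ipsec

# Check: the connection should report "Connected" once the office device is configured.
(Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name "cn-office-to-azure").ConnectionStatus
```

Pinning the policy matters because the gateway's default proposals include older suites for compatibility; a fixed policy means a misconfigured peer fails to connect rather than silently negotiating something weaker.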
Restrictions on User Actions
Identities in Azure live in Azure Active Directory (now called Microsoft Entra ID), which will feel familiar to anyone who has run on-premises Active Directory. Permissions on Azure resources, however, are granted separately through Azure role-based access control (RBAC): a role such as Reader or Virtual Machine Contributor is assigned to a user, group or service principal at a scope, which can be a whole subscription, a resource group or a single resource, and assignments are inherited downward. Getting this right takes more planning than a flat AD group structure, so budget time for it, and assign roles to groups at the narrowest scope that works rather than handing out Owner or Contributor on the subscription.
Microsoft Azure does provide multi-factor authentication, and Conditional Access, which is how you make MFA mandatory rather than optional, is a paid Azure AD feature. The Microsoft Authenticator app is easy for staff to use, and its push approval with number matching gives better protection against MFA-fatigue prompting than a plain time-based code. The cost is a point against it, but MFA for everyone who can touch PHI is not optional, so treat it as part of the price of the platform.
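The following is an added example (not code from the original article) that puts the two points above into practice with the Az and Microsoft.Graph PowerShell modules: a built-in role assigned to a group at resource-group scope, a check for anyone holding Owner or Contributor on that scope, and a Conditional Access policy that requires MFA for all users. The resource group rg-phi, the group phi-vm-operators, the break-glass account name, and the policy name are assumptions.

```powershell
# Added example: least-privilege RBAC on a PHI resource group plus an MFA
# Conditional Access policy. Requires the Az and Microsoft.Graph modules.
# rg-phi, phi-vm-operators, the break-glass UPN and the policy name are assumptions.
Connect-AzAccount
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "User.Read.All"

$rg = "rg-phi"

# 1. Assign a built-in role to a group, scoped to the resource group only.
#    Membership changes are then group edits, not new role assignments.
$ops = Get-MgGroup -Filter "displayName eq 'phi-vm-operators'"
New-AzRoleAssignment -ObjectId $ops.Id `
    -RoleDefinitionName "Virtual Machine Contributor" `
    -ResourceGroupName $rg

# 2. Check: who holds Owner or Contributor here, including assignments
#    inherited from the subscription? Each of these can read or move PHI.
Get-AzRoleAssignment -ResourceGroupName $rg |
    Where-Object { $_.RoleDefinitionName -in @("Owner", "Contributor") } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope

# 3. Conditional Access: require MFA for all users on all cloud apps.
#    The emergency-access account is excluded so a broken MFA setup cannot
#    lock everyone out; protect that account by other means.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"

$policy = @{
    displayName = "Require MFA - all users"
    # Start in report-only mode, review the sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Running the policy in report-only mode first shows, in the sign-in logs, which accounts and service flows would have been blocked, which is where you discover the scripted logins nobody remembered before they break in production.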
User and System Activity Logging
Microsoft Azure records every management operation on your subscription in the Activity Log by default: who created, changed or deleted a resource, who assigned a role, and whether the call succeeded. That record is important for HIPAA compliance because it lets you show what did or did not happen during an incident. Two limits to plan for: the Activity Log is retained for 90 days unless you export it to a Log Analytics workspace or storage account, and it covers the control plane only. Reads and writes of the data itself (blob access, database queries) and events inside a virtual machine's operating system are only captured if you turn on diagnostic settings for those resources and install the monitoring agent on each VM.
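As an added example (not code from the original article), the Az PowerShell commands below export the subscription's Activity Log to a Log Analytics workspace so it survives past 90 days, and then run the kind of check an investigator wants: every role-assignment change in the last seven days, with who made it and at what scope. The resource group, workspace name and diagnostic setting name are assumptions.

```powershell
# Added example: keep the Activity Log beyond 90 days and look for
# permission changes in it. Requires the Az module (Az.Monitor 3.0 or later
# for the subscription-level diagnostic setting cmdlets).
# rg-phi, law-phi and the setting name are assumptions.
Connect-AzAccount

$rg = "rg-phi"

# 1. Route the Activity Log categories that matter for PHI workloads to a
#    Log Analytics workspace (assumed to exist) for long-term retention and querying.
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name "law-phi"

$categories = @("Administrative", "Security", "Policy", "Alert") | ForEach-Object {
    New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category $_ -Enabled $true
}
New-AzSubscriptionDiagnosticSetting -Name "activity-log-to-law" `
    -WorkspaceId $law.ResourceId -Log $categories

# 2. Check: who changed permissions in the last seven days, and where?
#    Authorization.Action is the ARM operation, e.g.
#    Microsoft.Authorization/roleAssignments/write.
$since = (Get-Date).AddDays(-7)
Get-AzActivityLog -StartTime $since -MaxRecord 1000 |
    Where-Object { $_.Authorization.Action -like "Microsoft.Authorization/roleAssignments/*" } |
    Select-Object EventTimestamp, Caller,
        @{ n = "Action"; e = { $_.Authorization.Action } },
        @{ n = "Scope";  e = { $_.Authorization.Scope } },
        Status |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize
```

The same filter with an action of Microsoft.Compute/virtualMachines/delete or Microsoft.Storage/storageAccounts/write is a quick way to answer "what changed?" after an outage or a suspected compromise; the exported copy in Log Analytics is what you query once the 90-day window has passed.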
Encryption Keys and Data at Rest
In many cases companies never or rarely rotate their encryption keys, which is a significant risk if a key is ever compromised, because one leaked key then unlocks years of data. Azure Key Vault gives you a managed place to store encryption keys, secrets and certificates, to control which identities may use them, and to rotate keys on a schedule. Azure services such as Storage and managed disks can be pointed at a Key Vault key so that your data is encrypted under a key you control and can revoke.
Azure Storage and managed disks are encrypted at rest with Microsoft-managed keys automatically. What is not automatic is the part that matters for demonstrating control: using your own key in Key Vault (customer-managed keys) so that you decide who can use it and when it rotates, and, if required, encrypting inside the virtual machine's operating system with Azure Disk Encryption. Both have to be configured deliberately, and both are worth doing for PHI.
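To make the two preceding paragraphs concrete, here is an added example (not code from the original article) with the Az PowerShell module: it creates a Key Vault that cannot be purged, creates a storage-encryption key with an automatic rotation policy, grants a storage account's managed identity the right to use that key, and switches the account to customer-managed keys. The resource group, vault name, key name, storage account name and region are assumptions; the storage account is assumed to already exist.

```powershell
# Added example: Key Vault with purge protection, a key that rotates on a
# schedule, and a storage account encrypted under that key.
# Requires the Az module. rg-phi, kv-phi-01, sse-key, stphi01 and the
# region are assumptions; the storage account is assumed to exist.
Connect-AzAccount

$rg     = "rg-phi"
$loc    = "eastus"
$kvName = "kv-phi-01"
$saName = "stphi01"

# 1. Vault with purge protection: a deleted key can be recovered but never
#    permanently destroyed during the retention period, so encrypted data
#    cannot be made unrecoverable by mistake or by a malicious deletion.
$kv = New-AzKeyVault -ResourceGroupName $rg -Name $kvName -Location $loc `
    -EnablePurgeProtection -EnableRbacAuthorization

# 2. The storage-encryption key, RSA 3072, generated inside the vault.
$key = Add-AzKeyVaultKey -VaultName $kvName -Name "sse-key" -Destination Software `
    -KeyType RSA -Size 3072

# 3. Rotation policy: each version expires after one year, a new version is
#    created automatically 11 months after creation, and Key Vault raises a
#    notification event 30 days before expiry.
$policyJson = @'
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "P11M" }, "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "P30D" }, "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "P1Y" }
}
'@
$policyPath = Join-Path ([System.IO.Path]::GetTempPath()) "sse-key-rotation.json"
Set-Content -Path $policyPath -Value $policyJson
Set-AzKeyVaultKeyRotationPolicy -VaultName $kvName -Name "sse-key" -PolicyPath $policyPath

# 4. Give the storage account a managed identity and let only that identity
#    wrap/unwrap with the key; no person or app needs export rights.
$sa = Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -AssignIdentity
New-AzRoleAssignment -ObjectId $sa.Identity.PrincipalId `
    -RoleDefinitionName "Key Vault Crypto Service Encryption User" `
    -Scope $kv.ResourceId

# 5. Switch the account to the customer-managed key. Omitting -KeyVersion
#    tells Storage to pick up each new key version produced by the rotation policy.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -KeyvaultEncryption -KeyName $key.Name -KeyVaultUri $kv.VaultUri

# Check: KeySource should now read Microsoft.Keyvault instead of Microsoft.Storage.
(Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption.KeySource
```

Revoking the role assignment in step 4 is the emergency lever: the storage account immediately loses the ability to unwrap its data-encryption key, which is the control the BAA and your own incident plan will ask you to demonstrate.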
Based on everything above, Microsoft Azure can be used in a HIPAA compliant way. That said, none of it is automatic: the BAA, scoped roles, mandatory MFA, exported logs and customer-managed keys each have to be set up deliberately, and the platform takes some getting used to. If you are prepared to configure it carefully, Azure is a reasonable option for businesses working with PHI.