Is Microsoft Azure HIPAA Compliant?
Microsoft Azure has firmly established itself as one of the leading cloud service providers. Until recently it held second place among public cloud providers, with Amazon Web Services ranking first. In 2021, however, Microsoft Azure made a major leap and topped the rating by becoming the cloud provider of choice for 67% of business customers.
With the global healthcare cloud computing market growing steadily and forecast to exceed $55 billion by 2025, it is reasonable to assume that many healthcare providers choose Microsoft Azure as their cloud services vendor. However, because the healthcare industry handles massive amounts of extremely sensitive personal data, it is subject to strict regulations designed to protect patient privacy. In particular, all healthcare providers must comply with HIPAA, the Health Insurance Portability and Accountability Act, which governs the disclosure of protected health information.
HIPAA applies not only to healthcare organizations themselves, referred to as Covered Entities, but also to any person or company performing functions for a Covered Entity. HIPAA calls these Business Associates and imposes requirements on them as well. Cloud service providers are considered Business Associates in this context and must comply with HIPAA rules.
So, is Microsoft Azure HIPAA compliant? Can healthcare organizations use Azure’s cloud computing resources for their purposes?
Business Associate Agreement
A Business Associate Agreement, or BAA, is required before the healthcare provider can start using cloud services to store or process individually identifiable health information, known as Protected Health Information (PHI). The BAA determines the rules of PHI use and disclosure by the parties.
Microsoft states that it will sign a Business Associate Agreement with a Covered Entity, thus contributing to that entity's HIPAA compliance. However, a BAA alone is not enough to make a cloud service HIPAA compliant. When a healthcare business decides to use Microsoft Azure as its cloud infrastructure, it must ensure that appropriate security and protection measures are taken locally, too.
Microsoft Azure HIPAA compliant services
Not every Microsoft service is HIPAA compliant. Before using a particular service in a healthcare application, make sure it appears in Microsoft's official list of services in scope for HIPAA compliance.
For example, Microsoft Azure services such as API Management, Azure Active Directory, Azure Container Service, Azure Firewall, and many others are listed as HIPAA compliant and can be used in a healthcare application. At the same time, Azure Firewall Manager and Azure Data Share are not marked as compliant and therefore should not be considered for an app handling protected health information.
Microsoft Azure helps its customers configure and launch HIPAA-compliant architectures by offering Azure Blueprints. Blueprints are templates that can be used to deploy cloud-based products that are inherently HIPAA compliant.
You can use Azure Blueprints to evaluate the cloud resources you intend to use and check whether they meet HIPAA requirements. Blueprints bundle the access controls and policies needed for HIPAA compliance so that you can apply them to your architecture, and they automate some compliance-related processes, accelerating the deployment of your app in a cloud environment.
Which data protection measures does Microsoft Azure implement?
Under its BAA, Microsoft Azure undertakes to implement a number of safeguards and mechanisms designed to protect the PHI that is stored or processed using Azure's cloud computing capacity:
- Data encryption. Azure encrypts all data held in its storage with 256-bit AES encryption to protect the confidentiality of PHI. For data exchanged between virtual networks within Azure, industry-standard protocols such as TLS are used.
- Secure network. Azure offers Network Security Groups and Azure Firewall to filter incoming and outgoing traffic based on IP address. Connections to cloud resources are established over a VPN, protecting data in transit.
- Backup and Disaster Recovery. Data backup and disaster recovery are among the HIPAA compliance requirements. To meet them, Azure provides its Azure Backup and Azure Recovery services, which a cloud-based application can use to ensure that all data is backed up regularly and that the app can be recovered immediately in a different region.
- Vulnerability management. Azure Security Center scans virtual machines and flags missing security patches. Installing the patches, however, remains the customer's responsibility.
- Identity and access management. Azure supports role-based access control, which lets you define the permissions for each role and assign roles to users. This is vital for tracking user identities and user activity. Azure AD provides the access control needed to protect sensitive data stored in the cloud.
- Monitoring and detailed logging. Azure constantly monitors the network to alert the customer to outside threats and also detects deficiencies in the security measures implemented on the customer's side. In addition, Azure Log Analytics gathers logs from sources across the network and generates reports on how data was accessed.
Is Microsoft Azure HIPAA compliant?
Although Microsoft Azure supports multiple HIPAA-compliant services and is ready to sign a BAA with a Covered Entity, this does not make your application HIPAA compliant automatically. Compliance is not just a matter of choosing a cloud provider that offers compliant services; it depends on how the business uses and configures those services.
For example, it is up to you to implement physical safeguards by securing your premises, and to follow administrative safeguards by adopting security policies around risk management and access, communicating them to all users in your company who handle PHI, and holding regular security training sessions. Your compliance obligations also require you to meet the technical regulatory requirements.
Ensuring HIPAA Compliance with QuickBlox
For total peace of mind that your application is HIPAA compliant, partner with a HIPAA-compliant service provider like QuickBlox, which has a solid history of working with healthcare companies.
QuickBlox provides a complete communication platform with instant messaging and group chat, peer-to-peer and multiparty video calling, file sharing, and other functions accessible through SDKs and APIs. We also offer a number of HIPAA-safe ready-made solutions, including a virtual waiting room with teleconsultation, and have a long history of supporting communication solutions for healthcare.
We can work with your technical team to ensure HIPAA compliance of your app using Microsoft Azure's cloud computing resources, and assist you in implementing the following security measures in your local infrastructure:
- Configure multi-factor authentication and other security controls to secure users' access to your app.
- Install advanced anti-virus tools and firewalls and obtain the necessary SSL certificates.
- Enable data encryption.
- Implement local data backup.
- Develop local disaster recovery procedures.
In addition to Azure Cloud, we also successfully support secure health solutions hosted by a variety of cloud providers, including Amazon Web Services, Google Cloud Platform, Hetzner Cloud, and more. Furthermore, we can support our Business Associate customers who have an on-premises infrastructure.
If you invest sufficient effort and resources in proper security policies and protection of sensitive data, and verify that you are using HIPAA-compliant Microsoft Azure services, you will achieve overall regulatory compliance for your Azure-hosted app. However, this is only possible when the security mechanisms of the selected cloud service provider are complemented by adequate local protection measures. You need to work with a third-party API provider who can support your security responsibilities.
Speak to us at QuickBlox to see how we can support your technical compliance needs.