Microsoft Azure has firmly established itself as one of the leading cloud service providers. Until recently, it held second place in the public cloud provider rankings, behind Amazon Web Services. In 2021, however, Microsoft Azure made a major leap and topped the ranking by becoming the cloud provider of choice for 67% of business customers.
With a steady growth of the global healthcare cloud computing market, which is forecast to reach around $89.4 billion by 2027, we can assume that a lot of healthcare providers choose Microsoft Azure as the cloud services vendor. However, since the healthcare industry handles massive amounts of extremely sensitive personal data, it is subject to strict regulations designed to protect patient privacy. Particularly, all healthcare providers must comply with HIPAA, the Health Insurance Portability and Accountability Act, which governs the disclosure of protected health information.
HIPAA applies not only to healthcare organizations per se, which are referred to as Covered Entities, but also to any person or company performing functions for a Covered Entity. HIPAA refers to these as Business Associates and places requirements on them, too. Cloud service providers are considered Business Associates in this context and must comply with HIPAA rules.
So, is Microsoft Azure HIPAA compliant? Can healthcare organizations use Azure’s cloud computing resources for their purposes?
A Business Associate Agreement, or BAA, is required before the healthcare provider can start using cloud services to store or process individually identifiable health information, known as Protected Health Information (PHI). The BAA determines the rules of PHI use and disclosure by the parties.
Microsoft Azure declares that it will sign Business Associate Agreements with a Covered Entity, thus contributing to their HIPAA compliance. However, a BAA alone is not enough to make a cloud service HIPAA compliant. When a healthcare business decides to use Microsoft Azure as the cloud infrastructure, it must ensure that appropriate security and protection measures are taken locally, too.
Not all of Microsoft's broad range of services are HIPAA compliant. Before using a particular service in a healthcare application, make sure it is listed in Microsoft's official resources, which describe the services in scope for compliance.
For example, such Microsoft Azure services as API Management, Azure Active Directory, Azure Container Service, Azure Firewall, and many others are listed as HIPAA compliant and can be used in a healthcare application. At the same time, Azure Firewall Manager or Azure Data Share are not marked as compliant and, therefore, should not be considered for an app handling protected health information.
Microsoft Azure helps its customers to configure and launch HIPAA-compliant architectures by offering Azure Blueprints. Blueprints are templates that can be used to deploy cloud-based products that are inherently HIPAA compliant.
You can use Azure Blueprints to evaluate the cloud resources you are going to use and see whether they meet HIPAA requirements. The Blueprints support the access controls and policies necessary to ensure HIPAA compliance, which you can implement in your architecture. Blueprints automate some of the compliance-related processes, accelerating the deployment of your app in a cloud environment.
Under its BAA, Microsoft Azure undertakes to implement a number of safeguards and mechanisms designed to protect the PHI that is being stored or processed using Azure’s cloud computing capacities:
Although Microsoft Azure supports multiple HIPAA-compliant services and is ready to sign a BAA with a Covered Entity, this does not make your application HIPAA compliant automatically. Compliance is not only a matter of choosing a cloud provider that offers compliant services. Rather, it depends on the way the business uses and configures those services.
For example, it is up to you to implement physical safeguards by securing your physical premises, and to follow administrative safeguards by adopting security policies around risk management and access, communicating them to all users in your company who handle PHI, and holding regular security training sessions. In addition, your compliance obligations make it vital that you follow the technical regulatory requirements.
For total peace of mind that your application is HIPAA compliant, choose to partner with a HIPAA-compliant service provider like QuickBlox, with a solid history of working with healthcare companies.
QuickBlox provides a complete communication platform with instant messaging and group chat, peer-to-peer and multiparty video calling, file sharing and other functions accessible through SDKs and APIs. Plus, we have a number of HIPAA-safe, ready-made solutions, including a virtual waiting room with teleconsultation, and a long history of supporting communication solutions for healthcare.
We can work with your technical team to ensure HIPAA compliance of your app using Microsoft Azure’s cloud computing resources, and assist you to implement the following security measures in your local infrastructure:
If you invest sufficient effort and resources in proper security policies and the protection of sensitive data, and verify that you are using HIPAA-compliant Microsoft Azure services, you will achieve overall regulatory compliance for your Azure-hosted app. However, such a result is only possible when the security mechanisms of the selected cloud service provider are complemented by adequate local protection measures. You need to work with a third-party API provider who can support your security responsibilities.
Speak to us at QuickBlox to see how we can support your technical compliance needs.