Microsoft Azure provides a suite of cloud services including virtual machines (VMs), data and object storage, databases, machine learning and analysis tools and more.
Azure is a public cloud platform providing virtual machines (VMs), databases, data storage, and many other cloud services. Teams can utilize Azure services to build, scale and manage applications and workloads in the cloud.
Azure can be used in a HIPAA compliant manner. Azure will sign a Business Associates’ Agreement (BAA) with cloud customers, meaning that healthcare organizations may use Azure cloud services with protected health information (PHI). However, healthcare organizations must implement certain requirements in order to achieve HIPAA compliance on Azure.
Cloud service providers typically define a set of “HIPAA covered services”, or services that organizations may use with PHI. Organizations must only store, transmit, and utilize PHI on services that appear on the Azure HIPAA covered services list.
The following cloud services are covered under the Azure Business Associates’ Agreement (BAA):
Public cloud providers, including Azure, operate under a shared responsibility model, meaning that HIPAA requirements are shared between the cloud provider and the cloud customer. The Azure BAA outlines overall compliance responsibilities when using PHI on Azure.
Under the Azure BAA, Microsoft handles many of the required HIPAA physical safeguards including:
While Azure provides a number of different security services, it is up to your team to ensure all proper technical controls are configured and in place. This means your security team is responsible for implementing security standards for individual cloud services including configuring:
While using a public cloud platform such as Azure enables teams to leverage many security programs and cloud services, your team is still responsible for implementing HIPAA-required administrative safeguards.
HIPAA requires your team to establish a set of policies and standard operating procedures. Your team should develop and maintain policies that address the following topics:
Sign the Azure Business Associates’ Agreement (BAA) and determine covered services before utilizing PHI on the Azure cloud.
Develop HIPAA administrative policies with Dash and define how your organization will manage PHI inside and outside of Azure.
Configure all necessary cloud security settings and controls and maintain HIPAA technical controls with Dash continuous compliance monitoring.
Dash makes it easy for healthcare organizations to build HIPAA Security Programs in Azure and AWS and achieve HIPAA Compliance for applications and workloads hosted in the cloud.
With Dash, your team can create and customize administrative policies, set all cloud security controls, and monitor and maintain HIPAA compliance with continuous compliance monitoring. Learn how Dash can help your team streamline compliance in the cloud.