Is Microsoft Azure HIPAA Compliant?

Microsoft Azure provides a suite of cloud services including virtual machines (VMs), data and object storage, databases, machine learning and analysis tools and more.

health and human services
hipaa compliance

HIPAA Compliance with Azure

Azure is a public cloud platform with providing virtual machines (VMs), databases, data storage, and many other cloud services. Teams can utilize Azure services to build, scale and manage applications and workloads in the cloud.

Azure can be used in a HIPAA compliant manner. Azure will sign a Business Associates’ Agreement (BAA) with cloud customers, meaning that healthcare organizations may use Azure cloud services with protected health information (PHI). However, healthcare organizations must implement certain requirements in order to achieve HIPAA compliance on Azure.

  • Provides a Business Associates’ Agreement (BAA)
  • Provides HIPAA/HITECH Covered Services

Microsoft Azure HIPAA Covered Services

Cloud service providers typically define a set of “HIPAA covered services” or services that organizations may use with PHI. Organizations must only store, transmit, and utilize PHI on the Azure HIPAA covered services list.

The following cloud services are covered under the Azure Business Associates’ Agreement (BAA):

  • Azure and Azure Government
  • Microsoft Cloud App Security
  • Microsoft Cloud for Healthcare
  • Microsoft Healthcare Bot Service
  • Microsoft Stream
  • Microsoft Professional Services: Premier and On Premises for Azure, Dynamics 365, Intune, and for medium business and enterprise customers of Microsoft 365 for business
  • Dynamics 365 and Dynamics 365 U.S. Government
  • Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Intune
  • Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense
  • PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Power BI cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Azure DevOps Services

Physical Safeguard Requirements

Public cloud providers including Azure operate under a shared responsibility model meaning that HIPAA requirements are shared between the cloud provider and the cloud customer. The Azure BAA outlines overall compliance responsibilities when using PHI on Azure. 

Under the Azure BAA, Microsoft handles many of the required HIPAA physical safeguards including:

  • Employee Access Restrictions
  • Locked Servers and Equipment
  • Disposal and Reuse
  • Facility Maintenance and Management

Technical Safeguard Requirements

While Azure provides a number of different security services, it is up to your team to ensure all proper technical controls are configured and in-place. This means your security team is responsible for implementing security standards for individual cloud services including configuring:

  • Access Control
  • Networking and Firewall Restrictions
  • Encryption (at-rest and in-transit)
  • Backup
  • Audit Logging
  • Intrusion Detection and Antivirus

Administrative Safeguard Requirements

While using a public cloud platform such as Azure provides enables teams to leverage many security programs and cloud services, your team is still responsible for implementing HIPAA required administrative safeguards.

HIPAA requires your team to establish a set of policies and standard operating procedures. Your team should develop and maintain policies that address the following topics:

  • Security Roles
  • System Access
  • Configuration Management
  • Disaster Recovery (DR)
  • Incident and Breach Response
  • Employee Training

Steps To HIPAA Compliance

business associates agreement
Sign Azure BAA

Sign the Azure Business Associates’ Agreement (BAA) and determine covered services before utilizing PHI on the Azure cloud.

Implement Policies/Procedures

Develop HIPAA administrative polices with Dash and define how your organization will manage PHI inside and outside of Azure.

hipaa technical controls
Enforce Technical Controls

Configure all necessary cloud security settings and controls and maintain HIPAA technical controls with Dash continuous compliance monitoring.

Achieve HIPAA Compliance With Dash

Dash makes it easy for healthcare organizations to build HIPAA Security Programs in Azure and AWS and achieve HIPAA Compliance for applications and workloads hosted in the cloud.

With Dash, your team can create and customize administrative policies, set all cloud security controls, and monitor and maintain HIPAA compliance with continuous compliance monitoring. Learn how Dash can help your team streamline compliance in the cloud.

  • Create Custom Security Policies
  • Configure Technical Controls In Azure
  • Enforce Polices and Cloud Security Controls