Microsoft Adds HIPAA Compliance Features to Azure for Cloud Health Data

Microsoft now offers business associate agreements (BAA) for Windows Azure Core Services under the Health Insurance Portability and Accountability Act (HIPAA), the company announced in a July 25 blog post.

Under the HIPAA Privacy rule, covered entities (a doctor, health insurance provider or health care clearing-house) must include a BAA for documentation when seeking access to protected health information (PHI).

"Microsoft is really ready now to stand up and be the trusted steward for covered entities," Dr. Mohamed Ayad, industry technical solution specialist for U.S. Health & Life Sciences at Microsoft, told eWEEK.

"PHI can reside safely in a Microsoft data center; now, we're extending that to cover Azure as well," said Ayad.

PHI includes anything that would identify a patient, such as an electronic health record or medical claim, he explained.

"In the past, one of the major concerns with moving that information to the cloud was how do we secure that data and make sure it's safe," said Ayad. "Now, a provider can put that data in Azure Core Services and be sure it's in a HIPAA-secure environment."

The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act made HIPAA more stringent by requiring organizations to publicly report health care data breaches.

In December, Microsoft announced that the Office 365 cloud office-productivity platform offers HIPAA-compliant capabilities for users, and earlier this year, it also introduced a BAA for its Dynamics customer-relationship management software.

Microsoft will offer BAA agreements in Azure for Web and worker roles in Cloud Services as well as tables, queues and binary large objects (BLOBS), which store unstructured data, such as video, audio and images.

Companies also can obtain BAAs for infrastructure as a service (IaaS) virtual machines and Windows Azure Connect, a machine-to-machine link between Azure and on-premise database servers and domain controllers.

Other parts of Azure getting BAA functionality include Traffic Manager, a load-balancing tool for multiple hosted Windows Azure services, and Virtual Network, which allows organizations to provision and manage virtual private networks (VPNs).

By creating a BAA for Azure, health care organizations can now create both a public cloud as well as hybrid setup, in which they'd store data in both a public cloud and on-premise in a private cloud.