The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations issued under HIPAA are a set of US healthcare laws that, among other provisions, establish requirements for the use, disclosure, and safeguarding of protected health information (PHI). The scope of HIPAA was extended in 2009 with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act that was created to stimulate the adoption of electronic health records and supporting information technology.
HIPAA applies to covered entities - doctors’ offices, hospitals, health insurers, and other healthcare companies - that create, receive, maintain, transmit, or access PHI. HIPAA further applies to business associates of covered entities that perform certain functions or activities involving PHI as part of providing services to the covered entity or on behalf of the covered entity. When a covered entity engages the services of a cloud service provider (CSP), such as Microsoft, the CSP becomes a business associate under HIPAA. Moreover, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit PHI, the CSP also becomes a business associate.
Together, HIPAA and HITECH Act rules include:
- The Privacy Rule, which requires appropriate safeguards to protect the privacy of PHI and imposes restrictions on the use and disclosure of PHI without patient authorization. It also gives patients the rights over their health information, including rights to examine their health records and request corrections.
- The Security Rule, which sets the standards for administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.
- The Breach Notification Rule, which requires covered entities and their business associates to provide notification when a breach of unsecured PHI occurs.
HIPAA regulations require that covered entities and their business associates enter into a contract called a Business Associate Agreement (BAA) to ensure the business associates will protect PHI adequately. Among other things, a BAA establishes the permitted and required uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities and services being performed by the business associate.
Azure and HIPAA
There is currently no certification program approved by the US Department of Health and Human Services (HHS) through which a CSP acting as a business associate could demonstrate compliance with HIPAA and the HITECH Act. However, HIPAA and HITECH Act requirements have been mapped to other established security frameworks and standards that CSPs typically attest to:
- NIST SP 800-66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which addresses security concepts in the HIPAA Security Rule and explains how they relate to other NIST publications on information security. Specifically, Appendix D – Security Rule Standards and Implementation Specifications Crosswalk provides a catalog of the HIPAA Security Rule standards and implementation specifications, and maps each to relevant security controls detailed in NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations. NIST SP 800-53 serves as the baseline control set for the US Federal Risk and Authorization Management Program (FedRAMP). Therefore, a FedRAMP assessment and authorization provides strong assurances that HIPAA Security Rule safeguard standards and specifications are addressed adequately. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO).
- The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), which maps HIPAA and HITECH Act requirements to CCM control objectives covering fundamental security principles across CCM domains. Both Azure and Azure Government maintain the CSA STAR Certification and CSA STAR Attestation that are based on the CCM.
- The HHS HIPAA Security Rule Crosswalk to NIST Cyber Security Framework, which maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework (CSF) subcategory and provides relevant control mapping to other standards including ISO/IEC 27001 and NIST SP 800-53. Both Azure and Azure Government align with the NIST CSF and are certified under ISO/IEC 27001.
To support our customers who are subject to HIPAA compliance, Microsoft will enter into BAAs with its covered entity and business associate customers. Azure has enabled the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act inside the in-scope Azure services, and offers a HIPAA BAA as part of the Microsoft Online Services Terms to all customers who are covered entities or business associates under HIPAA for use of such in-scope Azure services. In the BAA, Microsoft makes contractual assurances about data safeguarding, reporting (including breach notifications), data access in accordance with HIPAA and the HITECH Act, and many other important provisions. Microsoft enables you in your compliance with HIPAA and the HITECH Act, and adheres to the HIPAA Security Rule requirements in its capacity as a business associate.
Azure Blueprints is a service that helps you deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organization’s standards, patterns, and compliance requirements, such as HIPAA and HITRUST. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. To help you deploy a core set of policies for any Azure-based architecture that must implement HIPAA and HITRUST controls, Azure has released the Azure Blueprint for HIPAA and HITRUST. When assigned to an architecture, resources are evaluated by Azure Policy for compliance with assigned policy definitions.
- Azure Government
Services in scope
Microsoft online services in scope for the HIPAA BAA coverage are shown below:
- Azure (for detailed insight, see Microsoft Azure Compliance Offerings)
- Azure DevOps
- Dynamics 365 (for detailed insight, see Dynamics 365 service compliance)
- Microsoft Cloud App Security
- Microsoft Healthcare Bot
- Microsoft Intune
- Microsoft Managed Desktop
- Microsoft Stream
- Power Apps
- Power Automate (formerly Microsoft Flow)
- Power BI
Office 365 and HIPAA
For more information about Office 365 compliance, see Office 365 HIPAA documentation.
- A practical guide to designing secure health solutions using Microsoft Azure
- Azure Blueprint for HIPAA and HITRUST
Frequently asked questions
How can my organization sign a BAA for Microsoft Azure? There is no separate contract to sign to enter into a HIPAA Business Associate Agreement (BAA) with Microsoft because the HIPAA BAA is available via the Microsoft Online Services Terms (OST) by default to all customers who are covered entities or business associates under HIPAA. The OST references the Microsoft OST Data Protection Addendum (DPA), which states that "execution of customer's volume licensing agreement includes execution of the HIPAA BAA".
As explained in the Microsoft Azure Legal Information Service Agreement & Terms, the licensing agreements under which customers purchase Azure incorporate the OST and DPA.
I have a healthcare SaaS solution deployed on Azure. Do my customers need to sign a BAA with Microsoft? No. Microsoft HIPAA BAA is applicable to Microsoft Online Services such as Azure and made available by default to Microsoft customers via a licensing agreement execution that includes the Online Services Terms (OST). If you are a SaaS provider of a healthcare solution deployed on Azure, your customers who are healthcare providers or covered entities under HIPAA can sign a BAA directly with you. They do not need to have a BAA in place with Microsoft to use your SaaS solution. The Microsoft BAA terms incorporated into your licensing agreement with Microsoft would not be applicable to your customers unless they also happen to be Microsoft customers and have separate licensing agreements in place with Microsoft.
Does having a BAA with Microsoft ensure my organization's compliance with HIPAA? No. By offering a BAA, Microsoft helps support your HIPAA compliance, but using Azure or other Microsoft cloud services does not automatically impart compliance onto your cloud solutions. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Azure aligns with HIPAA and the HITECH Act. Microsoft does not inspect, approve, or monitor your applications deployed on Azure. You are wholly responsible for ensuring your own compliance with all applicable laws and regulations.
Can Microsoft use my organization's BAA? No. Microsoft cannot use a customer's BAA. Because we offer hyper-scale, multi-tenant could services that are standardized for all customers, we must operate our services in a consistent manner. The Microsoft HIPAA BAA reflects closely how we operate our cloud services. To address the needs of the healthcare industry, Microsoft collaborated with a consortium of academic medical centers and other public and private sector entities within healthcare to create a BAA that aligns with our hyper-scale cloud services and meets customer needs.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Microsoft Online Services Terms (OST)
- Microsoft OST Data Protection Addendum (DPA)
- Microsoft HIPAA BAA
- HIPAA Omnibus Rule
- Microsoft Cloud for healthcare compliance offerings
- Azure for the healthcare industry
- Azure high-performance computing for health and life sciences
- Microsoft Cloud for the healthcare industry
- Healthcare on the Microsoft Trust Center