HIPAA (US)

HIPAA overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations issued under HIPAA are a set of US healthcare laws that, among other provisions, establish requirements for the use, disclosure, and safeguarding of protected health information (PHI). The scope of HIPAA was extended in 2009 with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act that was created to stimulate the adoption of electronic health records and supporting information technology.

HIPAA applies to covered entities – doctors’ offices, hospitals, health insurers, and other healthcare companies – that create, receive, maintain, transmit, or access PHI. HIPAA further applies to business associates of covered entities that perform certain functions or activities involving PHI as part of providing services to the covered entity or on behalf of the covered entity. When a covered entity engages the services of a cloud service provider (CSP), such as Microsoft, the CSP becomes a business associate under HIPAA. Moreover, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit PHI, the CSP also becomes a business associate.

Together, HIPAA and HITECH Act rules include:

  • The Privacy Rule, which requires appropriate safeguards to protect the privacy of PHI and imposes restrictions on the use and disclosure of PHI without patient authorization. It also gives patients the rights over their health information, including rights to examine their health records and request corrections.
  • The Security Rule, which sets the standards for administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.
  • The Breach Notification Rule, which requires covered entities and their business associates to provide notification when a breach of unsecured PHI occurs.

HIPAA regulations require that covered entities and their business associates enter into a contract called a Business Associate Agreement (BAA) to ensure the business associates protect PHI adequately. Among other things, a BAA establishes the permitted and required uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities and services being performed by the business associate.

Azure and HIPAA

There is currently no certification program approved by the US Department of Health and Human Services (HHS) through which a CSP acting as a business associate could demonstrate compliance with HIPAA and the HITECH Act. However, HIPAA and HITECH Act requirements have been mapped to other established security frameworks and standards that CSPs typically attest to:

  • The National Institute of Standards and Technology (NIST) SP 800-66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which addresses security concepts in the HIPAA Security Rule and explains how they relate to other NIST publications on information security. Specifically, Appendix D – Security Rule Standards and Implementation Specifications Crosswalk provides a catalog of the HIPAA Security Rule standards and implementation specifications, and maps each to relevant security controls detailed in NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations. NIST SP 800-53 serves as the baseline control set for the US Federal Risk and Authorization Management Program (FedRAMP). Therefore, a FedRAMP assessment and authorization provides strong assurances that HIPAA Security Rule safeguard standards and specifications are addressed adequately. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB).
  • The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), which maps HIPAA and HITECH Act requirements to CCM control objectives covering fundamental security principles across CCM domains. Both Azure and Azure Government maintain the CSA STAR Certification and CSA STAR Attestation that are based on the CCM.
  • The HHS HIPAA Security Rule Crosswalk to NIST Cyber Security Framework, which maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework (CSF) subcategory, and provides relevant control mapping to other standards including ISO/IEC 27001 and NIST SP 800-53. Both Azure and Azure Government align with the NIST CSF and are certified under ISO/IEC 27001.

To support our customers who are subject to HIPAA compliance, Microsoft will enter into BAAs with its covered entity and business associate customers. Azure has enabled the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act inside the in-scope Azure services, and offers a HIPAA BAA as part of the Microsoft Product Terms (formerly Online Services Terms) to all customers who are covered entities or business associates under HIPAA for use of such in-scope Azure services. In the BAA, Microsoft makes contractual assurances about data safeguarding, reporting (including breach notifications), data access in accordance with HIPAA and the HITECH Act, and many other important provisions. Microsoft enables you in your compliance with HIPAA and the HITECH Act, and adheres to the HIPAA Security Rule requirements in its capacity as a business associate.

Azure Policy regulatory compliance built-in initiative for HIPAA/HITRUST maps to HIPAA/HITRUST compliance domains and controls. Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each HIPAA/HITRUST control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Applicability

  • Azure
  • Azure Government

Services in scope

For Microsoft online services in scope for the HIPAA BAA coverage, see Microsoft Azure Compliance Offerings. Tables in Appendices A and B provide detailed compliance scope coverage for Azure, select Microsoft 365, and Power Platform online services. For Dynamics 365 HIPAA BAA coverage, see Dynamics 365 service compliance.

Office 365 and HIPAA

For more information about Office 365 compliance, see Office 365 HIPAA documentation.

Guidance documents

Frequently asked questions

How can my organization sign a BAA for Microsoft Azure?
There is no separate contract to sign to enter into a HIPAA Business Associate Agreement (BAA) with Microsoft because the HIPAA BAA is available via the Microsoft Product Terms (formerly Online Services Terms) by default to all customers who are covered entities or business associates under HIPAA. The Microsoft Product Terms references the Microsoft Products and Services Data Protection Addendum (DPA), which states that "execution of customer's volume licensing agreement includes execution of the HIPAA Business Associate Agreement".

As explained in the Microsoft Azure Legal Information Service Agreement & Terms, the licensing agreements under which customers purchase Azure incorporate the Microsoft Product Terms and the Microsoft Products and Services Data Protection Addendum (DPA).

I have a healthcare SaaS solution deployed on Azure. Do my customers need to sign a BAA with Microsoft?
No. Microsoft HIPAA BAA is applicable to Microsoft Online Services such as Azure and made available by default to Microsoft customers via a licensing agreement execution that includes the Microsoft Product Terms (formerly Online Services Terms) and the Microsoft Products and Services Data Protection Addendum (DPA). If you're a SaaS provider of a healthcare solution deployed on Azure, your customers who are healthcare providers or covered entities under HIPAA can sign a BAA directly with you. They don't need to have a BAA in place with Microsoft to use your SaaS solution. The Microsoft BAA terms incorporated into your licensing agreement with Microsoft wouldn't be applicable to your customers unless they also happen to be Microsoft customers and have separate licensing agreements in place with Microsoft.

Does having a BAA with Microsoft ensure my organization's compliance with HIPAA?
No. By offering a BAA, Microsoft helps support your HIPAA compliance, but using Azure or other Microsoft cloud services doesn't automatically impart compliance onto your cloud solutions. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Azure aligns with HIPAA and the HITECH Act. Microsoft doesn't inspect, approve, or monitor your applications deployed on Azure. You're wholly responsible for ensuring your own compliance with all applicable laws and regulations.

Can Microsoft use my organization's BAA?
No. Microsoft can't use a customer's BAA. Because we offer hyper-scale, multi-tenant could services that are standardized for all customers, we must operate our services in a consistent manner. The Microsoft HIPAA BAA reflects closely how we operate our cloud services. To address the needs of the healthcare industry, Microsoft collaborated with a consortium of academic medical centers and other public and private sector entities within healthcare to create a BAA that aligns with our hyper-scale cloud services and meets customer needs.

Resources