Compliance in Microsoft Cloud for Healthcare

Microsoft Azure, Microsoft Dynamics 365, Microsoft 365, and Microsoft Power Platform services and their underlying infrastructure employ a security framework that encompasses industry best practices and spans multiple standards, including the ISO 27000 family of standards, NIST 800, and others. As part of our comprehensive compliance offering, Microsoft regularly undergoes independent audits performed by qualified third-party accredited assessors.

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. The CSF builds on HIPAA and the HITECH Act and incorporates healthcare-specific security, privacy, and other regulatory requirements from existing frameworks such as the PCI DSS, ISO 27001, EU GDPR, NIST, and MARS-E.

HITRUST provides a benchmark—a standardized compliance framework, assessment, and certification process—against which cloud service providers and covered health entities can measure compliance. HITRUST offers 3 degrees of assurance or levels of assessment: self-assessment, CSF-validated, and CSF-certified. Each level builds with increasing rigor on the one that precedes it. An organization with the highest level, CSF-certified, meets all the CSF certification requirements.

Microsoft is one of the first hyperscale cloud service providers to receive certification for the HITRUST CSF. The HIPAA Business Associate Agreement (BAA) clarifies and limits how the business associate (Microsoft) can handle protected health information (PHI) and sets forth additional terms for each party related to the security and privacy provisions outlined in HIPAA and the HITECH Act. The BAA is automatically included as part of the Online Services Terms and applies to customers who are covered entities or business associates and are storing PHI.

The Microsoft Healthcare Add-on Service Specific Terms explain your and Microsoft’s rights and obligations with respect to regulatory compliance standards for Customer Data and Non-Microsoft Product data solely in connection with your use of the Microsoft Healthcare Add-on.

The qualifying license terms for Microsoft 365/Office 365, Dynamics 365, Microsoft Power Platform, Azure, and the Microsoft Health Bot service are found in the Online Service Terms and the Microsoft Privacy Statement, and are a prerequisite to your use of the Healthcare Add-on SKU.

Microsoft Cloud for Healthcare Add-On and Online Services (Office 365, Dynamics 365, Power Platform, Azure, and the Healthcare Bot Service) (together, “Microsoft Cloud for Healthcare”) (1) are not intended or made available as a medical device(s), (2) are not designed or intended to be used in the diagnosis, cure, mitigation, monitoring, treatment or prevention of a disease, condition or illness, and no license or right is granted by Microsoft to use the healthcare add-on or online services for such purposes, and (3) are not designed or intended to be a substitute for professional medical advice, diagnosis, treatment, or judgment and should not be used to replace or as a substitute for professional medical advice, diagnosis, treatment, or judgment. Customer should not use Microsoft Cloud for Healthcare as a medical device. To the extent customer makes Microsoft Cloud for Healthcare available as a medical device, or puts it into service for such a use, customer is solely responsible for such use and acknowledges that it would be the legal manufacturer in respect of any such use. Customer is solely responsible for displaying and/or obtaining appropriate consents, warnings, disclaimers, and acknowledgments to end users of customer’s implementation of Microsoft Cloud for Healthcare. Customer is solely responsible for any use of Microsoft Cloud for Healthcare to collate, store, transmit, process or present any data or information from any third-party products (including medical devices).

The regulatory compliance standards that apply to certain features offered through the Microsoft Healthcare Add-On can be found in the compliance document (PDF). You can learn more about Microsoft’s commitments to data protection and privacy and the Microsoft Healthcare Add-On by visiting our Trust Center.

HIPAA and HITECH in-scope Services

  • Azure Health Data Services
  • Azure IoT Hub
  • Dynamics 365 Customer Insights
  • Dynamics 365 Customer Service
  • Digital Messaging Add-in for Dynamics 365 Customer Service
  • Chat Add-in for Dynamics 365 Customer Service/Omnichannel for Customer Service
  • Dynamics 365 Field Service
  • Dynamics 365 Marketing
  • Dynamics 365 Resource Scheduling Optimization
  • Dynamics 365 Universal Resource Scheduling
  • Microsoft Dataverse
  • Microsoft Teams
  • Power Apps
  • Power Automate
  • Power BI