Power Virtual Agents compliance offerings
Power Virtual Agents is a Core Online Service, as defined in the Online Services Terms (OST), and is compliant with or covered by:
- Health Insurance Portability and Accountability Act (HIPAA) coverage
- Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)
- Federal Risk and Authorization Management Program (FedRAMP)
- System and Organization Controls (SOC)
- Various International Organization for Standardization (ISO) certifications
- Payment Card Industry (PCI) Data Security Standard (DSS)
- The Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR)
- United Kingdom Government Cloud (G-Cloud)
- Outsourced Service Provider's Audit Report (OSPAR)
- Korea-Information Security Management System (K-ISMS)
- Singapore Multi-Tier Cloud Security (MTCS) Level 3
- Spain Esquema Nacional de Seguridad (ENS) High-Level Security Measures
Health Insurance Portability and Accountability Act (HIPAA) coverage
HIPAA is a United States healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—doctors' offices, hospitals, health insurers, and other healthcare companies—that have access to patients' protected health information (PHI), in addition to business associates—such as cloud service and IT providers—that process PHI on their behalf.
Power Virtual Agents is covered under the Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA).
You can create chatbots that handle protected health information when your organization is bound by HIPAA, as in the following scenarios where the chatbot can:
- Ask individuals to provide their health information (blood pressure, weight, and so on).
- Capture health information and personally identifying information, such as the customer's IP address or email address.
Although Power Virtual Agents is covered under HIPAA, it still isn't intended for use as a medical device. See the disclaimer on the intended use of Power Virtual Agents and medical devices.
Health Information Trust Alliance (HITRUST)
HITRUST is an organization governed by representatives from the healthcare industry.
HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance consistently.
The CSF builds on HIPAA and the HITECH Act, which are US healthcare laws that have established requirements for the use, disclosure, and safeguarding of individually identifiable health information and enforce non-compliance.
HITRUST provides a benchmark—a standardized compliance framework, assessment, and certification process—against which cloud service providers and covered health entities can measure compliance.
Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA) and to accelerate the adoption of secure cloud solutions by federal agencies.
Microsoft's government cloud services meet the requirements of FedRAMP.
By deploying protected services including Azure Government, Office 365 US Government, and Dynamics 365 Government, federal and defense agencies can leverage a rich array of compliant services.
System and Organization Controls (SOC)
SOC is a method for assuring control regulation within a service. Power Virtual Agents has been audited to be compliant with SOC.
SOC audit reports are available from the Microsoft Service Trust Portal.
International Organization for Standardization (ISO) certifications
Power Virtual Agents is compliant with the ISO standards listed in the following table. Audit reports for each are available from the Microsoft Service Trust Portal.
Payment Card Industry (PCI) Data Security Standard (DSS)
The Payment Card Industry (PCI) Data Security Standards (DSS) form a global information security standard designed to prevent fraud through increased control of credit card data.
Organizations of all sizes must follow PCI DSS standards if they accept payment cards from the five major credit card brands:
- American Express
- Japan Credit Bureau (JCB).
Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and card-holder data.
The Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR)
From the CSA STAR website:
The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.
The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions.
Power Virtual Agents has been audited to be compliant with CSA STAR.
United Kingdom Government Cloud (G-Cloud)
Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing.
G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store, the Digital Marketplace. These enable public-sector organizations to compare and procure those services without having to do their own full review process.
Inclusion in the Digital Marketplace requires a self-attestation of compliance, followed by a verification performed by the Government Digital Service (GDS) branch at its discretion.
Outsourced Service Provider's Audit Report (OSPAR)
The OSPAR framework was established by the Association of Banks in Singapore (ABS), which formulated IT security guidelines for outsourced service providers (OSPs) that seek to provide services to Singapore's financial institutions. The ABS Guidelines are intended to assist financial institutions in understanding approaches to due diligence, vendor management, and key technical and organizational controls that should be implemented in cloud outsourcing arrangements, particularly for material workloads.
Power Virtual Agents has OSPAR attestation.
Korea-Information Security Management System (K-ISMS)
K-ISMS is a country-specific ISMS framework that defines a stringent set of control requirements designed to help ensure that organizations in Korea consistently and securely protect their information assets.
Singapore Multi-Tier Cloud Security (MTCS) Level 3
The MTCS Standard for Singapore was prepared under the direction of the Information Technology Standards Committee (ITSC) of the Infocomm Development Authority of Singapore (IDA).
The ITSC promotes and facilitates national programs to standardize IT and communications, and Singapore's participation in international standardization activities.
Spain Esquema Nacional de Seguridad (ENS) High-Level Security Measures
In 2007, the Spanish government enacted Law 11/2007, which established a legal framework to give citizens electronic access to government and public services. This law is the basis for Esquema Nacional de Seguridad (National Security Framework), which is governed by Royal Decree (RD) 3/2010.
The goal of the framework is to build trust in the provision of electronic services, and ensure the access, integrity, availability, authenticity, confidentiality, traceability, and preservation of data, information, and services.