Compliance in Microsoft Cloud for Healthcare
Microsoft Azure, Microsoft Dynamics 365, Microsoft 365, and Microsoft Power Platform services and their underlying infrastructure employ a security framework that encompasses industry best practices and spans multiple standards, including the ISO 27000 family of standards, NIST 800, and others. As part of our comprehensive compliance offering, Microsoft regularly undergoes independent audits performed by qualified third-party accredited assessors.
The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. The CSF builds on HIPAA and the HITECH Act and incorporates healthcare-specific security, privacy, and other regulatory requirements from existing frameworks such as the PCI DSS, ISO 27001, EU privacy laws and regulations, NIST, and MARS-E. HITRUST provides a benchmark: a standardized compliance framework, assessment, and certification process against which cloud service providers and covered health entities can measure compliance.
Microsoft is one of the first hyperscale cloud service providers to receive certification for the HITRUST CSF. The HIPAA Business Associate Agreement (BAA) clarifies and limits how the business associate (Microsoft) can handle protected health information (PHI) and sets forth additional terms for each party related to the security and privacy provisions outlined in HIPAA and the HITECH Act. The BAA is automatically included as part of the Online Services Terms and applies to customers who are covered entities or business associates and are storing PHI.
The qualifying license terms for Microsoft 365/Office 365, Dynamics 365, Microsoft Power Platform, Azure, and the Microsoft Health Bot service are found in the Online Service Terms and the Microsoft Privacy Statement.
Microsoft Cloud for Healthcare and Online Services (such as Office 365, Dynamics 365, Power Platform, Azure, and the Healthcare Bot Service) (together, “Microsoft Cloud for Healthcare”):
- aren't intended or made available as a medical device(s)
- aren't designed or intended to be used in the diagnosis, cure, mitigation, monitoring, treatment or prevention of a disease, condition or illness, and no license or right is granted by Microsoft to use the online services for such purposes
- aren't designed or intended to be a substitute for professional medical advice, diagnosis, treatment, or judgment and shouldn't be used to replace or as a substitute for professional medical advice, diagnosis, treatment, or judgment. Customer shouldn't use Microsoft Cloud for Healthcare as a medical device. To the extent customer makes Microsoft Cloud for Healthcare available as a medical device, or puts it into service for such a use, customer is solely responsible for such use and acknowledges that it would be the legal manufacturer in respect of any such use. Customer is solely responsible for displaying and/or obtaining appropriate consents, warnings, disclaimers, and acknowledgments to end users of customer’s implementation of Microsoft Cloud for Healthcare. Customer is solely responsible for any use of Microsoft Cloud for Healthcare to collate, store, transmit, process, or present any data or information from any third-party products (including medical devices).
You can learn more about Microsoft’s commitments to data protection and privacy by visiting our Trust Center.
In-scope regulations for Microsoft services
Service | HITRUST | EU privacy laws and regulations | SOC 1 | SOC 2 | ISO 27017 | ISO 27001 |
---|---|---|---|---|---|---|
Azure Data Lake Storage Gen2 | Yes | Yes | Yes | Yes | Yes | Yes |
Azure Health Bot | Yes | Yes | Yes | Yes | Yes | Yes |
Azure Health Data Services | Yes | Yes | Yes | Yes | Yes | Yes |
Azure Healthcare APIs | Yes | Yes | Yes | Yes | Yes | Yes |
Azure IoT Hub | Yes | Yes | Yes | Yes | Yes | Yes |
Azure Synapse Analytics | Yes | Yes | Yes | Yes | Yes | Yes |
Chat Add-in for Dynamics 365 Customer Service (Omnichannel for Customer Service) | Yes | Yes | Yes | Yes | Yes | Yes |
Customer Service Insights Add-in for Microsoft Dynamics 365 Customer Service | Yes | Yes | Yes | Yes | Yes | Yes |
Dataverse | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Customer Insights | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Customer Service | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Customer Voice | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Field Service | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Marketing | Yes | Yes | Yes | Yes | Yes | Yes |
Dynamics 365 Sales | Yes | Yes | Yes | Yes | Yes | Yes |
Microsoft Purview | Yes | Yes | Yes | Yes | Yes | Yes |
Microsoft Teams | Yes | Yes | Yes | Yes | Yes | Yes |
Power Apps | Yes | Yes | Yes | Yes | Yes | Yes |
Power Automate | Yes | Yes | Yes | Yes | Yes | Yes |
Power BI | Yes | Yes | Yes | Yes | Yes | Yes |
Additional resources
- Trust Center
- Latest HITRUST Letter of Certification is available to customers in the Service Trust Platform (STP) and HITRUST CSF version
- Microsoft 365 data residency and privacy
- Azure data residency and privacy
- Dynamics 365 and Power Platform data residency and privacy
- Compliance