Compliance in Microsoft Cloud for Healthcare

Microsoft Azure, Microsoft Dynamics 365, Microsoft 365, Microsoft Power Platform, and Microsoft Fabric services and their underlying infrastructure employ a security framework. This framework encompasses industry best practices and spans multiple standards, including the ISO 27000 family of standards, NIST 800, and others. As part of our comprehensive compliance offering, Microsoft regularly undergoes independent audits performed by qualified third-party accredited assessors.

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. The CSF builds on HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act). It incorporates healthcare-specific security, privacy, and other regulatory requirements from existing frameworks such as the PCI (Payment Card Industry) DSS (Data Security Standard), ISO 27001, EU privacy laws and regulations, NIST, and MARS-E. HITRUST provides a benchmark: a standardized compliance framework, assessment, and certification process against which cloud service providers and covered health entities can measure compliance.

Microsoft is one of the first hyperscale cloud service providers to receive certification for the HITRUST CSF. The HIPAA Business Associate Agreement (BAA) clarifies and limits how the business associate (Microsoft) can handle protected health information (PHI). It outlines additional terms for each party related to the security and privacy provisions in HIPAA and the HITECH Act. The BAA is automatically included as part of the Online Services Terms and applies to customers who are covered entities or business associates and are storing PHI.

The qualifying license terms for Microsoft 365/Office 365, Dynamics 365, Microsoft Power Platform, and Azure are found in the Online Service Terms and the Microsoft Privacy Statement.

Microsoft Cloud for Healthcare and Online Services (such as Office 365, Dynamics 365, Power Platform, Azure, and Microsoft Fabric) (together, "Microsoft Cloud for Healthcare"):

  1. aren't intended or made available as medical devices.

  2. aren't designed or intended to be used in the diagnosis, cure, mitigation, monitoring, treatment or prevention of a disease, condition or illness. No license or right is granted by Microsoft to use the online services for such purposes.

  3. aren't designed or intended to be a substitute for professional medical advice, diagnosis, treatment, or judgment and shouldn't be used to replace or as a substitute for professional medical advice, diagnosis, treatment, or judgment. Customer shouldn't use Microsoft Cloud for Healthcare as a medical device. To the extent customer makes Microsoft Cloud for Healthcare available as a medical device, or puts it into service for such a use, customer is solely responsible for such use and acknowledges that it would be the legal manufacturer in respect of any such use. Customer is solely responsible for displaying and/or obtaining appropriate consents, warnings, disclaimers, and acknowledgments to end users of customer’s implementation of Microsoft Cloud for Healthcare. Customer is solely responsible for any use of Microsoft Cloud for Healthcare to collate, store, transmit, process, or present any data or information from any third-party products (including medical devices).

You can learn more about Microsoft’s commitments to data protection and privacy by visiting our Trust Center.

In-scope regulations for Microsoft services

| Service | HITRUST | EU privacy laws and regulations | SOC 1 | SOC 2 | ISO 27017 | ISO 27001 |
|---|---|---|---|---|---|---|
| Azure Data Lake Storage Gen2 | Yes | Yes | Yes | Yes | Yes | Yes |
| Azure AI Health Bot | Yes | Yes | Yes | Yes | Yes | Yes |
| Azure Health Data Services | Yes | Yes | Yes | Yes | Yes | Yes |
| Azure Healthcare APIs | Yes | Yes | Yes | Yes | Yes | Yes |
| Azure IoT Hub | Yes | Yes | Yes | Yes | Yes | Yes |
| Azure Synapse Analytics | Yes | Yes | Yes | Yes | Yes | Yes |
| Chat Add-in for Dynamics 365 Customer Service (Omnichannel for Customer Service) | Yes | Yes | Yes | Yes | Yes | Yes |
| Customer Service Insights Add-in for Microsoft Dynamics 365 Customer Service | Yes | Yes | Yes | Yes | Yes | Yes |
| Dataverse | Yes | Yes | Yes | Yes | Yes | Yes |
| Dynamics 365 Customer Insights - Data | Yes | Yes | Yes | Yes | Yes | Yes |
| Dynamics 365 Customer Insights - Journeys | Yes | Yes | Yes | Yes | Yes | Yes |
| Dynamics 365 Customer Service | Yes | Yes | Yes | Yes | Yes | Yes |
| Dynamics 365 Customer Voice | Yes | Yes | Yes | Yes | Yes | Yes |
| Dynamics 365 Field Service | Yes | Yes | Yes | Yes | Yes | Yes |
| Dynamics 365 Sales | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft Purview | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft Teams | Yes | Yes | Yes | Yes | Yes | Yes |
| Power Apps | Yes | Yes | Yes | Yes | Yes | Yes |
| Power Automate | Yes | Yes | Yes | Yes | Yes | Yes |
| Power BI | Yes | Yes | Yes | Yes | Yes | Yes |

Healthcare data solutions in Microsoft Fabric

To review the compliance information for healthcare data solutions in Microsoft Fabric, see Compliance and security in healthcare data solutions in Microsoft Fabric.