Is Microsoft Azure HIPAA Compliant?

Microsoft Azure provides a suite of cloud services including virtual machines (VMs), data and object storage, databases, machine learning and analysis tools and more.

HIPAA Compliance with Azure

Azure is a public cloud platform providing virtual machines (VMs), databases, data storage, and many other cloud services. Teams can use Azure services to build, scale and manage applications and workloads in the cloud.

Azure can be used in a HIPAA-compliant manner. Microsoft will sign a Business Associates’ Agreement (BAA) with Azure customers, meaning that healthcare organizations may use Azure cloud services with protected health information (PHI). However, healthcare organizations must implement certain requirements themselves in order to achieve HIPAA compliance on Azure.

  • Provides a Business Associates’ Agreement (BAA)
  • Provides HIPAA/HITECH Covered Services

Microsoft Azure HIPAA Covered Services

Cloud service providers typically define a set of “HIPAA covered services”, i.e. the services that organizations may use with PHI. Organizations must only store, transmit, and process PHI on services that appear on the Azure HIPAA covered services list.

The following cloud services are covered under the Azure Business Associates’ Agreement (BAA):

  • Azure and Azure Government
  • Microsoft Cloud App Security
  • Microsoft Cloud for Healthcare
  • Microsoft Healthcare Bot Service
  • Microsoft Stream
  • Microsoft Professional Services: Premier and On Premises for Azure, Dynamics 365, Intune, and for medium business and enterprise customers of Microsoft 365 for business
  • Dynamics 365 and Dynamics 365 U.S. Government
  • Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Intune
  • Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense
  • PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Power BI cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Azure DevOps Services

Physical Safeguard Requirements

Public cloud providers, including Azure, operate under a shared responsibility model, meaning that HIPAA requirements are divided between the cloud provider and the cloud customer. The Azure BAA outlines the overall compliance responsibilities of each party when PHI is used on Azure.

Under the Azure BAA, Microsoft handles many of the required HIPAA physical safeguards including:

  • Employee Access Restrictions
  • Locked Servers and Equipment
  • Disposal and Reuse
  • Facility Maintenance and Management

Technical Safeguard Requirements

While Azure provides a number of different security services, it is up to your team to ensure that all required technical controls are configured and in place. This means your security team is responsible for implementing security standards for each individual cloud service, including configuring:

  • Access Control
  • Networking and Firewall Restrictions
  • Encryption (at-rest and in-transit)
  • Backup
  • Audit Logging
  • Intrusion Detection and Antivirus

Administrative Safeguard Requirements

While using a public cloud platform such as Azure enables teams to leverage many security programs and cloud services, your team is still responsible for implementing the HIPAA-required administrative safeguards.

HIPAA requires your team to establish a set of policies and standard operating procedures. Your team should develop and maintain policies that address the following topics:

  • Security Roles
  • System Access
  • Configuration Management
  • Disaster Recovery (DR)
  • Incident and Breach Response
  • Employee Training

Steps To HIPAA Compliance

Sign Azure BAA

Sign the Azure Business Associates’ Agreement (BAA) and determine covered services before utilizing PHI on the Azure cloud.

Implement Policies/Procedures

Develop HIPAA administrative policies with Dash and define how your organization will manage PHI inside and outside of Azure.

Enforce Technical Controls

Configure all necessary cloud security settings and controls and maintain HIPAA technical controls with Dash continuous compliance monitoring.

Achieve HIPAA Compliance With Dash

Dash makes it easy for healthcare organizations to build HIPAA Security Programs in Azure and AWS and achieve HIPAA Compliance for applications and workloads hosted in the cloud.

With Dash, your team can create and customize administrative policies, set all cloud security controls, and monitor and maintain HIPAA compliance with continuous compliance monitoring. Learn how Dash can help your team streamline compliance in the cloud.

  • Create Custom Security Policies
  • Configure Technical Controls In Azure
  • Enforce Policies and Cloud Security Controls