HIPAA applies to organizations that hold Protected Health Information (PHI), and ensuring that your Azure cloud service complies with the parts of the regulation that cover your customers' PHI can be complex.
First of all, we have to understand how PHI is classified and how it is de-identified.
What is PHI? What kind of data is covered under the act?
The Safe Harbor method of the HIPAA Privacy Rule identifies what kind of data is covered under the act: it lists the identifiers (names, dates tied to an individual, contact details, account and record numbers, and the like) that make health information PHI, and that you must remove for the data to count as de-identified.
With any cloud compliance regime, you should clearly recognize that most regulations treat your cloud service provider as a business associate (or its equivalent). In the context of Azure, this means that you need to ensure that Microsoft is compliant as well as your own organization.
Also be aware that achieving Azure compliance with these regulations does not just involve technical tools and systems. It also requires that managerial processes, access policies, and responses to customer requests follow strict guidelines. It is therefore imperative that IT teams work closely with management when working toward compliance in Microsoft Azure.
Microsoft Azure In-Scope Services
The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare regulation. It contains requirements for the use, disclosure, and safeguarding of individually identifiable health information. The act applies to a huge range of entities, including doctors' offices, hospitals, health insurers, and other healthcare companies. Any organization with access to PHI, as well as business associates such as cloud service providers (CSPs) and IT providers that process PHI on its behalf, needs to ensure that it is HIPAA compliant.
Many organizations under HIPAA do not carry out functions such as data processing and claims handling themselves; they rely on third-party companies or individuals. In the context of HIPAA these are called Business Associates. Business associates are individuals or organizations that work with a covered entity in a non-healthcare capacity and are just as responsible for maintaining HIPAA compliance as covered entities. Business associates are the lawyers, accountants, administrators, and IT personnel that work in the healthcare industry and have access to PHI.
In our context, Microsoft is your Business Associate, so you will need to enter into an agreement with Microsoft to ensure compliance with HIPAA.
Microsoft Business Associate Agreement
The organizations that work with PHI are classified into covered entities and business associates, and HIPAA requires that both parties enter into contracts with each other. These contracts ensure that business associates have technical and managerial systems in place to protect PHI. When working with Azure, this means entering into a Business Associate Agreement (BAA) with Microsoft.
For Microsoft cloud services like Azure, the HIPAA Business Associate Agreement is available via the Online Services Terms. It is offered by default to all customers who are covered entities or business associates under HIPAA. The Microsoft BAA clarifies and limits how both you and Microsoft can handle PHI and details the steps that you will both take to adhere to the provisions of HIPAA. Once a BAA is in place, Microsoft customers (covered entities or business associates) can use its services to process and store PHI.
It’s important to recognize, however, that entering into a BAA does not, in itself, ensure that you are HIPAA compliant. In short, you are still responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Microsoft services aligns with HIPAA.
Azure HIPAA Best Practices
Even after entering into a BAA with Microsoft, you will need to ensure that you use and manage your Azure system in a way that keeps it compliant with HIPAA.
Access: As a covered entity, you must identify which employees require access to ePHI and control that access. One way to achieve this is to implement a least-privilege model, together with a procedure for enforcing it and for managing permissions over time.
IAM Entitlements: Once you have identified who should have access, restrict access to ePHI through permissions and entitlements, so that role assignments grant only the actions a job function actually needs.
Designated Security Official: The HIPAA Security Rule requires that one person be designated as responsible for developing and implementing the policies and procedures the rule demands (its "assigned security responsibility" standard). No particular certification is mandated, but the role must be formally assigned.
Management Process: Establish policies and procedures to prevent, detect and correct security violations. Part of this process is to establish a Risk Management Framework to assess the overall risk in your current processes. Build continuous improvement into the management process rather than treating the assessment as a one-off exercise.
Audit Controls: Record and retain activity on the systems that hold ePHI, so that in the event of a data breach you can show the Office for Civil Rights (OCR) exactly how the breach occurred, which records were affected, and who accessed them, backed by a complete audit trail and reporting.
Data Transmission Security: When sending ePHI to business associates or other parties, encrypt it in transit (for example over HTTPS/TLS or a VPN) and keep records showing that only authorized individuals could access it.
Secure Offsite Backup: As part of your contingency plan, keep ePHI backed up in an offsite location that is secure and isolated from production. Whether a new employee deletes a record accidentally or an attacker deletes it intentionally, you should be able to recover and restore that record.
Two-Factor Authentication: Require two-factor authentication for every account that can reach a device, application or database holding ePHI.
Regular Audits: From access controls, ACLs and access logs to firewall logs, audit how data is stored, who accessed it, and how it is transmitted on a regular schedule.
Security Incident Management: Standardize your organization's security incident process and create a policy for handling data breaches. Report breaches and security violations, and set up alerting and security analytics so that you can detect and contain incidents before they become reportable breaches.
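The access, transmission and audit items above are policies; on Azure they are enforced with guardrails such as Azure Policy. The following is an added example, not code from the original post or from Microsoft: a custom Azure Policy "deny" rule for storage accounts that hold ePHI (no plaintext HTTP, TLS 1.2 minimum, no anonymous public blob access), together with a small offline evaluator so the rule can be dry-run against resource JSON before it is assigned. Assumptions not stated on the page: the policy alias names used are the current `Microsoft.Storage` aliases (verify with `az provider show --namespace Microsoft.Storage --expand resourceTypes/aliases`), resource documents are in ARM shape with a top-level `type` and a `properties` object, the evaluator covers only the `allOf`/`anyOf`/`field`/`equals`/`notEquals` subset of the policy language, and the sample accounts are constructed, not real.

```python
"""Added example (not from the original post): an Azure Policy "deny" guardrail
for storage accounts that hold ePHI, plus an offline dry-run evaluator.
Assumptions: alias names are current Microsoft.Storage aliases; resources are
in ARM shape; only allOf/anyOf/field/equals/notEquals are implemented."""
import json

# Guardrail passed to `az policy definition create --rules`: refuse storage
# accounts that accept plaintext HTTP, TLS below 1.2, or public blob access.
HIPAA_STORAGE_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "notEquals": "true"},
                {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                 "notEquals": "TLS1_2"},
                {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
                 "notEquals": "false"},
            ]},
        ]
    },
    "then": {"effect": "deny"},
}

# Constructed sample resource documents in ARM shape (not real accounts).
WEAK_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "phiarchive01",
    "properties": {
        "supportsHttpsTrafficOnly": False,  # plaintext HTTP accepted
        "minimumTlsVersion": "TLS1_0",
        "allowBlobPublicAccess": True,
    },
}
HARDENED_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "phiarchive01",
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False,
    },
}
UNRELATED = {"type": "Microsoft.Compute/virtualMachines", "name": "vm0", "properties": {}}


def _field_value(resource, field):
    """Resolve a policy field: 'type' is top-level; an alias of the form
    'Microsoft.Storage/storageAccounts/<prop>' maps to properties.<prop>.
    Azure Policy compares values as case-insensitive strings, so normalise."""
    if field == "type":
        value = resource.get("type")
    else:
        value = resource.get("properties", {}).get(field.rsplit("/", 1)[-1])
    return None if value is None else str(value).lower()  # True -> "true"


def _matches(cond, resource):
    """Recursive match of one condition block against a resource."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    value = _field_value(resource, cond["field"])
    if "equals" in cond:
        return value == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return value != str(cond["notEquals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule, resource):
    """Return the rule's effect ('deny') when the 'if' block matches, else 'allow'."""
    return rule["then"]["effect"] if _matches(rule["if"], resource) else "allow"


def failing_fields(rule, resource):
    """Property names (other than 'type') whose condition fired, i.e. the
    settings that must change before the resource would be admitted."""
    out = []

    def walk(cond):
        if "allOf" in cond or "anyOf" in cond:
            for c in cond.get("allOf", []) + cond.get("anyOf", []):
                walk(c)
        elif cond["field"] != "type" and _matches(cond, resource):
            out.append(cond["field"].rsplit("/", 1)[-1])

    if evaluate(rule, resource) == "deny":
        walk(rule["if"])
    return out


if __name__ == "__main__":
    for res in (WEAK_ACCOUNT, HARDENED_ACCOUNT, UNRELATED):
        print(res["name"], evaluate(HIPAA_STORAGE_RULE, res), failing_fields(HIPAA_STORAGE_RULE, res))
    print(json.dumps(HIPAA_STORAGE_RULE, indent=2))  # save as rule.json for az
```

To put the guardrail in force, save the printed JSON as `rule.json` and run `az policy definition create --name deny-phi-storage-weak-transport --rules rule.json`, then `az policy assignment create --policy deny-phi-storage-weak-transport --scope /subscriptions/<subscription-id>` (the definition name and scope are placeholders). Azure also ships built-in definitions for each of these three checks; the custom rule is shown so the logic stays visible and can be tested offline before anything is denied in production.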
In summary, HIPAA violations not only result in large fines for your organization but also in reputational loss in the market. Careful planning helps you stay HIPAA compliant: set up guardrails around the acquisition, storage, handling and transmission of PHI, use a Risk Management Framework to address and respond to risks and breaches, and continuously improve your organization's security posture.
Microsoft publishes a lot of documentation and a Blueprint on HIPAA compliance on Azure: