Microsoft Azure is a popular public cloud provider for healthcare organizations, where maintaining HIPAA compliance is always a paramount concern.
Azure is often highly desirable for its compliance, security, and disaster recovery prowess. As noted in Security Boulevard, “Azure is one of the most secure cloud platforms out there. With its array of compliance certifications, Azure has emerged as the preferred cloud platform for high-risk industries such as government agencies and healthcare.” However, the same article goes on to note that, “deploying Azure requires platform expertise for it to run efficiently.”
Azure provides an excellent framework for achieving and maintaining compliance, but it doesn’t “do” compliance for you. Like all public cloud providers, Azure runs on a shared responsibility model and every healthcare entity using Azure remains individually responsible for their own processes and operations to meet HIPAA requirements for data and information management.
Here are three sources of HIPAA-violation risks that may be lurking in your healthcare organization’s Azure environment:
Misunderstanding What the BAA Covers
A HIPAA Business Associate Agreement (BAA) is a written contract between a HIPAA-covered entity and its vendors, contractors, and third-party service providers, and it is required by law. Healthcare organizations generally handle protected health information (PHI) or electronic PHI (ePHI), and so must sign a BAA with every contractor that will have access to that information or use it as part of its work for the organization. The BAA describes how both parties adhere to HIPAA regulations, along with the responsibilities and risks each takes on. Microsoft Azure customers can and should sign a HIPAA BAA with Microsoft, but doing so does not automatically make an Azure environment HIPAA compliant.
Generally, the Microsoft BAA sets out Microsoft's obligations for the platform side of the shared responsibility model: safeguarding ePHI within the covered services (for example, encrypting data in transit and at rest) and notifying the customer of security incidents. The platform also makes available the access, permissions, and audit controls and detailed logging that HIPAA requires. But the healthcare organization must set, manage, and monitor all those controls itself, and it is responsible for any HIPAA violations that result from failing to do so. Azure customers have to make sure that all of their own cloud resources are configured correctly. They also have to keep all their BAAs up to date and understand their responsibilities as new requirements come into force, such as the ONC Final Rule and its information blocking prohibitions.
As explained on Lexology: “Most health care providers and their business associates understand their HIPAA compliance obligations. The [ONC Final Rule] ban on information blocking does not change those obligations, but it adds a layer of complexity.” The ONC states that “in some instances, a business associate will be an actor under the information blocking regulation in 45 CFR part 171 and in other situations, it may not be an actor.” It is up to the healthcare organization using Azure to review and manage those situations, and any BAAs that pertain to them.
Neglecting Out-of-Scope Services
Microsoft publishes a long list of Azure services that are in scope for its HIPAA BAA. With a Microsoft BAA in place, those services can be used to process and store ePHI. But Microsoft also offers many services that are not in scope, as well as an Azure Marketplace with thousands of third-party applications that may or may not be covered. That does not mean out-of-scope services lack value or that healthcare organizations cannot use them; many do. It means they are not covered for use with PHI, and therein lies the danger.
Allowing out-of-scope services to interact with PHI puts the organization at odds with the HIPAA requirements that govern that data: the Privacy Rule's protections for patient confidentiality, the Security Rule's administrative, physical, and technical safeguards, and the standards for identifiers and transaction code sets used in healthcare claims. Any of these can be the basis of a HIPAA violation in an improperly configured Azure environment, so the practical control is a technical one: decide which services may hold PHI, enforce that allowlist at deployment time, and keep checking the inventory against it.
Treating Compliance as a One-Time Exercise
To make the most of cloud power on Azure while meeting regulatory requirements, compliance adherence and monitoring must be a continuous process. Safeguarding the massive flow of PHI demands attention 24/7, but that does not mean healthcare organizations have to hire an army of IT staff to meet that challenge.
HIPAA controls in your Azure environment can be automated, and continuous compliance checks mapped to the relevant HIPAA sections of 45 CFR can supply real-time visibility into your compliance posture around the clock.
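As an added example (not code from the original article or from Cloudticity), the following Python script shows the two halves of the out-of-scope-services control discussed above: an Azure Policy rule that denies deploying a PHI-tagged resource whose type is not on an allowlist, and a local evaluator that applies the same rule to an exported resource inventory, which is the shape a scheduled compliance check takes. The allowlist, the `dataClassification` tag, and the sample inventory are all constructed for illustration; the allowlist is not Microsoft's actual list of BAA-covered services and should be populated from it.

```python
"""Guardrail for out-of-scope services touching PHI, expressed two ways:

1. build_policy_rule() emits an Azure Policy rule (to be wrapped in a policy
   definition and assigned at subscription or management-group scope) that
   denies creating or updating a PHI-tagged resource whose type is not on
   the allowlist.
2. evaluate_inventory() applies the same rule locally to an exported
   resource inventory, i.e. a scheduled compliance check.
"""
import json

# Illustrative allowlist, constructed for this example. In practice, populate
# it from Microsoft's current list of Azure services covered by the HIPAA BAA;
# nothing here is a statement about which services Microsoft actually covers.
PHI_ALLOWED_TYPES = [
    "Microsoft.Storage/storageAccounts",
    "Microsoft.Sql/servers",
    "Microsoft.Sql/servers/databases",
    "Microsoft.KeyVault/vaults",
    "Microsoft.Compute/virtualMachines",
]

# Tag used to mark resources that hold or process PHI. Name and value are
# assumptions; adopt your own tagging standard.
PHI_TAG = "dataClassification"
PHI_TAG_VALUE = "PHI"


def build_policy_rule(allowed_types=PHI_ALLOWED_TYPES):
    """Return the policyRule body of an Azure Policy definition.

    'type' and tags['...'] are standard policy fields. Azure Policy compares
    string values case-insensitively, so mixed-case type names are fine.
    The deny effect only blocks new deployments and updates; resources that
    already exist are reported as non-compliant, not removed.
    """
    return {
        "if": {
            "allOf": [
                {"field": f"tags['{PHI_TAG}']", "equals": PHI_TAG_VALUE},
                {"not": {"field": "type", "in": list(allowed_types)}},
            ]
        },
        "then": {"effect": "deny"},
    }


def evaluate_inventory(resources, allowed_types=PHI_ALLOWED_TYPES):
    """Apply the same rule to an inventory export: a list of dicts with
    'id', 'type' and 'tags'.

    Returns {'noncompliant': [...], 'untagged': [...]}. Untagged resources
    are reported separately because the deny rule never fires for them;
    that gap has to be closed by a separate 'require tag' policy, so a
    compliance check should surface it rather than silently pass.
    """
    allowed = {t.lower() for t in allowed_types}
    noncompliant, untagged = [], []
    for r in resources:
        tags = {k.lower(): v for k, v in (r.get("tags") or {}).items()}
        classification = tags.get(PHI_TAG.lower())
        if classification is None:
            untagged.append(r["id"])
            continue
        if classification.lower() != PHI_TAG_VALUE.lower():
            continue  # tagged, but not as PHI: the rule does not apply
        if r["type"].lower() not in allowed:
            noncompliant.append(r["id"])
    return {"noncompliant": noncompliant, "untagged": untagged}


# Constructed sample inventory (not a real export).
SAMPLE_INVENTORY = [
    {"id": "/subscriptions/s1/resourceGroups/rg-ehr/providers/Microsoft.Storage/storageAccounts/ehrblob",
     "type": "Microsoft.Storage/storageAccounts",
     "tags": {"dataClassification": "PHI"}},
    # Flagged only because its type is absent from the constructed allowlist.
    {"id": "/subscriptions/s1/resourceGroups/rg-ehr/providers/Microsoft.Logic/workflows/claims-etl",
     "type": "Microsoft.Logic/workflows",
     "tags": {"DataClassification": "phi"}},
    {"id": "/subscriptions/s1/resourceGroups/rg-web/providers/Microsoft.Web/sites/marketing-site",
     "type": "Microsoft.Web/sites",
     "tags": {"dataClassification": "Public"}},
    {"id": "/subscriptions/s1/resourceGroups/rg-ehr/providers/Microsoft.Compute/virtualMachines/vm-batch",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {}},
]

if __name__ == "__main__":
    print(json.dumps(build_policy_rule(), indent=2))
    print(json.dumps(evaluate_inventory(SAMPLE_INVENTORY), indent=2))
```

Run against the constructed inventory, the evaluator flags the Logic App as non-compliant (PHI-tagged, type not allowlisted) and reports the untagged VM separately; the storage account passes and the public web app is out of the rule's scope. The same rule shipped as a deny policy stops the Logic App deployment up front, while the scheduled evaluation catches resources created before the policy was assigned or through paths the policy does not govern.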
At Cloudticity, we’ve always believed that automation is essential in extracting the greatest value out of Azure deployments (and we’re not alone in our stance). For healthcare organizations, a huge part of that value comes in using automation to ensure continuous HIPAA compliance.
To learn more about best practices for achieving HIPAA compliance on Microsoft Azure, download our HIPAA Compliance on Microsoft Azure eBook.