Technology Tips - How to make Azure HIPAA compliant

Friday, January 24, 2020

HIPAA can be defined as the Health Insurance Portability and Accountability Act practiced in the United States, together with its implementing regulations, including the Privacy Rule, the Breach Notification Rule and the Security Rule, as amended from time to time.

When it comes to implementing HIPAA on Azure, Microsoft keeps a dual responsibility model between the customer and Azure: Microsoft is fully liable for the services it offers on the cloud and ensures that customers get security, privacy and compliance accordingly.

The customer, in turn, is responsible for the services provisioned for them: the customer's applications, data and VMs, and the regulatory requirements applicable to them.


How to make Azure HIPAA compliant:


HIPAA encourages organizations to use cloud services; the only real concern is security, that is, whether customer data is fully protected.

As you know, a customer who uses cloud services for HIPAA is called a BA (business associate, such as a cloud service provider or an IT company), meaning business associates process PHI on their behalf. So the first thing to understand is that there are three separate things: Microsoft offering cloud services, the BAA (the business associate or organization practicing healthcare activity), and the HIPAA act itself, which covers healthcare insurance activity.

Azure Service Fabric HIPAA:


We hope you now have a better understanding of the term used in the HIPAA rule called PHI, which is patient health information. Covered entities include doctors, health insurers and other healthcare companies, and at any point in time they can disclose protected information to law enforcement personnel as required by the act or for an administrative request. This is where Azure services come into the picture, since you are allowed to implement HIPAA on Azure.

To be very precise, the HIPAA regulation actually covers covered entities and their business associates; as you understood, when Microsoft provides cloud services to a covered entity (for example a health insurer), it enters into a contract to ensure that PHI is protected.

All customers must have their own compliance mechanism, policies and procedures in place according to the HIPAA requirements, and each customer has to verify independently, with their own legal entities, that their implementation meets the HIPAA requirements.

HIPAA has different security policies, so Microsoft Azure ensures that such services are audited by an external auditor under the ISO 27001 standard, under which all the required security controls must be implemented.
Many security items will be identified by the application, which is controlled by the customer itself; a few of them you can check yourself as you design and implement your solution on Azure.

Microsoft does not monitor the applications or services on Azure, nor the data the customer chooses to put on the Azure cloud. So as a customer you should check the VM (virtual machine) logs, the Azure portal itself and Azure Storage. Here things are very clear: Microsoft is giving you a platform on which to implement the HIPAA act in terms of services, and it is you who actually makes it HIPAA compliant; only then can you say "Azure is HIPAA compliant".

The customer is solely responsible for mitigating any suspected or unknown incident which could harm the application and ultimately the Azure database services.

The customer is also responsible for any cluster environment they use and for patching its software, if they want to implement HIPAA with it or make it HIPAA compliant.

In terms of application data that is critical for functionality, such as user access to entities or user access to patient health information, access is controlled by design and by the customer's application itself.
The customer is also responsible for security breaches, and for the data passed from the app to the database, to ensure that no unauthorized access is given.

As you understood, the customer is fully liable for securing their own app and the SQL databases that app accesses, in order to prevent unauthorized access. This covers any T-SQL statement used inside their application against those databases that could lead to improper use of data; the customer is fully responsible for that.
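As an added example (not code from the original post), here is how the application-side access control described above can be pushed into the Azure SQL database itself with T-SQL: a database role that sees only the columns it needs, plus a row-level security policy so each clinician sees only their own patients. The schema, table, column and user names (phi, sec, PatientRecord, AssignedClinician, ClinicianRole, dr_smith, dr_jones) are assumed for illustration.

```sql
-- Assumed schema and table holding PHI (names chosen for this example).
CREATE SCHEMA phi;
GO
CREATE TABLE phi.PatientRecord (
    PatientId         INT IDENTITY PRIMARY KEY,
    FullName          NVARCHAR(100) NOT NULL,
    Diagnosis         NVARCHAR(200) NULL,
    SSN               CHAR(11)      NULL,      -- sensitive identifier, kept out of the role's grant
    AssignedClinician SYSNAME       NOT NULL   -- database user name of the treating clinician
);
GO
-- Constructed sample rows.
INSERT INTO phi.PatientRecord (FullName, Diagnosis, SSN, AssignedClinician) VALUES
    (N'Sample Patient A', N'Hypertension', '000-00-0001', N'dr_smith'),
    (N'Sample Patient B', N'Asthma',       '000-00-0002', N'dr_jones');
GO
-- The app connects as a member of this role, never as the server admin.
CREATE ROLE ClinicianRole;
-- Column-level least privilege: no SSN, and no INSERT/UPDATE/DELETE at all.
GRANT SELECT ON phi.PatientRecord (PatientId, FullName, Diagnosis, AssignedClinician) TO ClinicianRole;
GO
-- Row-level security: the predicate returns a row only when the caller is the assigned clinician.
CREATE SCHEMA sec;
GO
CREATE FUNCTION sec.fn_PatientAccess(@AssignedClinician AS SYSNAME)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @AssignedClinician = USER_NAME()
          OR IS_MEMBER('db_owner') = 1;          -- DBAs keep full visibility for administration
GO
CREATE SECURITY POLICY sec.PatientAccessPolicy
    ADD FILTER PREDICATE sec.fn_PatientAccess(AssignedClinician) ON phi.PatientRecord
    WITH (STATE = ON);
GO
-- Contained database users; for Azure AD identities use CREATE USER [name@tenant] FROM EXTERNAL PROVIDER.
CREATE USER [dr_smith] WITHOUT LOGIN;
CREATE USER [dr_jones] WITHOUT LOGIN;
ALTER ROLE ClinicianRole ADD MEMBER [dr_smith];
ALTER ROLE ClinicianRole ADD MEMBER [dr_jones];
GO
-- Check: run as dr_smith, this returns only Sample Patient A; adding SSN to the select list
-- fails with a permission error because the column was never granted to the role.
EXECUTE AS USER = 'dr_smith';
SELECT PatientId, FullName, Diagnosis FROM phi.PatientRecord;
REVERT;
```

Any T-SQL the application sends, however it is constructed, is then bounded by the role's grants and the filter predicate, which is the kind of design-level control the paragraph above puts on the customer.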

Concluding observation:

As mentioned earlier, it is your organization's responsibility to ensure that the compliance act is in place, followed by the internal processes and programs that keep you and the particular services you use in sync with HIPAA.

Legends:
VM: virtual machine
HIPAA: Health Insurance Portability and Accountability Act
PHI: Patient Health Information
BAA: Business Associates

Assuming here that you will be using a number of services:
Azure Container - you can get it free for a month from the Microsoft site.
You will store patient information, including patients' diseases and medical records, in SQL Azure databases.
You will configure Azure AD, which will help enhance security by implementing role-based access to the directory.
Technically, you will have to go deeper in order to implement a solution that is HIPAA compliant.