Editor's note — May 1, 2013 — The press release below was updated post publication.
REDMOND, Wash. — April 25, 2013 — Microsoft Corp. today announced the release of a new, revised version of its HIPAA Business Associate Agreement (BAA) for the company’s next-generation cloud services. This enables customers in the healthcare industry to leverage cloud solutions to coordinate care, improve patient health outcomes, and maintain compliance with privacy and security regulations issued under the U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996. Addressing HIPAA is embedded in the DNA of Microsoft’s cloud solutions, and Microsoft updated its BAA to help healthcare organizations address compliance for the final omnibus HIPAA rule, which went into effect March 26. Microsoft’s updated BAA covers Office 365, Microsoft Dynamics CRM Online and Windows Azure Core Services.
“Team communication and collaboration is the lifeblood of the health industry, and more and more healthcare organizations are realizing the productivity, care team communications and cost-savings benefits of cloud computing,” said Dennis Schmuland, chief health strategy officer, U.S. Health & Life Sciences, Microsoft. “Microsoft Office 365 is the only major cloud business productivity solution to programmatically offer a BAA built with the industry, and for the industry, to HIPAA-regulated customers, allowing healthcare organizations to be confident in the security and privacy of their patient data while empowering their staff to communicate and collaborate virtually anytime and almost anywhere.”
Microsoft collaborated with some of the leading U.S. medical schools and their HIPAA privacy counsel, as well as other public- and private-sector HIPAA-covered entities, in creating a BAA for its cloud services.
The refreshed BAA aligns with new regulatory language included in the final omnibus HIPAA rule, such as the new definition of a Business Associate, which includes any entity that maintains protected health information on behalf of a HIPAA-covered entity and has access to such data, even if it does not view the data. It also covers important data protections, such as Microsoft’s reporting requirements in accordance with the HIPAA Breach Notification Rule, and Microsoft’s obligation to require its subcontractors who create, receive, maintain or transmit protected health information to agree to the same restrictions and conditions imposed on Microsoft pursuant to the applicable requirements of the HIPAA Security Rule.
“We have programmatically offered a BAA for our healthcare customers since the launch of Office 365 nearly two years ago and have subsequently included our other cloud offerings such as Microsoft Dynamics CRM Online and Windows Azure Core Services under the BAA,” said Hemant Pathak, assistant general counsel, Microsoft. “Addressing the clarifications and changes incorporated in the final omnibus HIPAA rule reaffirms Microsoft’s commitment to comply with security and privacy requirements and maintain its status as a transparent and trusted data steward for healthcare organizations leveraging the cloud.”
Office 365 is the first and only major cloud business productivity service to adopt the rigorous requirements of the federal government’s HIPAA Business Associate standards. Where the provision of services include storage of and access to electronic protected health information by a cloud provider, Microsoft’s substantial commitment to compliance helps healthcare customers placing protected health information in the cloud avoid potentially significant liability under HIPAA for failure to comply with applicable HIPAA contracting and safeguard requirements.
Microsoft offers a complete range of public, private and hybrid cloud solutions that support covered healthcare entities’ compliance needs and enables those organizations to move to the cloud at their own pace. Rather than using separate cloud vendors for productivity, collaboration, application hosting, data storage and relationship management, Microsoft’s customers can consolidate on one cloud, with one infrastructure partner with a common security and privacy framework specifically tailored to help address the compliance needs of healthcare-covered entities. To date, several dozen large HIPAA-covered entities across the healthcare, academic, commercial and government agency space have executed the BAA for Microsoft Online Services.
More information about how organizations are turning to Microsoft technology is available in the Microsoft Customer Spotlight newsroom.
Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.
Note to editors: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at http://www.microsoft.com/news. Web links, telephone numbers and titles were correct at time of publication, but may have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/news/contactpr.mspx.