News: HIPAA Privacy & Security Protections and Business Associate Agreement Now Available for Microsoft’s Windows Azure Core Services, Dynamics CRM Online and Office 365

24 July 2012 | Dr. Dennis Schmuland, Chief health strategy officer, U.S. Health and Life Sciences, Microsoft
​Today, I’m pleased to announce that Microsoft achieved an important compliance milestone for our health industry customers and partners: We’ve embedded the physical, technical and administrative safeguards required by HIPAA and HITECH laws inside Windows Azure Core Services and are offering a HIPAA Business Associate Agreement (BAA) to our EA (Enterprise Agreement/volume licensing) customers and partners in the health industry.
For health organizations with highly sensitive data in need of a health enterprise grade public, private or hybrid solution, Microsoft’s HIPAA BAA includes Windows Azure HIPAA privacy and securing protections as well as HITECH breach monitoring and notification at the platform level for the following Windows Azure Core Services:
  • Cloud Services (Web and Worker roles)
  • Storage (Tables, Blobs, Queues)
  • Virtual Machines (Infrastructure-as-a-Service)
  • Networking (Windows Azure Connect, Traffic Manager, and Virtual Network)


Earlier in 2012, Microsoft announced availability of a BAA that covers Microsoft Office 365 and Dynamics CRM Online. The extension of this BAA to cover Microsoft Azure core services adds the final piece of the Microsoft enterprise cloud puzzle. With this more comprehensive BAA now in place, Microsoft is offering something unprecedented in the health IT market – a complete range of public, private and hybrid cloud solutions that support covered healthcare entities’ compliance needs. Rather than using separate cloud vendors for productivity, collaboration, application hosting, data storage and relationship management, Microsoft’s customers can consolidate on one cloud, with one infrastructure partner with a common security and privacy framework that’s specifically tailored to meet the compliance needs of healthcare covered entities.
This means that covered entities can now compliantly leverage the Windows Azure Core Services in both a pure public cloud platform to quickly and cost effectively leverage big data technologies, augment storage needs, accelerate development and testing of new solutions, OR a hybrid cloud configuration that extends their existing on premise assets and investments through the public cloud.
Moreover, the Windows Azure public cloud/private cloud solution enables covered entities to retain their most sensitive data on site in their own datacenter, as in the case of an enterprise data warehouse, for example, and utilize the public cloud to rapidly deploy variable demand applications that take full advantage of Windows Azure Core Services. Microsoft offers a full menu of private cloud solutions, and we detailed the differences in a recent whitepaper titled, “Microsoft Private Cloud: A comparative look at Functionality, Benefits, and Economics.”
Some of the key capabilities and options in Windows Azure Core Services that covered entities can implement include:
  • Data Center Location: Covered entities can configure Windows Azure to use data centers in particular regions and deploy data and applications across multiple data centers for added redundancy.
  • Encryption-at-Rest: Covered entities may implement encryption at rest using .NET cryptographic services and for those using Virtual Machines (Infrastructure-as-a-Service), additional options are available for encryption at rest, including Encrypting File System (EFS) in Windows Server 2008 R2, as well as Transparent Data Encryption (TDE) in SQL Server 2008 R2.
  • Encryption-in-Transit: Covered Entities may configure Windows Azure to enable encryption-in-transit by configuring HTTPS endpoints, and those using Virtual Machines (Infrastructure-as-a-Service) who wish to encrypt traffic between Web client and Web server in their VM can implement Secure Sockets Layer (SSL) on Windows Server Internet Information Services (IIS) by using IIS Manager.


So now that health entities or covered entities can safely and securely deploy private, public or hybrid cloud services on their own terms, what does this mean in terms of benefits? Here is a snapshot of three immediate ways in which covered health entities can leverage cloud services to improve business processes and drastically cut operating costs with the cloud:
  • Collaboration: The cloud allows physicians, nurses and others within the healthcare arena to view and edit documents at the same time and from multiple locations. In addition, real-time analytics and streamlined business processes enable informed decisions and operational efficiencies. For example, a health network, organization or even health information exchange can host patient data in Windows Azure that can be easily accessed and analyzed around specific medical conditions or geographic locations, thus allowing physicians or researchers to discover or discuss key learnings.
  • Productivity & Efficiency: The cloud also provides power, speed and agility. Windows Azure allows health organizations to sift through and analyze data quickly. By transferring its donor matching processing to Microsoft Azure, the National Kidney Registry boosted its paired exchange matching process speeds and increased its matching capacity by 400 percent, allowing the registry to execute multiple match runs simultaneously.
  • Cost reduction: The cloud also allows for a new IT consumption model - providers and plans no longer need to run and maintain large datacenters or buy and provision new servers. This means that they can pay just for what they use, when they use it, reducing the demands of managing IT. Deploying Microsoft cloud and cloud-enabled hybrid solutions allows organizations to focus on patient care, while cost-effectively consuming IT services, whether they are end-user applications or raw computing resources.


Covered entities can now migrate and extend their datacenters into the cloud to realize immediate cost savings, privacy and security protections required under HIPAA, capitalize on the flexibility and scalability of the cloud, and enable teams to collaborate and work together across the care continuum via Microsoft’s cloud services.
Dr. Dennis Schmuland
Chief health strategy officer, U.S. Health and Life Sciences, Microsoft