Healthcare organizations must meet stringent security and compliance standards. These standards come under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA standards comprise the administrative, physical and technical safeguards for protected health information (PHI). Meeting them becomes even more important when these organizations adopt a public cloud service.
Many healthcare organizations host their applications on Azure. HIPAA sets several standards for security, privacy and compliance that apply when hosting sensitive PHI. Microsoft offers native support for meeting these data standards.
Azure provides operational and implementation guidelines for multiple services. These guidelines help the data adhere to HIPAA standards and help healthcare organizations host their workloads in the cloud with adequate security. Azure has 86 services that meet HIPAA requirements. However, the responsibility for configuring those services remains with the clients.
In this blog we will share best practices for deployment, configuration and management to ensure that your Azure deployments are HIPAA compliant.
What is HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a piece of US healthcare legislation enacted in 1996. Its purpose is to safeguard and secure patient information and its transmittal. Covered Entities (CE) and Business Associates (BA) must comply with HIPAA regulations. Healthcare providers, health insurance plans and healthcare clearinghouses fall under the category of Covered Entities. A Business Associate is a person or entity that provides third-party services and activities for covered entities that involve access to protected health information (PHI). All types of information, such as health status, provision of healthcare or payment for healthcare services, are covered. This information is created, collected or transmitted by a covered entity and can be linked with individually identifiable information. Such data is classified as PHI under US law.
The HIPAA regulations are categorized into several major standards or rules such as:
1. Privacy rule: The Privacy Rule sets national standards for protecting the medical records and PHI of patients. It defines the authorized uses and disclosures of PHI. It also gives individuals the right to access their health records and to request corrections. Individuals get to know when, how and with whom their medical records and data have been shared.
2. Security rule: The Security Rule specifies how the confidentiality, integrity, and availability of electronic medical records are protected. It outlines the safeguards that covered entities and business associates must implement.
The rule protects e-PHI from all sorts of threats and hazards. It defines three levels of safeguards: administrative safeguards, technical safeguards, and physical safeguards.
On top of that, the HIPAA rules also include the Enforcement Rule and the Breach Notification Rule. Enforcement covers compliance, investigations, hearings and penalties for HIPAA violations. The Breach Notification Rule requires Covered Entities and Business Associates to notify the affected individuals, the media and regulators when there is a breach of PHI.
Is Azure HIPAA Compliant
Healthcare organizations have migrated multiple applications to the cloud. They embrace the cloud to cut costs and to improve the quality of care, and cloud adoption has become crucial for healthcare entities. These entities still need to adhere to HIPAA regulations, which establish standards for the secure handling of PHI.
You have to ensure that your use of Azure cloud services is compliant with the regulations. Each regulation, such as HIPAA, PCI, GDPR and CCPA, has different definitions and requirements, and all of these have an impact on the way you work with Azure.
Ensuring compliance with these regulations is critical. As a reference, deviations from HIPAA regulation cost just ten companies $28.7 million in penalties in 2018. This broke the previous 2016 record for HIPAA fines by 22%. There are still more than 25000 complaints of HIPAA non-compliance. You will want to avoid both a complaint and a hefty fine.
Let us talk about how to make an app or system HIPAA compliant. Healthcare entities must make sure that they implement the right privacy and security safeguards to meet HIPAA regulations. Compliance begins with a correctly defined architecture. A robust review mechanism is needed at each stage of application development. A qualified security specialist is needed to conduct a complete security audit, and you will also need to assess the risks and vulnerabilities detected during the audit. Data must be encrypted when it is transmitted from one device to another; in general, data must be verified and encrypted both at rest and in transit. You must also harden the app environment by forcing re-authentication after inactivity and removing push notifications.
Microsoft Business Associate Agreement
A covered entity must enter into a Business Associate Agreement (BAA) with Microsoft once it plans to deploy its mHealth or any other app on Azure. However, this alone does not make the entity HIPAA compliant. HIPAA is not about cloud platforms and features; it is about how the cloud computing services are used by the application and by the user. So it is the responsibility of the covered entity to configure Azure cloud services in compliance with HIPAA regulations and security standards.
Shared Responsibility Model
A public cloud works on a shared responsibility model. Clients are expected to oversee service-related configurations, while the cloud service provider ensures a secured hosting environment. The provider also manages other areas such as availability, service resilience and physical security. Multiple tools are available in Azure to help you understand the shared responsibility model. These tools also help monitor the controls that fall under the tool's purview.
For apps hosted on the Azure platform, the security configuration depends on the hosting model. If the hosting model is IaaS, clients are responsible for securing the infrastructure, OS and applications. The client's scope in this model includes OS patching, DMZ configuration, firewall configuration, OS and application authentication, and network monitoring.
When the hosting model is PaaS, the client needs to focus on application-layer controls to ensure secure access to applications dealing with PHI.
When the hosting model is SaaS, the infrastructure and application platform are managed entirely by the cloud service provider. However, the client still needs to take care of data classification and access security.
These are a few ways in which the client can ensure the security and confidentiality of data when leveraging Azure as a platform.
HIPAA compliance may seem a tedious and never-ending activity. However, we have to understand that its purpose is to ensure the privacy and security of PHI. HIPAA helps protect the sensitive health information of patients. It takes some effort to implement and verify that your apps are HIPAA compliant in Azure, but it is worth the effort, as HIPAA compliance brings long-term benefits.