Windows Azure now offers HIPAA BAA compliance for healthcare-industry users

Summary: Microsoft is offering healthcare users and partners needing HIPAA guarantees the ability to store more information in public and/or hybrid Azure clouds.

TOPICS: Cloud, Health, Microsoft

Microsoft is now offering HIPAA BAA (Business Associate Agreement) compliance guarantees on a number of Windows Azure core services, company officials announced on July 25.


Healthcare-focused customers and partners with volume-licensing contracts can obtain a HIPAA BAA from Microsoft for Azure Cloud Services (Web and Worker roles); storage (tables, blobs and queues); virtual machines and networking (Windows Azure Connect, Traffic Manager and Virtual Network).
As Microsoft officials explained in a new Windows Azure blog post, HIPAA (the Health Insurance Portability and Accountability Act) and the HITECH Act are U.S. laws that apply to most doctors’ offices, hospitals, health insurance companies, and other companies involved in the healthcare industry that may have access to patient information (called Protected Health Information or PHI). The BAA is a standard contract clause that is mandatory whenever a contract involves the use or disclosure of PHI.

On July 24, the Azure team updated the Windows Azure Trust Center and made available a HIPAA BAA that includes Windows Azure breach monitoring and notification at the platform level, today's blog post noted.

"The existence of Windows Azure BAA means that covered healthcare entities can now leverage Windows Azure core services in a pure public cloud platform, as well as a hybrid cloud configuration that extends their existing on premises assets and investments through the public cloud," the blog post added.

Earlier in 2012, Microsoft announced the availability of a HIPAA BAA that covered Microsoft Office 365 and Dynamics CRM Online, company officials added. And in June, Microsoft announced the availability of SSAE 16/ISAE 3402 attestation for Windows Azure core services.


Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

  • This is HUGE

    Until now the only impasse myself and many other Microsoft developers in the healthcare industry have had as it pertains to utilizing the cloud has been the BAA requirements. In a hospital/healthcare setting mobile devices such as tablets have proven to dramatically increase productivity of the nursing and clinical staff. However, until now many solutions to improve clinical research gathering have revolved around the idea that the institution has to support a network which is in most cases highly inefficient. We have been using Windows Azure for non-clinical research grants for a while now and this opens the doors to tremendous growth potential.
    • hidden Caveat

      After reviewing the guidelines it is still not quite there. SQL Azure is not included in the BAA. This needs to be a full end to end solution to help developers make a quick and easy transition. Networking is supported meaning you can tunnel Azure into your domain but that is a huge security risk. Kind of a bummer as we have been waiting for this for a while.
      • Are you sure?

        It seems to be supported.

        There is a "Storage" section that covers tables and queues...

        Am I missing something?
        • No SQL Azure

          Yeah, I read that SQL Azure is not supported yet, either. I believe it was in one of Microsoft's whitepapers. I'm new to Azure concepts, but I *believe* "Storage" and "SQL Azure" are two different things. "Storage" is (at least partially) a NoSQL database.
          Josh Mouch
  • Typo and Smart Step by Microsoft!

    "On July 24,the Azure teame" should be "On July 24, the Azure team", though I understand you're on the move xD.

    Also this is a smart move by Microsoft, especially if they really want to see their ecosystem expanding and developing in all markets.
  • Great News

    We just set up our LIMS on Azure and this really validates the whole system.
    It will make it much easier to work with our customers using a HIPAA connection.
    Bob Freeman
  • at last

    Been trying to tell everyone what Microsoft was up to with the push to tablet. But no. Now that it is out. Ha ha
  • How does a small company get the BAA?

    I've done a ton of searching on how to get the HIPAA BAA, and from what I can tell (Microsoft licensing is written in some yet-undiscovered language), you need to have an "Enterprise Agreement", which I think is the same thing as "Volume Licensing". And in order to get that, you need at least 250 seats.

    I'm hoping my conclusions aren't true.

    How, *specifically*, can a *small* business get their hands on one of these HIPAA BAAs?
    Josh Mouch