Dave Mayo, VP Technology, Partners in Health
Large businesses have been embracing the cloud and Azure since 2010, but it was not on the radar of healthcare organizations until 2012/13, and only barely at that point. Concerns regarding PHI (Protected Health Information) were the talk of the town in Boston. Our mission was to partner with an organization that would meet our security and compliance needs, and Microsoft was that partner. In 2012 Microsoft was the only player willing to comply with PHI requirements and sign a BAA (Business Associate Agreement).
Partners in Health was in dire need of a technical foundation on which to build out a collaboration and document management solution. We operated in 8 countries with 1,500 employees located in some of the most remote and poorest regions of the world. We required online/offline capabilities that work over low bandwidth. Microsoft Office 365 and Azure were the only solution that could meet our demanding needs.
We required a solution that would allow us to replace our data centers with cloud services. By adopting the cloud with strict rules in place, we mitigate our risk. It is not "fire and forget", however; it is a two-way street, with ownership on both sides to ensure compliance.
HIPAA applies to healthcare providers that store and transmit PHI and to their business associates (who may store or transmit PHI on their behalf). Electronic Protected Health Information is referred to as ePHI.
From a technical point of view:
• HIPAA compliance revolves around the encryption requirements & guidelines for the storage & transmission of data containing PHI
• Data is categorized as either “data at rest” (in a database, file share, etc.) or “data in transit” (email, etc.)
• HIPAA does not make encryption of data at rest a federal legal requirement
• In the event of a "breach" (loss or interception of data containing PHI):
♦ If the data at rest or the data in transit was not encrypted, there can be severe and public reporting requirements as well as significant fines, depending on the size of the breach and the number of PHI records involved
♦ If you encrypt your data at rest and in transit, the breach notification and reporting requirements are significantly reduced
♦ Azure offers a form of contractually defined indemnification and shared responsibility with customers who are either covered entities or business associates of covered entities. These contracts are referred to as a "Business Associate Addendum" or "Business Associate Agreement" (BAA)
♦ For a covered entity or business associate that uses HIPAA-compliant services to be HIPAA compliant:
1. You must have a signed BAA on file with Azure
2. You must implement and follow the guidelines that Azure defines in its HIPAA security implementation guides for the services defined in the BAA
3. Use of HIPAA-compliant services without both of these two components does not guarantee HIPAA compliance
♦ Azure and the use of Office 365, including SharePoint Online, Exchange Online, etc., to manage patient data as defined by HIPAA will be covered under the Microsoft business associate addendum (BAA)
♦ Only the HIPAA-eligible services defined in the Microsoft BAA can be used to process, store, and transmit PHI/ePHI
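The bullets above reduce to a checklist a defender can run against an inventory: for every store that holds PHI, is the service covered by the signed BAA, is data at rest encrypted, and is data in transit forced over TLS? The following is an added example, not code from Partners in Health or Microsoft. It evaluates a constructed inventory of data stores against exactly that checklist and maps each store to the page's breach-reporting consequence (unencrypted PHI means full notification, encrypted PHI means reduced obligations). The property names `supportsHttpsTrafficOnly`, `minimumTlsVersion` and `encryption.services.blob.enabled` mirror Azure Resource Manager fields for storage accounts; the `holds_phi` and `covered_by_baa` flags and all sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass

# TLS versions considered acceptable for PHI in transit (assumption for the example).
ACCEPTABLE_TLS = {"TLS1_2", "TLS1_3"}


@dataclass(frozen=True)
class DataStore:
    """One data store in the inventory (constructed model, not an Azure SDK type)."""
    name: str
    holds_phi: bool          # does this store contain PHI/ePHI?
    covered_by_baa: bool     # is the service listed as HIPAA-eligible in the signed BAA?
    at_rest_encrypted: bool  # mirrors encryption.services.blob.enabled
    https_only: bool         # mirrors supportsHttpsTrafficOnly
    minimum_tls: str         # mirrors minimumTlsVersion


def from_arm(name: str, props: dict, holds_phi: bool, covered_by_baa: bool) -> DataStore:
    """Build a DataStore from an ARM-style properties dict (shape assumed for the example)."""
    blob = props.get("encryption", {}).get("services", {}).get("blob", {})
    return DataStore(
        name=name,
        holds_phi=holds_phi,
        covered_by_baa=covered_by_baa,
        at_rest_encrypted=bool(blob.get("enabled", False)),
        https_only=bool(props.get("supportsHttpsTrafficOnly", False)),
        minimum_tls=str(props.get("minimumTlsVersion", "TLS1_0")),
    )


def assess(store: DataStore) -> list[str]:
    """Return the findings for a store; stores without PHI produce none."""
    if not store.holds_phi:
        return []
    findings = []
    if not store.covered_by_baa:
        findings.append("service is not HIPAA-eligible under the signed BAA")
    if not store.at_rest_encrypted:
        findings.append("PHI at rest is unencrypted")
    if not store.https_only:
        findings.append("PHI in transit may travel over plain HTTP")
    elif store.minimum_tls not in ACCEPTABLE_TLS:
        findings.append(f"minimum TLS version {store.minimum_tls} is too weak")
    return findings


def breach_notification_risk(store: DataStore) -> str:
    """Apply the page's rule of thumb: unencrypted PHI (at rest or in transit)
    means full breach notification; encrypted PHI means reduced obligations."""
    if not store.holds_phi:
        return "none"
    if not store.at_rest_encrypted or not store.https_only:
        return "full"
    return "reduced"


def report(inventory: list[DataStore]) -> dict[str, tuple[list[str], str]]:
    """Map each store name to (findings, breach-notification risk)."""
    return {s.name: (assess(s), breach_notification_risk(s)) for s in inventory}


# Constructed sample inventory; names and values are illustrative only.
SAMPLE_INVENTORY = [
    from_arm("phi-archive",
             {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
              "encryption": {"services": {"blob": {"enabled": True}}}},
             holds_phi=True, covered_by_baa=True),
    from_arm("legacy-share",
             {"supportsHttpsTrafficOnly": False,
              "encryption": {"services": {"blob": {"enabled": False}}}},
             holds_phi=True, covered_by_baa=True),
    from_arm("shadow-saas",
             {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_0",
              "encryption": {"services": {"blob": {"enabled": True}}}},
             holds_phi=True, covered_by_baa=False),
    from_arm("public-web-assets",
             {"supportsHttpsTrafficOnly": False},
             holds_phi=False, covered_by_baa=False),
]

if __name__ == "__main__":
    for name, (findings, risk) in report(SAMPLE_INVENTORY).items():
        print(f"{name}: risk={risk}; findings={findings or 'none'}")
```

The two functions are deliberately separate: `assess` lists everything that needs fixing, including BAA coverage and weak TLS, while `breach_notification_risk` answers only the narrower question the page raises, whether a loss of this store's data would be a reportable breach of unencrypted PHI.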
Partnering with Microsoft and implementing the Office 365 stack with Azure has strengthened our technology footprint, allowing us to better serve the poor and sick.