Just what the doctor ordered: HIPAA compliance in the cloud

It wasn’t long ago that patient privacy concerns were a major barrier for health organizations looking to move to the cloud. That changed in December 2011, when Office 365 became the first and only major cloud business productivity service to offer customers a Business Associate Agreement (BAA) that addresses the rigorous regulations of the U.S. Health Insurance Portability and Accountability Act (HIPAA).

Today, Microsoft strengthens that commitment with an updated BAA that meets HIPAA Final Rules for our next-generation cloud services. Johns Hopkins University has been confirmed as one of our first customers to sign with Microsoft’s updated BAA, which also covers Dynamics CRM Online and Windows Azure Core Services. Read more about the update over on the Microsoft News Center.

Since our initial BAA, Office 365 has helped many hospitals, insurers and clinics improve communication, productivity and care coordination, all while lowering IT costs and maintaining HIPAA compliance.

“Compliance in particular was critical for us, and it’s a non-negotiable requirement that we demand from our technology solution providers,” said Dr. Cody Mihills of Mihills Webb Medical, a small family practice in Texas that moved to Office 365. “Tasks like coordinating schedules between employees and collaborating with peers outside the office who support patients now can be executed in an efficient, HIPAA-compliant manner.”

HIPAA in education

HIPAA requirements reach beyond the health care industry. Any education institution that stores student records that include protected health information must also adhere to HIPAA regulations. To meet this need, Microsoft collaborated with top U.S. medical schools, as well as other public- and private-sector HIPAA-covered entities, to create a BAA for our cloud services.

“A key deciding factor for TJU [Thomas Jefferson University] was that Office 365 helps enable us to be HIPAA compliant. With Google, we would never have known where our intellectual property and records were stored,” said Doug Herrick, chief information officer at Thomas Jefferson University. “Microsoft had the willingness to understand our business and be transparent about how it handles security and privacy, which meets the demands of a real enterprise.”

Deborah Pisano
Microsoft News Center Staff

Editor’s Note: This post was updated with new information on April 30.