The following post is from Dr. Dennis Schmuland, Chief Health Strategy Officer, U.S. Health and Life Sciences, Microsoft. It was originally published on Microsoft on the Issues.
On Wednesday, University of Colorado Health (UCHealth), one of the state’s largest healthcare providers, announced its migration to Microsoft Office 365, a decision that was made in large part due to Microsoft’s long-standing commitment to data security and privacy and because the company supports HIPAA requirements beyond what other vendors provide.
Such cloud adoption within the healthcare industry is gaining momentum because the economic, clinician productivity and care team collaboration advantages of the cloud are undeniable. However, as was the case for UCHealth, there’s one fundamental concern that continues to weigh heavily on the minds of providers: Is patient data safe, secure and private in the cloud?
As mandated by HIPAA, health providers and their cloud vendors have a legal obligation and a shared responsibility to protect patient data. Although HIPAA regulations were initially written before the advent of cloud computing, they have been updated recently in an attempt to keep pace with rapidly changing technology. As more health care systems move to the cloud, it remains paramount that health organizations collaborate only with vendors that place data privacy and security as a core tenet of their enterprise IT design architecture, and that address HIPAA compliance as a fundamental component of their cloud service offerings.
At Microsoft, we believe that every person or entity touching or housing protected health information (PHI) should be held to the highest privacy and security standards, and that they should have trusted technology to help keep this data secure. To that end, Microsoft is committed to meeting or exceeding health data security and privacy regulatory requirements to protect not only sensitive health data, but all customer data housed in our enterprise cloud computing environment.
Microsoft was the first major IT cloud provider to offer a comprehensive, peer-reviewed Business Associate Agreement (BAA) for all of its customers. Before launching its Office 365 service, Microsoft began the process of drafting a BAA in collaboration with a consortium of academic universities, such as the University of Iowa, Emory University and Duke University, and other healthcare customers across the country. This process helped Microsoft understand how our customers planned to deploy cloud technologies within their environments, how their clinicians and other personnel used cloud-based applications to collaborate on a daily basis, and which compliance requirements most concerned them. It also enabled us to better understand how we could map these considerations to the functionality of our cloud solution and its embedded set of world-class privacy and security features.
The resulting BAA, and its subsequent updates to reflect new product offerings and changes in the law, has been widely accepted within the industry as a best practice, and has helped Microsoft establish itself as a trusted healthcare data steward. In addition, it is this strong commitment to compliance and data stewardship that motivates customers to choose Microsoft’s suite of solutions over other vendor solutions.
Many cloud providers have recently launched their own BAAs in a reactive manner to address omnibus rule changes in HIPAA that went into effect in late 2013. The omnibus rule changes made clear that cloud vendors who maintained PHI in their data centers would now be deemed HIPAA business associates. Microsoft was several months early in updating its BAA to address these changes as our current cloud solutions were already designed from the ground up to address compliance. The recalcitrance of other cloud providers to provide a BAA until required by changes in the law was self-evident as they scrambled to launch a BAA retro-fitted for their cloud offerings shortly before the final compliance deadline.
However, offering a BAA is simply a threshold requirement for a cloud vendor to even be considered for use in the healthcare IT environment. As health organizations evaluate which cloud solutions to invest in, they should demand specificity, transparency and a demonstrated history of performance when it comes to HIPAA compliance and keeping all protected health information (PHI) secure. Key questions to consider include:
Has the cloud vendor demonstrated a long-standing track record and an unwavering commitment to serve the health care industry as a trusted data steward?
· Since its launch several years ago, Microsoft’s suite of cloud solutions has been deployed by hundreds of provider, payer, government, academic and commercial HIPAA-regulated customers. The fact that these prominent customers have chosen Microsoft as their cloud vendor is a testament to our long-term commitment to data stewardship, our privacy and compliance culture, our enterprise readiness and our ability to partner with the industry to address its toughest technology and compliance challenges.
Has the cloud vendor engineered their health cloud service from the ground up to protect health information, and does it consolidate a provider’s cloud strategy under a single BAA?
· Microsoft allows health organizations to move to the cloud at their own pace, and offers flexibility through its choice of hybrid, public or private cloud services.
· Our BAA is elastic. It covers a customer’s cloud requirements as their needs develop. This includes productivity, communication and collaboration capabilities as well as data and application hosting, data backup, archiving and disaster recovery.
Does the cloud vendor co-mingle consumer and enterprise cloud services or are they completely separate?
· Microsoft logically separates consumer and enterprise services, and makes a transparent commitment that it will not co-mingle services in its agreements. Microsoft believes that sensitive and personal health data might be at a greater risk for exposure in co-mingled cloud environments.
Does the vendor use data for advertising or other unauthorized secondary purposes?
· Microsoft is clear and transparent in its agreements that it will not use any customer data for secondary commercial purposes, such as marketing or advertising.
To learn more about how patient health data is shared in the cloud and why it’s important to keep it secure, check out this infographic. For more details about the University of Colorado Health’s migration to Office 365, the press release can be found here.
For further information regarding Microsoft’s commitments to cloud security, privacy and compliance transparency, see: http://trustoffice365.com/ and http://www.windowsazure.com/en-us/support/trust-center/.