Microsoft Updates Cloud Agreement For HIPAA Rules

Microsoft responds to new HIPAA regulations that make cloud service providers "business associates" of healthcare providers and health plans.
Cloud service providers are starting to take notice of the new HIPAA security regulations that define them as "business associates" of HIPAA-covered entities such as healthcare providers and health plans. Microsoft has just announced a revised business associate agreement (BAA) for its cloud services that reflects the new HIPAA Omnibus Rule governing data security. Last week, Box, which offers another cloud storage and information sharing platform, made a similar announcement, claiming that its compliance with the latest HIPAA regs distinguishes it from most of its competitors.

Among other things, the HIPAA Omnibus Rule, which went into effect March 26, requires covered entities to sign BAAs with business associates that commit the latter to protect personal health information (PHI) when it's under their control. The business associates must also sign BAAs with subcontractors that have access to PHI. And business associates are directly accountable to the Office of Civil Rights in the Department of Health and Human Services for security breaches.

The definition of "business associate" has also changed, noted Hemant Pathak, assistant general counsel of Microsoft, in an interview with InformationWeek Healthcare. Now it includes firms that maintain and store PHI, such as cloud storage providers, as well as those that create, receive or transmit PHI.


Microsoft's new BAA applies to Office 365, Microsoft Dynamics CRM Online and Windows Azure Core Services. Microsoft HealthVault, the company's personal health record platform for consumers, has had its own BAA since 2009. That pact has also been upgraded in accordance with the Omnibus Rule, Pathak said.

Microsoft put a BAA in place for Office 365 in 2010 and subsequently offered it for its other cloud services. It developed the agreement in conjunction with a consortium of covered entities, including health insurer WellPoint and the academic medical centers of Duke University, the University of Iowa and Thomas Jefferson University, Pathak said. That initial BAA complied with the proposed HIPAA requirements embodied in the HITECH Act of 2009.

"All those customers told us, with HITECH coming online, that a BAA was a threshold minimum requirement to consider a subscription to a cloud service such as Office 365," Pathak said.

The first customer to sign the revised BAA was Johns Hopkins University, he noted. In addition, the Texas Department of Health and Human Services and the city of Chicago have already signed the agreement, he said.

Microsoft's strategy in offering a single BAA that covers all of its cloud services (HealthVault excepted) is to make life easier for its customers, said Dennis Schmuland, Microsoft's chief health strategy officer, U.S. health & life sciences, in an interview. "We're trying to simplify things for the customers and enable them to consolidate their cloud strategy under a single governance, risk and compliance framework," he said. "That allows them to have a BAA for multiple cloud offerings, whether they're for productivity, communications, collaboration, data hosting, application hosting or CRM. One business associate agreement serves all of those."

The new BAA has been designed to fit entities of every size, from a five-physician practice to a 50,000-user organization such as Advocate Healthcare in Chicago, Pathak said. While some customers have asked Microsoft to enter their own agreements, he said, the company insists that everyone sign its BAA.

"It's not really feasible and not scalable for us to manage that subscription service out of our data centers to each individual customer's requirements," he explained. "It has to be managed and delivered in a uniform process to all our subscribers."

Some healthcare providers have not asked cloud service providers to sign BAAs in the past, but any covered entities that fail to enter these agreements run a serious compliance risk, Pathak noted. Schmuland agreed. "We'll provide the protections, regardless, and we'll help them comply. But if they choose not to sign a BAA, they're at risk," he said.

Beyond the HIPAA security requirements, he added, Microsoft is also committed to protecting the privacy of PHI, both for covered entities and consumers. The company promises not to mine the data or use it for any secondary purposes, and it guarantees that it will not commingle data from one covered entity with that of any other entity that uses its cloud services.
