HIPAA Compliant


Too often, there’s a discussion that starts with

We want our Azure workload to be HIPAA certified !!

and too often the time that is spent discussing is

HIPAA is a law. There’s no certification available. You can be ‘compliant’ to the law.

Regardless, to simplify, HIPAA BAA has the following three (3) essential requirements:

  1. Be able to audit and trace all activity related to PHI/PII
  2. Encryption of PHI/PII data while at rest
  3. Encryption of PHI/PII while in transit

And the specifics of the law that need to be applied would be the HIPAA Security Rule

HIPAA Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164, specifically

  • Subtitle A – Health and Human Services
    • Section 164.308 – Administrative Safeguards
    • Section 164.310 – Physical Safeguards
    • Section 164.312 – Technical Safeguards
      • 164.312(b)(2) – Standard: Audit Controls Section 164.314 – Organizational Safeguards
    • Audit Controls  164.312(b)(2)
      • 164.312 (b)(2) Standard: Audit Controls
        • Implement hardware, software, and/or procedural mechanisms that *record and examine activity* in information systems that contain or use electronic protected health information.Subpart C – Security Standards for the Protection of Electronic Protected Health Information

If you are looking an implementation of the same, Checkout Azure Blueprint that’s jointly built by Microsoft and Avyan Corp (parent company of Cloudneeti) for Health Data and AI available here