HIPAA, HITECH and Storing Sensitive Data in the Cloud

Moving your business to the cloud has many benefits (like the ability to access your files anywhere and simplified business continuity in the case of a disaster) - but moving your business to the cloud can have severe consequences if you're dealing with sensitive data and move to the wrong platform or don't take employee training seriously.


The passage of the HITECH act in 2009 brought about very important changes relative to breaches of healthcare patient data, including:

  • Fines for losing unsecured electronic patient healthcare information
  • Notion of shared risk for companies that provide services (aka Business Associates) to a HIPAA covered entity
  • Use of data at rest encryption as a form of safe harbor from the breach notification requirements

The good news is that Office 365 is one of the few, if not only, cloud providers that will sign a Business Associate Agreement (BAA). A BAA is an agreement that a Business Associate (BA - any organization that provides services to a HIPAA covered entity that traffic in patient information) signs to share risk of a breach of patient information relative to the BA’s services. Microsoft will sign a BAA. Google, Dropbox and many others will not.

Office 365 certifications

Microsoft Office 365 complies with industry standard regulations, and is designed to help you meet regulatory requirements for your business. Currently, it holds the following industry certifications:

  • SAS 70 / SSAE16 Assessments
  • ISO 27001 certified
  • EU Model Clauses
  • EU Safe Harbor
  • HIPAA-Business Associate Agreement
  • FISMA Authority to Operate
  • Microsoft Data Processing Agreement
  • PCI DSS Level One

Office 365 is not, however, configured by default to meet regulatory compliance. To be clear, Using O365 does not, on its own, achieve HIPAA’s and other’s requirements. Meeting those requirements takes proper configuration and client training. It's important for organizations to realize that they, not Microsoft, are responsible for how the enterprise users consume Office 365.

Compliance and information safety

The good news is that out-of-the-box Office 365 is delivered with the options to configure to meet your compliance requirements. Exchange Online Protection (EOP) and Data Loss Prevention (DLP), Auditing, Mobile Device Management (MDM), amongst others, are included in already purchased plans and will help you be compliant (Includes K1, E1, E3, E4, Bus. Essentials, and Bus. Premium).

Securing Office 365 so that you can safely store sensitive information on the platform translates to encrypting the data, applying access controls, and auditing access to the data. With these three technical security controls in place, you’ll be in good shape to prove to auditors that you’re protecting your data as required by your compliance security requirements.

Security and compliance shouldn’t be a checkbox or an afterthought. They should be built right into the services and solutions your organization uses every day. Security and compliance are fundamental to Office 365, but making sure that those controls are configured properly to meet your organization’s specific security and compliance needs are crucial.

Related Posts

HIPAA Tips for Healthcare Orgs, Don't Get Fined!
- HIPAA violations are up and organizations found to be in violation are often given a tiere...
How To Protect Patient Data with Encrypted Email
- In a recent survey by MedData Group, 272 respondents examined the top security concerns am...