by Ryan Ozawa
Does Microsoft Azure Offer HIPAA Compliant Web Hosting?
When it comes to technology, few companies are as dominant as Microsoft. But the industry giant was actually late to the cloud services game, hitting the market with what was called Windows Azure in 2010 — eight years after Amazon Web Services (AWS) and right on the heels of the launch of the Google Cloud Platform (GCP).
But being first, or being the biggest, doesn’t mean a company is the best choice. It always comes down to how well their service offerings meet the needs of a particular business.
For covered entities, the top criterion in selecting any service provider is whether its offerings are HIPAA compliant, and whether it will sign a business associate agreement (BAA). Is Microsoft Azure an option for healthcare companies?
What is Microsoft Azure?
Known best for its Windows operating system and its Microsoft Office suite of business applications, Microsoft was content to dominate the desktop computer space for decades.
A few years into the 21st century, however, companies large and small were moving away from running their own hardware and toward hosting systems in the cloud.
Ecommerce giant Amazon had built a brisk side business offering Amazon Web Services, “a way of obtaining large scale computing capacity more quickly and cheaply than building an actual physical server farm.”
Search giant Google sensed the market opportunity, launching Google App Engine and Google Cloud in 2008. Microsoft finally joined the fray with Windows Azure in 2010, renaming it to Microsoft Azure four years later.
Today, Microsoft Azure has leapfrogged Google into second place, capturing 20 percent of the cloud computing space. But Amazon is still dominant, with a 32 percent market share.
Can you host websites with Microsoft Azure?
“Cloud computing” covers a very wide range of products and services, and can include a dizzying mix of hardware, operating systems, network configurations and assorted infrastructure. Fortunately, those options usually include hosting websites.
Just as you can use Google Cloud Web Hosting or AWS Web Hosting, Microsoft Azure also offers web hosting plans. And if you happen to use other Microsoft products and services (like Microsoft 365, Microsoft Exchange, or Microsoft Forms), there may be advantages to using it to host your website.
Is Microsoft Azure HIPAA compliant?
Fortunately, Microsoft’s dominant position across most industries means that the company has extensive experience serving healthcare organizations, and it provides detailed documentation related to compliance.
“Currently there is no official certification for HIPAA or HITECH Act compliance,” Microsoft explains. “However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.”
Even better, Microsoft has released an Azure Blueprint, an automated tool to help ensure HIPAA compliance. And there are healthcare case studies to illustrate why “industry leaders trust Azure to help them create the future of healthcare.”
Does Microsoft Azure offer HIPAA compliant web hosting?
We’ve previously covered making Microsoft Azure HIPAA compliant, including Microsoft’s offer to sign a BAA. The company also lists its HIPAA compliant services, including a guide to Microsoft Cloud for Healthcare.
Unfortunately, Microsoft doesn’t explicitly call out web hosting in its HIPAA documentation.
The Microsoft HIPAA HITRUST Blueprint provides a detailed guide to putting “governance guard-rails” in place, and “helps customers deploy a core set of policies for any Azure-deployed architecture that must implement HIPAA HITRUST 9.2 controls.” But it’s clear that beyond the signed BAA, all of the work required to ensure compliance must be performed, tested, and maintained by the customer.
Microsoft provides many resources related to HIPAA compliance for its Microsoft Azure cloud platform, which includes dozens of specific products and services for various industries. It will also sign a BAA, which is required of any vendor working with a covered entity.
However, using Microsoft Azure to host a website is a complex endeavor, and Microsoft leaves the configuration, implementation, and maintenance up to the customer. While it’s fair to say Microsoft Azure can support HIPAA compliant websites, they are not compliant out of the box.