Microsoft embeds HIPAA compliance into Office 365
Seeking to allay providers' privacy concerns and spur communication, Microsoft this week announced that its cloud productivity service, Microsoft Office 365, will comport with information security standards for customers in the U.S. and Europe.
As part of its contractual commitment to customers, officials say, Microsoft will now sign the EU’s model clauses, which will help customers certify compliance with the European Commission’s stringent Data Protection Directive, and will comply with the Health Insurance Portability and Accountability Act (HIPAA) in the U.S.
Officials say that with the new capabilities for Office 365 – which includes Exchange, SharePoint, Lync and Office – health organizations can more confidently implement technologies for communication tools such as IM, paging, video conferencing and document sharing, accessing information from any secure device.
"The economic advantages of cloud-based productivity solutions to drive down operational costs and complexity are well understood, but for most health organizations, HIPAA security and privacy concerns have been a show-stopping barrier to realizing the full anywhere, anytime productivity potential of cloud-based technologies," wrote Dennis Schmuland, MD, Microsoft's chief health strategy officer for U.S. health & life sciences, in a blog post.
"[C]ommunication and collaboration is the lifeblood of the health industry and Office 365 makes it easier for people and teams to be efficient and productive anytime and anywhere," he added. "By embedding HIPAA privacy and security capabilities in Office 365, Microsoft is enabling health organizations to confidently empower their staff to communicate and collaborate anytime, anywhere and substantially lower their IT operating costs."
In February 2010, the EU released the model clauses to legitimize the transfer of personal data via international networks to locations outside the European Economic Area (EEA). When included in service agreements with data processors, the clauses assure customers that appropriate steps have been taken to help safeguard personal data, even if data is stored in a cloud-based service center located outside the EEA. European regulators have the option of requesting that customers halt the use of a service that hasn’t taken appropriate steps to safeguard personal data until they have evaluated the service and deemed it compliant with EU data protection and security standards.
Along with furnishing the model clause provisions, officials say, Microsoft has gone a step further to include a data-processing agreement for EU customers. Some of the 27 member states have more exacting requirements than those of the EU-wide Data Protection Directive. To streamline the use of cloud-based services for customers operating under additional compliance requirements, Microsoft has included with the model clause provisions a robust data-processing agreement that was developed in view of the specifics of member-state regulations.
“Developing cloud-based productivity tools that meet the needs of European businesses means more than simply building apps in a browser,” said Jean-Philippe Courtois, president, Microsoft International. “Microsoft has a more complete approach to European data protection and security laws than any other company, and we’re proud of the work we’ve done to ensure the widest range of organizations can move to the cloud with confidence — or choose an equally functional on-premises option.”
As the first major cloud-based productivity service to obtain certification under ISO/IEC 27001, a rigorous information security management benchmark, Microsoft submits to a yearly audit of its information security policy by an independent expert and shares the results with its customers, officials say. Additionally, the firm has developed its online services to provide physical, administrative and technical safeguards that facilitate full compliance with HIPAA requirements.