Prior to HIMSS 2011, I blogged about the 3 reasons for using a Managed Private Cloud for Interoperability. In that blog, I noted that in healthcare circles, cloud computing conjures up fears about protecting private healthcare information and about security compliance. In the last few weeks, Microsoft has introduced support for HIPAA compliance in its cloud platform, Windows Azure. Microsoft will work with healthcare customers on their own specific requirements, has put in place a compliance framework to meet HIPAA guidelines, and now offers a Business Associate Agreement (BAA) covering the storage of healthcare data in the cloud. Microsoft is committed to providing Windows Azure customers with detailed information about its security compliance programs so that customers can make their own regulatory assessments, and in doing so it has opened the door to building a new class of healthcare applications in the Azure cloud.
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered entity to use a cloud service like Windows Azure, the service provider must agree in writing to adhere to the security and privacy provisions set forth in HIPAA and the HITECH Act; that written agreement is the BAA. To help customers comply with HIPAA and the HITECH Act, Microsoft now offers Enterprise Agreement (volume licensing) customers a BAA as a contract addendum.
Microsoft Windows Azure offers the HIPAA BAA for the following core services only:
* Cloud Services (Web and Worker roles)
* Storage (Tables, Blobs, Queues)
* Virtual Machines (Infrastructure-as-a-Service)
* Networking (Windows Azure Connect, Traffic Manager, and Virtual Network)
The specifics are at: http://www.windowsazure.com/en-us/support/trust-center/compliance/
As I noted in the earlier blog, the business case for cloud computing in healthcare includes cost reduction, the ability to scale, and better utilization of IT resources. One example of a cost saving with Windows Azure is the ability to set up development and test environments for applications built on Microsoft SQL Server. If your organization wants to test drive or prototype, this cloud is a good choice and can be implemented rapidly, with no wait for new hardware or software. Two caveats a practitioner should keep in mind: the BAA covers only the four services listed above, so PHI should stay within them (for example, SQL Server running on a Virtual Machine rather than a service outside the list), and the BAA does not make an application compliant by itself; access control, encryption of PHI, logging and the rest of the configuration inside those services remain the customer's responsibility.
The strongest application for a HIPAA-compliant Azure cloud is system integration and interoperability. If your organization needs a clinical data repository shared across multiple care settings, including hospitals, physician practices and skilled nursing facilities, Microsoft Azure is a good choice for a low-cost place to store and share information in support of a Health Information Exchange (HIE). A simple SQL Server application that manages patients across multiple care settings for patient safety is also enabled by this environment. Another good use is creating an enterprise view of regulatory reporting information by facility, enabling shared business intelligence and analysis. The connections from the Windows Azure cloud to the various units of the organization can be kept private using the covered networking services (Windows Azure Connect and Virtual Network) while remaining highly available, and the burden of infrastructure provisioning and day-to-day management of the environments would not fall on the largest hospital or organizational unit.
In summary, Microsoft should be congratulated for stepping up to the HIPAA compliance issue with Windows Azure, and this should encourage other cloud vendors to consider what that means if they want healthcare customers. A highly secure cloud platform is a timely idea for healthcare: with a BAA in place and the covered services configured correctly, it can address the security, compliance and other cloud concerns while delivering cost reductions, the ability to scale, and better utilization of IT resources. Interoperability projects, especially HIEs, have a great affinity for the cloud computing model both technically and from a risk/reward perspective. In the drive to Accountable Care Organizations, a strong interoperability backbone will be a key to success.