Compliance in Microsoft Cloud for Healthcare

Microsoft Azure, Microsoft Dynamics 365, Microsoft 365, Microsoft Power Platform, and Microsoft Fabric services and their underlying infrastructure employ a security framework. This framework encompasses industry best practices and spans multiple standards, including the ISO 27000 family of standards, NIST 800, and others. As part of our comprehensive compliance offering, Microsoft regularly undergoes independent audits performed by qualified third-party accredited assessors.

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. The CSF builds on HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act). It incorporates healthcare-specific security, privacy, and other regulatory requirements from existing frameworks such as the PCI (Payment Card Industry) DSS (Data Security Standard), ISO 27001, EU privacy laws and regulations, NIST, and MARS-E. HITRUST provides a benchmark - A standardized compliance framework, assessment, and certification process against which cloud service providers and covered health entities can measure compliance.

Microsoft is one of the first hyperscale cloud service providers to receive certification for the HITRUST CSF. HIPAA Business Associate Agreement (BAA) clarifies and limits how the business associate (Microsoft) can handle protected health information (PHI). It outlines more terms for each party related to the security and privacy provisions outlined in HIPAA and the HITECH Act. The BAA is automatically included as part of the Online Services Terms and applies to customers who are covered entities or business associates and are storing PHI.

The qualifying license terms for Microsoft 365/Office 365, Dynamics 365, Microsoft Power Platform, and Azure are found in the Online Service Terms and the Microsoft Privacy Statement.

Microsoft Cloud for Healthcare and Online Services (such as Office 365, Dynamics 365, Power Platform, Azure, and Microsoft Fabric) (together, "Microsoft Cloud for Healthcare"):

aren't intended or made available as medical devices.
aren't designed or intended to be used in the diagnosis, cure, mitigation, monitoring, treatment or prevention of a disease, condition or illness. No license or right is granted by Microsoft to use the online services for such purposes.
aren't designed or intended to be a substitute for professional medical advice, diagnosis, treatment, or judgment and shouldn't be used to replace or as a substitute for professional medical advice, diagnosis, treatment, or judgment. Customer shouldn't use Microsoft Cloud for Healthcare as a medical device. To the extent customer makes Microsoft Cloud for Healthcare available as a medical device, or puts it into service for such a use, customer is solely responsible for such use and acknowledges that it would be the legal manufacturer in respect of any such use. Customer is solely responsible for displaying and/or obtaining appropriate consents, warnings, disclaimers, and acknowledgments to end users of customer’s implementation of Microsoft Cloud for Healthcare. Customer is solely responsible for any use of Microsoft Cloud for Healthcare to collate, store, transmit, process, or present any data or information from any third-party products (including medical devices).

You can learn more about Microsoft’s commitments to data protection and privacy by visiting our Trust Center.

In-scope regulations for Microsoft services

Service	HITRUST	EU privacy laws and regulations	SOC 1	SOC 2	ISO 27017	ISO 27001
Azure Data Lake Storage Gen2	Yes	Yes	Yes	Yes	Yes	Yes
Azure AI Health Bot	Yes	Yes	Yes	Yes	Yes	Yes
Azure Health Data Services	Yes	Yes	Yes	Yes	Yes	Yes
Azure Healthcare APIs	Yes	Yes	Yes	Yes	Yes	Yes
Azure IoT Hub	Yes	Yes	Yes	Yes	Yes	Yes
Azure Synapse Analytics	Yes	Yes	Yes	Yes	Yes	Yes
Chat Add in for Dynamics 365 Customer Service (Omnichannel for Customer Service)	Yes	Yes	Yes	Yes	Yes	Yes
Customer Service Insights Add in for Microsoft Dynamics 365 Customer Service	Yes	Yes	Yes	Yes	Yes	Yes
Dataverse	Yes	Yes	Yes	Yes	Yes	Yes
Dynamics 365 Customer Insights - Data	Yes	Yes	Yes	Yes	Yes	Yes
Dynamics 365 Customer Insights - Journeys	Yes	Yes	Yes	Yes	Yes	Yes
Dynamics 365 Customer Service	Yes	Yes	Yes	Yes	Yes	Yes
Dynamics 365 Customer Voice	Yes	Yes	Yes	Yes	Yes	Yes
Dynamics 365 Field Service	Yes	Yes	Yes	Yes	Yes	Yes
Dynamics 365 Sales	Yes	Yes	Yes	Yes	Yes	Yes
Microsoft Purview	Yes	Yes	Yes	Yes	Yes	Yes
Microsoft Teams	Yes	Yes	Yes	Yes	Yes	Yes
Power Apps	Yes	Yes	Yes	Yes	Yes	Yes
Power Automate	Yes	Yes	Yes	Yes	Yes	Yes
Power BI	Yes	Yes	Yes	Yes	Yes	Yes

Healthcare data solutions in Microsoft Fabric (preview)

To review the compliance information for healthcare data solutions in Microsoft Fabric (preview), go to the Compliance section in healthcare data solutions (preview).

Healthcare data explorer in Microsoft Fabric (preview)

Related information

Service Trust Platform: Healthcare & Life Sciences
Microsoft Privacy: Where data is stored and located
Microsoft Fabric security fundamentals