Top U.S. Universities trust Office 365 to place sensitive HIPAA data in the cloud

Can you keep a secret?

How about your cloud services provider?

These are a couple of simple questions. However, it takes thoughtful planning and the customer’s perspective to deliver enterprise-class, trustworthy solutions for the cloud. In education, protecting privacy cannot be an afterthought. Schools and universities do not want to trade the economy of the cloud for the privacy of their students and employees.

Privacy is a top-of-mind concern for our customers in the education segment. This is especially true when selecting a cloud services provider for student, faculty, and sometimes patient data. We have made a number of important business and engineering decisions that reflect our commitment that Office 365 will enable privacy by design for our education customers. Academic leaders can have confidence that moving to the cloud with Microsoft complies with current legislation and regulations to protect the privacy and security of sensitive data.

Today, we are proud to announce that Duke University, Emory University, Thomas Jefferson University, the University of Iowa and the University of Washington, along with all of their associated medical schools, are moving more than 188,000 faculty, staff and students to Microsoft’s cloud. They have signed on to Office 365 for education for many reasons, including the fact that Microsoft continues to be the first and only major cloud service to address the rigors of the federal government’s HIPAA requirements and offer a business associates agreement (BAA) for cloud business productivity and collaboration applications.

Office 365 was built from the ground up with not only HIPAA compliance in mind, but also the most robust and comprehensive set of compliance accountabilities, certifications and standards options of any major cloud-based productivity service. For example, in addition to HIPAA, Microsoft addresses Family Educational Rights and Privacy Act (FERPA) requirements within its Office 365 contractual documents. Microsoft chooses security and privacy by design in all of our products and services because we are in the business of providing solutions to help schools and enterprises run more efficiently, and assisting them with their regulatory compliance requirements. Office 365 does not scan customer email or documents for building analytics, data mining, or advertising because we respect their privacy and understand applicable regulatory requirements. Quite simply, we are not in the business of using enterprise, school or student data to create an audience for advertisers. We engineer our services to deliver this commitment and we stand behind it contractually, as our work behind the HIPAA BAA demonstrates.

It was a university group led by Duke, Iowa and the University of Chicago, along with input from Thomas Jefferson, that collaborated with Microsoft to draft the BAA and set the bar not just for the academic community but for HIPAA covered entities in both the public and private sector throughout the United States. The BAA benefits not only other higher education institutions; it is completely scalable whether you are a 4,000-bed hospital, a 4-million-member health insurance plan, or anything in between in the academic, commercial or public sector healthcare space. In fact, we protect all customer data, not just protected health information, with the same stringent security and privacy protocols.

One specific area worth noting in our work with the university group was related to the time period for notification in the event of a breach of their protected health information. We collaborated with the universities to drive a business resolution that exceeded the statutory notification requirements, based on expectations from a business associate that were actually greater than the statutory minimum.

Cloud services offer significant benefits to customers but also carry significant legal and compliance obligations. When schools are handling sensitive student data, they need contractual reassurances in order to trust a technology vendor to move and manage their information in the cloud. We are honored and deeply value the opportunity to partner and collaborate with these top universities, to listen and share their ideas and suggestions to find a solution to address their business needs, assist with their regulatory requirements, and respect the privacy and security of their students, faculty, employees, and patient data.

Comments (2)

  1. Anthony says:

    About time! Good read.


  2. Father1234 says:

    Can the Security breaches (published in Microsoft bulletins) adversely affect HIPAA protected medical records in HealthVault and EHR companies like Allscripts etc. (Microsoft “Partners”)?
