April 24th, 2025

Microsoft 365 Certification control spotlight: HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that applies to US health care organizations and the business partners that handle health data on their behalf, including organizations outside the US that handle US health data. The law directs the Secretary of the U.S. Department of Health and Human Services (HHS) to issue regulations protecting the privacy and security of certain health information. 

Organizations that handle electronic protected health information (ePHI) must comply with HIPAA. ePHI is any individually identifiable health information that is transmitted or stored electronically. Two of HIPAA's key rules are: 

  • Privacy Rule: Establishes national standards for protecting certain health information. 
  • Security Rule: Sets security standards for protecting electronic protected health information (ePHI). 

The Security Rule implements the protections of the Privacy Rule by setting out the administrative, physical and technical safeguards that "covered entities" must apply to ePHI. This summary highlights the HIPAA elements that matter for certification and for protecting the health information an application processes. 

Microsoft 365 Certification verifies that an ISV has documented procedures for handling health information, for responding to emergencies and service disruptions, and for governing workforce access to health information and the training that accompanies it. Organizations must maintain and document these administrative safeguards as part of their HIPAA security program; doing so is a necessary part of complying with HIPAA. 

Certification assesses the application against the Security Rule, using the definitions of confidentiality, integrity and availability that apply to covered entities under § 164.304: 

  • Confidentiality: “the property that data or information is not made available or disclosed to unauthorized persons or processes.” 
  • Integrity: “the property that data or information have not been altered or destroyed in an unauthorized manner.” 
  • Availability: “the property that data or information is accessible and useable upon demand by an authorized person.” 

ISVs must implement technical safeguards, such as access controls, audit controls, integrity controls and transmission security, within their IT infrastructure so that ePHI stays confidential while remaining intact and available to authorized users. 

Certification auditors review the configuration of the protection mechanisms in use to confirm that ePHI is secured in line with the control requirement. Such mechanisms can include access controls, emergency access procedures, role-based access control (RBAC) and encryption. 

The Privacy Rule defines protected health information (PHI) and prohibits its improper use and disclosure. Organizations must restrict ePHI access to authorized personnel only and comply with the minimum necessary standard, using or disclosing only the least amount of ePHI required for the purpose at hand. 

To achieve certification, ISVs must demonstrate that their application protects against reasonably anticipated uses or disclosures of information that the Privacy Rule does not permit. They must also ensure that their workforce complies with the Security Rule, including training staff to handle ePHI securely and appropriately. Data backup and disaster recovery plans should be established in accordance with the HIPAA requirements in § 164.308. 

Next steps 

To learn how Microsoft 365 Certification validates that your application supports HIPAA regulations, visit the Microsoft 365 Certification control evidence requirements. 

To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance. 
