{"id":24081,"date":"2025-04-24T07:55:14","date_gmt":"2025-04-24T14:55:14","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/?p=24081"},"modified":"2025-04-22T08:12:50","modified_gmt":"2025-04-22T15:12:50","slug":"microsoft-365-certification-control-spotlight-hipaa","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/microsoft-365-certification-control-spotlight-hipaa\/","title":{"rendered":"Microsoft 365 Certification control spotlight: HIPAA"},"content":{"rendered":"<p><span data-contrast=\"auto\">The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law for American citizens and healthcare organizations, including those outside the US that handle US health data. This law requires the Secretary of the U.S. Department of Health and Human Services (HHS) to create regulations protecting the privacy and security of certain health information.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Organizations handling potentially protected health information (ePHI) must comply with HIPAA. ePHI includes any electronically transmitted or stored individually identifiable health information. 
HIPAA consists of two key rules:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Privacy Rule: Establishes national standards for protecting certain health information.<\/span><span data-ccp-props=\"{&quot;335559685&quot;:600}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Security Rule: Sets security standards for protecting electronic protected health information (ePHI).<\/span><span data-ccp-props=\"{&quot;335559685&quot;:600}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">The\u00a0security\u00a0rule implements the protections of the\u00a0privacy\u00a0rule by outlining technical and non-technical measures that \u201ccovered entities\u201d must take to safeguard ePHI. 
This summary highlights essential HIPAA elements to ensure compliance and protect processed health information.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Microsoft 365 Certification verifies that ISVs have established protocols for managing health information, dealing with emergencies and service disruptions, and staff access to health information and training. Organizations are required to maintain and outline these administrative safeguards as part of their HIPAA security program. This is a necessary aspect of complying with HIPAA regulations.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Certification\u00a0ensures\u00a0compliance with the\u00a0security\u00a0rule,\u00a0including\u00a0\u201ccovered entities\u201d\u00a0under\u00a0the terms for confidentiality, integrity and availability\u00a0as\u00a0defined under \u00a7 164.304:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"8\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;multilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Confidentiality: \u201cthe property that data or information is not made available or disclosed to unauthorized persons or processes.\u201d<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"8\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;multilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Integrity: \u201cthe property that data or information have not been altered or destroyed in an unauthorized manner.\u201d<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"8\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;multilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">Availability: \u201cthe property that data or information is accessible and useable upon demand by an authorized person.\u201d<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">ISVs must\u00a0implement technical safeguards such as access, audit, integrity, and transmission controls within the IT infrastructure to ensure ePHI confidentiality while maintaining its integrity and availability to authorized users.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Certification auditors will review\u00a0configuration settings of the protection mechanisms used to ensure that ePHI data is secured in line with the control requirement. 
Such mechanisms can include access controls, emergency access procedures, RBAC, encryption, etc.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The Privacy Rule defines Protected Health Information (PHI) and prohibits its improper use and disclosure. Organizations must restrict e-PHI access to authorized personnel only and comply with the minimum necessary rule, using or disclosing only the least amount of e-PHI required for their purpose.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">To achieve certification, ISVs must demonstrate that their application protects against reasonably anticipated uses or disclosures of information not permitted by the privacy rule. Additionally, they must ensure their workforce complies with the security rule.\u00a0This includes providing\u00a0training to staff on how to handle e-PHI securely and appropriately.\u00a0Data backup and disaster recovery plans should be established in accordance with HIPAA requirements specified under 164.308.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Next steps<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">To learn how Microsoft 365 Certification validates that your application supports\u00a0HIPAA regulations, visit the Microsoft 365 Certification control\u00a0<\/span><a href=\"https:\/\/learn.microsoft.com\/microsoft-365-app-certification\/docs\/seg2_data#hipaa-health-insurance-portability-and-accountability-act\"><span data-contrast=\"none\">evidence requirements<\/span><\/a><span data-contrast=\"auto\">.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">To start certification, go to the Microsoft Partner Center\u00a0<\/span><a href=\"https:\/\/partner.microsoft.com\/dashboard\/\"><span 
data-contrast=\"none\">dashboard<\/span><\/a><span data-contrast=\"auto\">, select an app from\u00a0<\/span><b><span data-contrast=\"auto\">Marketplace\u00a0offers<\/span><\/b><span data-contrast=\"auto\">\u00a0overview, and select\u00a0<\/span><b><span data-contrast=\"auto\">App Compliance<\/span><\/b><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how Microsoft 365 Certification verifies that ISVs have established protocols for managing health information, dealing with emergencies and service disruptions, and complying with key HIPAA regulations.<\/p>\n","protected":false},"author":139790,"featured_media":24083,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[297,30],"class_list":["post-24081","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-365-developer","tag-microsoft-365-app-certification","tag-microsoft-365-certification"],"acf":[],"blog_post_summary":"<p>Learn how Microsoft 365 Certification verifies that ISVs have established protocols for managing health information, dealing with emergencies and service disruptions, and complying with key HIPAA 
regulations.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/24081","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/139790"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=24081"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/24081\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/24083"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=24081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=24081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=24081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}