If you use Microsoft 365 services (like Azure AD, Exchange Online, Teams, etc.) and you are using them to store or process health information, do you need to do anything to enter into a BAA with Microsoft?

We are not a healthcare org, but we are starting to partner with them and will need to be HIPAA compliant and have a BAA in place with our third-party vendors.

In doing a little research, I think (but am not sure) that a HIPAA BAA is triggered just by using a service that is covered by Microsoft's "Products and Services Data Protection Addendum", which is part of the terms of service you agree to when you subscribe to a service like Exchange Online, for example. Then, if you store protected health information in a service covered by this addendum, Microsoft's BAA is automatically entered into.

So, there isn't anything you actually need to sign or request. Is this an accurate understanding of how it works?

Could anyone who works with healthcare data and M365 share some info?

Thanks!

Posted by beta (https://community.spiceworks.com/u/beta) on 2024-06-02. 2 upvotes, 2 answers.
Thread: https://community.spiceworks.com/t/microsoft-365-and-hipaa-baa-do-you-need-to-do-anything/1081922/1

Answer:
You are on the right track.