With more than 15 years of expertise in securing Microsoft cloud solutions, the Project Hosts security team understands the exact control responses, technical implementations, and evidence that are required to demonstrate full SaaS compliance with the HIPAA and HITRUST standards for a healthcare environment built on Microsoft Azure.
Neither HIPAA nor its amendment (HITECH) has an official compliance certification issued by its governing body. Most organizations demonstrate HIPAA compliance by including HIPAA policies and evidence in annual third-party assessments of a related standard that does have an official certification. For example, Microsoft Azure includes HIPAA policies in its annual ISO 27001 audit, and AWS includes HIPAA policies in its annual FedRAMP (NIST 800-53) assessment. For the latter, NIST 800-66 provides guidance on mapping HIPAA controls to NIST 800-53 controls.
HITRUST is an emerging standard, not only in the healthcare industry but in the commercial space as a whole. HITRUST incorporates HIPAA requirements and the NIST framework in a more prescriptive manner. Like ISO 27001 and FedRAMP, HITRUST certifies third-party auditors who can then grant an official certification of compliance to an organization. In addition to third-party certifications, both HIPAA and HITRUST have self-assessments that can be used to verify compliance with those standards.
SaaS-Level Azure Security Compliance Standards – HITRUST by Domain