"Is a hybrid cloud approach (keeping PHI on-prem while using Microsoft 365 for apps) a recommended and HIPAA-compliant strategy for hospitals moving toward EMRs?"

Question

We are a hospital and school organization that currently operates an on-premises infrastructure, including Exchange servers and all internal applications. Our CEO is interested in moving to the cloud, particularly Microsoft 365 for apps, and potentially shifting toward Electronic Medical Records (EMRs) in the future.

Our IT team is debating whether to adopt a hybrid cloud approach or remain fully on-prem. Some colleagues believe cloud and hybrid infrastructures are unsafe, while I believe hybrid is the best approach for scalability, security, and future compliance needs.

Since we must remain HIPAA-compliant, our biggest concerns are:

• Ensuring secure and compliant storage for Protected Health Information (PHI)
• How to safely integrate Microsoft 365 while keeping critical data on-prem
• Best practices for hybrid cloud security in a hospital environment
• Whether cloud-based EMRs (e.g., Epic on Azure) are secure and HIPAA-compliant

Key Questions:

1. Is hybrid cloud (Microsoft 365 for apps + on-prem PHI storage) a HIPAA-compliant and recommended strategy for hospitals transitioning to EMRs?
2. How do modern hospitals balance cloud adoption while keeping sensitive data on-prem?
3. What security best practices should we follow when moving hospital IT infrastructure to Microsoft 365 in a hybrid model?

Would love insights from healthcare IT professionals and organizations with similar setups. Any recommendations or best practices would be greatly appreciated!We are a hospital and school organization that currently operates an on-premises infrastructure, including Exchange servers and all internal applications. Our CEO is interested in moving to the cloud, particularly Microsoft 365 for apps, and potentially shifting toward Electronic Medical Records (EMRs) in the future.

Our IT team is debating whether to adopt a hybrid cloud approach or remain fully on-prem. Some colleagues believe cloud and hybrid infrastructures are unsafe, while I believe hybrid is the best approach for scalability, security, and future compliance needs.

Since we must remain HIPAA-compliant, our biggest concerns are:

• Ensuring secure and compliant storage for Protected Health Information (PHI)
• How to safely integrate Microsoft 365 while keeping critical data on-prem
• Best practices for hybrid cloud security in a hospital environment
• Whether cloud-based EMRs (e.g., Epic on Azure) are secure and HIPAA-compliant

Key Questions:

1. Is hybrid cloud (Microsoft 365 for apps + on-prem PHI storage) a HIPAA-compliant and recommended strategy for hospitals transitioning to EMRs?
2. How do modern hospitals balance cloud adoption while keeping sensitive data on-prem?
3. What security best practices should we follow when moving hospital IT infrastructure to Microsoft 365 in a hybrid model?

Would love insights from healthcare IT professionals and organizations with similar setups. Any recommendations or best practices would be greatly appreciated!

Answer 1

Hello, @Lashon Cortez,

Welcome to the Microsoft Q&A platform!

Moving to a hybrid cloud environment is a feasible and often recommended strategy for modern hospitals. Here are my insights to your questions from Exchange aspect.

1.Is hybrid cloud (Microsoft 365 for apps + on-prem PHI storage) a HIPAA-compliant and recommended strategy for hospitals transitioning to EMRs?

Yes, a hybrid cloud approach can be HIPAA-compliant and is often recommended for hospitals. This strategy allows you to leverage the scalability and flexibility of cloud services like Microsoft 365 while keeping sensitive PHI on-premises. This setup can help you meet HIPAA requirements by ensuring that PHI is stored securely, and access is controlled.

2.How do modern hospitals balance cloud adoption while keeping sensitive data on-prem?

a. Classify data based on sensitivity. Non-critical data can be moved to the cloud, while Protected Health Information (PHI) remains on-premises.

b. Implement robust access controls and identity management solutions, such as Azure Active Directory, to ensure only authorized personnel can access sensitive information.

c. Utilize tools like Azure Arc, which allow you to manage your on-premises and cloud environments seamlessly.

d. Regularly audit your systems to ensure compliance with HIPAA and other relevant regulations.

3.What security best practices should we follow when moving hospital IT infrastructure to Microsoft 365 in a hybrid model?

a. Ensure data is encrypted both in transit and at rest. Microsoft 365 offers built-in encryption, and additional layers can be applied as needed.

b. Implement MFA to add an extra layer of security for user access.

c. Utilize DLP policies to protect sensitive information from being accidentally shared or leaked.

d. Keep all systems, both on-premises and in the cloud, updated with the latest security patches.

e. Implement robust backup and disaster recovery plans to ensure data integrity and availability.

f. Utilize Microsoft’s compliance tools, such as Microsoft Purview, to manage and monitor data compliance.

4.Are cloud-based EMRs (e.g., Epic on Azure) secure and HIPAA-compliant?

Yes, many cloud-based EMR solutions, including Epic on Azure, are designed to be HIPAA-compliant. These platforms offer robust security features, including encryption, access controls, and regular compliance audits. However, it's crucial to work closely with your cloud provider to ensure that all configurations meet HIPAA requirements.

5.Suggestions and best practices

a. Work with a healthcare IT professional who has experience with hybrid cloud implementations.

b. Perform a comprehensive risk assessment to identify potential vulnerabilities and compliance gaps in your current setup and planned cloud transition.

c. Provide staff training on best practices for data security and compliance in hybrid environments.

d. Start with a pilot project to test the hybrid model and resolve any issues before full rollout.

e. Select a cloud vendor with a proven track record of healthcare and HIPAA compliance.

f. Perform a comprehensive risk assessment to identify potential vulnerabilities and compliance gaps in the current setup and planned cloud transition.

By following these best practices and leveraging the capabilities of Microsoft 365 and Azure, you can achieve a secure, scalable, and HIPAA-compliant hybrid cloud environment for your hospital.

Should you need more help on this, you can feel free to post back. 

---

If the answer is helpful, please click on “Accept answer” as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

Thank you for your support and understanding.

Best Wishes,

Alex Zhang

Answer 2

Hi Alex,

Thank you for your detailed response! Your insights were extremely helpful in understanding best practices for hospitals moving to a hybrid cloud environment while staying HIPAA-compliant.

I appreciate the recommendations on data classification, encryption, MFA, DLP, and risk assessments. We will explore Azure Arc and Microsoft Purview to manage our hybrid environment effectively.

Follow-Up Questions:

1. Hybrid Exchange & Outlook 365 – If we keep Exchange mailboxes on-prem but use Microsoft 365 apps, can we still access Outlook fully via Microsoft 365? Any potential limitations?
2. Hybrid Identity Management – We currently use on-prem AD. Would you recommend full AAD integration or just selective synchronization for a hybrid model?
3. HIPAA & Vendor Security Audits – When using Epic on Azure or other cloud-based EMRs, do hospitals usually conduct third-party security audits, or does Microsoft handle all compliance monitoring?
4. Risk Assessments & Compliance – Is there a specific Microsoft tool you’d recommend for running HIPAA risk assessments on a hybrid cloud setup?

Thanks again for your support!

Best, Lashon Cortez