Other safeguard guidance
Microsoft Entra ID meets identity-related practice requirements for implementing Health Insurance Portability and Accountability Act of 1996 (HIPAA) safeguards. To be HIPAA compliant, it's the responsibility of companies to implement the safeguards using this guidance along with any other configurations or processes needed. This article contains guidance for achieving HIPAA compliance for the following three controls:
- Integrity Safeguard
- Person or Entity Authentication Safeguard
- Transmission Security Safeguard
Integrity safeguard guidance
Microsoft Entra ID meets identity-related practice requirements for implementing HIPAA safeguards. To be HIPAA compliant, implement the safeguards using this guidance along with any other configurations or processes needed.
For the Data Modification Safeguard:
Protect files and emails, across all devices.
Discover and classify sensitive data.
Encrypt documents and emails that contain sensitive or personal data.
The following content provides the guidance from HIPAA followed by a table with Microsoft's recommendations and guidance.
HIPAA - integrity
Implement security measures to ensure that electronically transmitted electronic protected health information isn't improperly modified without detection until disposed of.
Recommendation | Action |
---|---|
Enable Microsoft Purview Information Protection (IP) | Discover, classify, protect, and govern sensitive data, covering storage and data transmitted. Protecting your data through Microsoft Purview IP helps determine the data landscape, review the framework and take active steps to identify and protect your data. |
Configure Exchange In-place hold | Exchange online provides several settings to support eDiscovery. In-place hold uses specific parameters on what items should be held. The decision matrix can be based on keywords, senders, receipts, and dates. Microsoft Purview eDiscovery solutions is part of the Microsoft Purview compliance portal and covers all Microsoft 365 data sources. |
Configure Secure/Multipurpose Internet Mail extension on Exchange Online | S/MIME is a protocol that is used for sending digitally signed and encrypted messages. It's based on asymmetric key pairing, a public and private key. Exchange Online provides encryption and protection of the content of the email and signatures that verify the identity of the sender. |
Enable monitoring and logging. | Logging and monitoring are essential to securing an environment. The information is used to support investigations and help detect potential threats by identifying unusual patterns. Enable logging and monitoring of services to reduce the risk of unauthorized access. Microsoft Purview auditing provides visibility into audited activities across services in Microsoft 365. It helps investigations by increasing audit log retention. |
Person or entity authentication safeguard guidance
Microsoft Entra ID meets identity-related practice requirements for implementing HIPAA safeguards. To be HIPAA compliant, implement the safeguards using this guidance along with any other configurations or processes needed.
For the Audit and Person and Entity Safeguard:
Ensure that the end user claim is valid for data access.
Identify and mitigate any risks for data that is stored.
The following content provides the guidance from HIPAA followed by a table with Microsoft's recommendations and guidance.
HIPAA - person or entity authentication
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Ensure that users and devices that access ePHI data are authorized. You must ensure devices are compliant and actions are audited to flag risks to the data owners.
Recommendation | Action |
---|---|
Enable multifactor authentication | Microsoft Entra multifactor authentication protects identities by adding an extra layer of security. The extra layer provides an effective way to prevent unauthorized access. MFA enables the requirement of more validation of sign in credentials during the authentication process. Setting up the Authenticator app provides one-click verification, or you can configure Microsoft Entra passwordless configuration. |
Enable Conditional Access policies | Conditional Access policies help to restrict access to only approved applications. Microsoft Entra analyses signals from either the user, device, or the location to automate decisions and enforce organizational policies for access to resources and data. |
Set up device based Conditional Access Policy | Conditional Access with Microsoft Intune for device management and Microsoft Entra policies can use device status to either grant deny access to your services and data. By deploying device compliance policies, it determines if it meets security requirements to make decisions to either allow access to the resources or deny them. |
Use role-based access control (RBAC) | RBAC in Microsoft Entra ID provides security on an enterprise level, with separation of duties. Adjust and review permissions to protect confidentiality, privacy and access management to resources and sensitive data, with the systems. Microsoft Entra ID provides support for built-in roles, which is a fixed set of permissions that can't be modified. You can also create your own custom roles where you can add a preset list. |
Transmission security safeguard guidance
Microsoft Entra ID meets identity-related practice requirements for implementing HIPAA safeguards. To be HIPAA compliant, implement the safeguards using this guidance along with any other configurations or processes needed.
For encryption:
Protect data confidentiality.
Prevent data theft.
Prevent unauthorized access to PHI.
Ensure encryption level on data.
To protect transmission of PHI data:
Protect sharing of PHI data.
Protect access to PHI data.
Ensure data transmitted is encrypted.
The following content provides a list of the Audit and Transmission Security Safeguard guidance from the HIPAA guidance and Microsoft’s recommendations to enable you to meet the safeguard implementation requirements with Microsoft Entra ID.
HIPAA - encryption
Implement a mechanism to encrypt and decrypt electronic protected health information.
Ensure that ePHI data is encrypted and decrypted with the compliant encryption key/process.
Recommendation | Action |
---|---|
Review Microsoft 365 encryption points | Encryption with Microsoft Purview in Microsoft 365 is a highly secure environment that offers extensive protection in multiple layers: the physical data center, security, network, access, application, and data security. Review the encryption list and amend if more control is required. |
Review database encryption | Transparent data encryption adds a layer of security to help protect data at rest from unauthorized or offline access. It encrypts the database using AES encryption. Dynamic data masking for sensitive data, which limits sensitive data exposure. It masks the data to nonauthorized users. The masking includes designated fields, which you define in a database schema name, table name, and column name. New databases are encrypted by default, and the database encryption key is protected by a built-in server certificate. We recommend you review databases to ensure encryption is set on the data estate. |
Review Azure Encryption points | Azure encryption capability covers major areas from data at rest, encryption models, and key management using Azure Key Vault. Review the different encryption levels and how they match to scenarios within your organization. |
Assess data collection and retention governance | Microsoft Purview Data Lifecycle Management enables you to apply retention policies. Microsoft Purview Records Management enables you to apply retention labels. This strategy helps you gain visibility into assets across the entire data estate. This strategy also helps you safeguard and manage sensitive data across clouds, apps, and endpoints. Important: As noted in 45 CFR 164.316: Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for six years from the date of creation, or the date when it last was in effect, whichever is later. |
HIPAA - protect transmission of PHI data
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Establish policies and procedures to protect data exchange that contains PHI data.
Recommendation | Action |
---|---|
Assess the state of on-premises applications | Microsoft Entra application proxy implementation publishes on-premises web applications externally and in a secure manner. Microsoft Entra application proxy enables you to securely publish an external URL endpoint into Azure. |
Enable multifactor authentication | Microsoft Entra multifactor authentication protects identities by adding a layer of security. Adding more layers of security is an effective way to prevent unauthorized access. MFA enables the requirement of more validation of sign in credentials during the authentication process. You can configure the Authenticator app to provide one-click verification or passwordless authentication. |
Enable Conditional Access policies for application access | Conditional Access policies helps to restrict access to approved applications. Microsoft Entra analyses signals from either the user, device, or the location to automate decisions and enforce organizational policies for access to resources and data. |
Review Exchange Online Protection (EOP) policies | Exchange Online spam and malware protection provides built-in malware and spam filtering. EOP protects inbound and outbound messages and is enabled by default. EOP services also provide anti-spoofing, quarantining messages, and the ability to report messages in Outlook. The policies can be customized to fit company-wide settings, these take precedence over the default policies. |
Configure sensitivity labels | Sensitivity labels from Microsoft Purview enable you to classify and protect your organizations data. The labels provide protection settings in documentation to containers. For example, the tool protects documents that are stored in Microsoft Teams and SharePoint sites, to set and enforce privacy settings. Extend labels to files and data assets such as SQL, Azure SQL, Azure Synapse, Azure Cosmos DB and AWS RDS. Beyond the 200 out-of-the-box sensitive info types, there are advanced classifiers such as names entities, trainable classifiers, and EDM to protect custom sensitive types. |
Assess whether a private connection is required to connect to services | Azure ExpressRoute creates private connections between cloud-based Azure datacenters and infrastructure that resides on-premises. Data isn't transferred over the public internet. The service uses layer 3 connectivity, connects the edge router, and provides dynamic scalability. |
Assess VPN requirements | VPN Gateway documentation connects an on-premises network to Azure through site-to-site, point-to-site, VNet-to-VNet and multisite VPN connection. The service supports hybrid work environments by providing secure data transit. |