Azure HIPAA Compliance: Complete Guide to BAA & Eligible Services

Building a HIPAA-compliant healthcare application on Microsoft Azure? You need to understand Azure's BAA coverage, which services are HIPAA-eligible, and how to architect for compliance.

This guide is based on our experience deploying 40+ HIPAA-compliant applications on Azure for healthcare providers, health tech startups, and medical device companies.

What is Azure HIPAA Compliance?

Microsoft Azure offers HIPAA compliance through its Business Associate Agreement (BAA), which is included in the Microsoft Online Services Terms. When you store or process Protected Health Information (PHI) on Azure, you need:

• BAA coverage through your Azure agreement (EA, CSP, or MOSP)
• HIPAA-eligible services only for PHI workloads
• Proper security controls (encryption, access controls, audit logging)
• Backup and disaster recovery for data availability

Azure's BAA covers most services, making it one of the most comprehensive cloud platforms for HIPAA compliance.

How Azure BAA Coverage Works

Unlike AWS (which requires signing through AWS Artifact), Azure's BAA is automatically included in your Microsoft Online Services Terms when you have an Enterprise Agreement (EA), Cloud Solution Provider (CSP), or Microsoft Online Subscription Program (MOSP) agreement.

Step 1: Review Online Services Terms

The BAA is part of the Microsoft Online Services Terms (OST). You can review it at: Microsoft DPA

Step 2: Ensure You Have the Right Agreement Type

BAA coverage requires one of these agreement types:

• Enterprise Agreement (EA): For large organizations
• Cloud Solution Provider (CSP): Through a Microsoft partner
• Microsoft Online Subscription Program (MOSP): Pay-as-you-go with BAA addendum

Step 3: Enable HIPAA-Eligible Services

Not all Azure services are HIPAA-eligible. Before storing PHI, verify the service is on the eligible list.

Step 4: Configure Azure Policy for HIPAA

Azure Policy can automatically enforce HIPAA compliance requirements:

• Go to Azure Policy → Definitions
• Search for "HIPAA HITRUST"
• Assign the HIPAA HITRUST 9.2 policy to your subscription
• Review compliance status regularly

Step 5: Document Your BAA Coverage

Maintain records of:

• Your Azure agreement type and BAA acceptance date
• List of Azure services used with PHI
• Security controls implemented
• Audit logs and compliance reports

Step 6: Conduct Regular Compliance Reviews

Review your Azure environment quarterly to ensure:

• All services with PHI are HIPAA-eligible
• Security controls are properly configured
• Audit logs are being retained
• Backups are working and tested

Azure HIPAA-Eligible Services

Most Azure services are HIPAA-eligible. Here are the most commonly used for healthcare applications:

Compute Services

• Azure Virtual Machines: Windows and Linux VMs with disk encryption
• Azure Functions: Serverless compute for PHI processing
• Azure Kubernetes Service (AKS): Managed Kubernetes with security controls
• Azure Container Instances: Serverless containers
• Azure Batch: Large-scale parallel processing

Storage Services

• Azure Blob Storage: Object storage with encryption and immutability
• Azure Files: Managed file shares
• Azure Disk Storage: Persistent disks for VMs
• Azure Data Lake Storage: Big data analytics storage

Database Services

• Azure SQL Database: Managed SQL with TDE and Always Encrypted
• Azure Database for PostgreSQL/MySQL: Managed open-source databases
• Azure Cosmos DB: Globally distributed NoSQL database
• Azure Cache for Redis: In-memory cache

Healthcare-Specific Services

• Azure Health Data Services: FHIR, DICOM, and MedTech services (purpose-built for healthcare)
• Azure API for FHIR: Managed FHIR server
• Text Analytics for Health: NLP for medical text

Security & Compliance Services

• Azure Key Vault: Key and secret management
• Azure Monitor: Comprehensive monitoring and logging
• Azure Security Center: Unified security management
• Azure Sentinel: Cloud-native SIEM
• Azure Policy: Compliance enforcement
• Azure Private Link: Private connectivity to Azure services

Backup & Disaster Recovery

• Azure Backup: Centralized backup for VMs, databases, and files
• Azure Site Recovery: Disaster recovery and business continuity

Full list: Azure HIPAA Compliance Documentation

Azure HIPAA Backup Strategies

One of the most critical HIPAA requirements is data availability and disaster recovery. Azure offers comprehensive backup solutions:

1. Azure Backup for Virtual Machines

What it does: Automated VM backups with application-consistent snapshots

HIPAA benefits:

• Encryption at rest and in transit
• Retention policies (7 years for HIPAA)
• Geo-redundant storage for disaster recovery
• Point-in-time restore
• Soft delete to prevent accidental deletion

Cost: $10-20/VM/month + storage costs

2. Azure SQL Database Automated Backups

What it does: Automatic full, differential, and transaction log backups

HIPAA benefits:

• Point-in-time restore (7-35 days)
• Long-term retention (up to 10 years)
• Geo-redundant backup storage
• Encrypted backups
• No manual intervention required

Cost: Included in SQL Database pricing + LTR storage costs

3. Blob Storage Versioning and Immutability

What it does: Immutable storage with legal hold and time-based retention

HIPAA benefits:

• Prevents deletion or modification of PHI
• Compliance with retention requirements
• Versioning for accidental overwrites
• Soft delete for recovery

Cost: Standard storage rates + versioning overhead

4. Azure Site Recovery for Disaster Recovery

What it does: Continuous replication to secondary region

HIPAA benefits:

• RPO (Recovery Point Objective) < 5 minutes
• RTO (Recovery Time Objective) < 2 hours
• Automated failover and failback
• Disaster recovery drills without impacting production

Cost: $25/VM/month + storage costs

5. Geo-Redundant Storage (GRS)

What it does: Replicates data to secondary region (hundreds of miles away)

HIPAA benefits:

• Protection against regional disasters
• 99.99999999999999% (16 9's) durability
• Read access to secondary region (RA-GRS)

Cost: 2x storage costs vs locally redundant storage

6. Azure Backup Vault with RBAC

What it does: Centralized backup management with role-based access control

HIPAA benefits:

• Centralized backup policies across resources
• RBAC for backup administrators
• Encryption with customer-managed keys
• Compliance reporting

Cost: Based on protected instances and storage

Azure HIPAA Architecture Best Practices

1. Use Azure Private Link for Private Connectivity

Azure Private Link provides private connectivity to Azure services over the Microsoft backbone network, eliminating exposure to the public internet.

2. Enable Encryption at Rest with Customer-Managed Keys

Use Azure Key Vault with customer-managed keys (CMK) for:

• Azure Storage encryption
• SQL Database Transparent Data Encryption (TDE)
• Cosmos DB encryption
• Disk encryption

3. Enable Encryption in Transit (TLS 1.2+)

Enforce TLS 1.2 or higher for all services:

• Azure Storage: Set minimum TLS version to 1.2
• SQL Database: Enforce SSL connections
• Application Gateway: Use TLS 1.2+ listeners

4. Implement Azure AD with Conditional Access

Use Azure Active Directory for identity management:

• Multi-factor authentication (MFA) for all users
• Conditional access policies (IP restrictions, device compliance)
• Privileged Identity Management (PIM) for just-in-time access
• Azure AD B2C for patient portals

5. Enable Azure Monitor for Comprehensive Logging

HIPAA requires audit logs of all PHI access:

• Enable diagnostic settings for all resources
• Send logs to Log Analytics workspace
• Retain logs for 7 years (HIPAA requirement)
• Set up alerts for suspicious activity

6. Use Azure Policy for Compliance Enforcement

Azure Policy can automatically enforce HIPAA requirements:

• Require encryption for storage accounts
• Require TLS 1.2+ for all services
• Require diagnostic logging
• Prevent public IP addresses on VMs
• Require network security groups

7. Enable Azure Backup with Geo-Redundancy

Set up automated backups with:

• Geo-redundant storage (GRS)
• 7-year retention for HIPAA compliance
• Quarterly restore testing
• Soft delete enabled

8. Implement Network Security Groups (NSGs)

Use NSGs to control traffic:

• Deny all inbound traffic by default
• Allow only necessary ports (443 for HTTPS)
• Use application security groups for role-based access
• Enable NSG flow logs for audit trails

9. Use Azure Security Center for Threat Protection

Azure Security Center provides:

• Security recommendations
• Threat detection
• Compliance dashboard (HIPAA HITRUST)
• Just-in-time VM access
• File integrity monitoring

10. Enable Azure Sentinel for SIEM

Azure Sentinel provides cloud-native SIEM:

• Collect logs from all Azure resources
• Detect threats with machine learning
• Investigate incidents
• Automate response with playbooks

Azure HIPAA Cost Estimates

Here's what a typical HIPAA-compliant application costs on Azure (small-to-medium healthcare startup):

Service	Configuration	Monthly Cost
Virtual Machine	D2s v3 (2 vCPU, 8GB RAM)	$70-100
SQL Database	S2 (50 DTUs)	$75-100
Blob Storage	1TB Hot tier with GRS	$18
Azure Backup	1 VM + 100GB storage	$10
Key Vault	10k operations/month	$0.03
Azure Monitor	5GB logs/month	$11.50
Security Center	Standard tier (1 VM)	$15
Networking	VNet, NSG, Private Link	$20-30
Total		$250-450/month

Scaling costs:

• 10,000 users: $600-1,000/month
• 100,000 users: $3,000-7,000/month
• 1M+ users: $15,000-60,000/month

Azure HIPAA Implementation Timeline

Week 1-2: Planning & BAA

• Review Azure BAA coverage in Online Services Terms
• Design architecture (VNet, subnets, NSGs)
• Select HIPAA-eligible services
• Document data flows and PHI storage
• Create Azure AD roles and policies

Week 3-4: Infrastructure Setup

• Create VNet with subnets
• Set up encryption (Key Vault, storage encryption, SQL TDE)
• Configure Azure AD and conditional access
• Enable Azure Monitor and diagnostic logging
• Set up Private Link for services
• Configure NSGs and application security groups

Week 5-6: Application Deployment

• Deploy application to VMs/AKS/Functions
• Configure SQL Database with SSL enforcement
• Set up Application Gateway with HTTPS
• Configure Azure Monitor alerts
• Set up Azure Backup policies
• Test disaster recovery with Site Recovery

Week 7-8: Security & Compliance

• Assign Azure Policy for HIPAA HITRUST
• Review compliance dashboard
• Conduct security assessment
• Document all security controls
• Create incident response plan
• Train team on HIPAA requirements

Common Azure HIPAA Mistakes to Avoid

1. Not Enabling Diagnostic Logging

HIPAA requires audit logs. Enable diagnostic settings for ALL resources and send logs to Log Analytics workspace.

2. Using Public IP Addresses on VMs

VMs with PHI should never have public IPs. Use Azure Bastion or VPN for administrative access.

3. Not Testing Backups

We've seen companies with Azure Backup enabled but never tested restore. Test quarterly.

4. Forgetting About Retention Policies

Set Log Analytics retention to 7 years for HIPAA compliance. Default is 30 days.

5. Not Using Customer-Managed Keys

While Microsoft-managed keys are HIPAA-compliant, customer-managed keys (CMK) give you more control and are preferred for sensitive PHI.

Need Help with Azure HIPAA Compliance?

We've deployed 40+ HIPAA-compliant applications on Azure for healthcare providers and health tech startups. Our team can help you:

• Design HIPAA-compliant Azure architecture
• Implement security controls and backup strategies
• Set up Azure Policy for compliance enforcement
• Configure Azure Monitor and Sentinel for SIEM
• Conduct security assessments
• Prepare for HIPAA audits

Get expert help with Azure HIPAA compliance - free 30-minute consultation.

Related Resources:

• Azure HIPAA Compliance Landing Page
• Compare AWS vs Azure vs GCP for HIPAA
• HIPAA Security Rule Assessment Hub

Written by the compliance team at Tranquility Cybersecurity & Assurance. We've helped 200+ companies achieve HIPAA compliance on AWS, Azure, and GCP.