    4 Replies

    • I think this has it:

      https://docs.microsoft.com/en-us/azure/compliance/offerings/offering-hipaa-us

      For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each HIPAA/HITRUST control is associated with one or more Azure Policy definitions. 
      
    • Thanks, we saw that too but were just not sure if it's adequate.

      Apparently AWS has a page that specifically says "BAA was effective on date .....". That's what auditors accepted in the past, so I guess what we need to figure out is if we are looking for something like that, or with Microsoft, if it's just a matter of saying we accepted the volume licensing agreement, we accepted the terms and conditions - hence the BAA is executed.

    • My understanding is that it's referred to as an "implied BAA".

      In short, whoever asks, tell them you're on 365.

    • Thanks guys,
      We are likely just going to ask the auditors what they've required from other companies running Azure.