Skip to content
Microsoft Industry Blogs

In June, I highlighted work my colleague Elena Bonfiglioli, Senior Director, Health Industry Europe Middle East and Africa, Public Sector, was leading in the form of a health advisory council call to action for European leaders. Several pillars of that call to action related to updating and clarifying regulatory requirements, which our customers have said delay or impair their ability to deploy modern cloud and mobile based technologies. We made a commitment along with other members of the health advisory council, to share the concepts of the call to action (and a more detailed whitepaper) as we talked to policy makers and regulators around the world. We are thrilled to share some of the positive outcomes of those engagements.

In the United States, the Department of Health and Human Services, which oversees enforcement of the country’s Health Insurance Portability and Accountability Act (HIPAA), recently released a document “Guidance on HIPAA & Cloud Computing” which embraces two of the recommendations. The guidance leverages existing standards (for example, referencing the nearly universal NIST Definition of Cloud Computing) and it clarifies that HIPAA does not impose a “data localization” requirement (which would prohibit protected health information from leaving the US).

In France, long known for a complex approval process that must be followed prior to hosting PHI in the cloud, the government body for responsible for the process has just released for public consultation a draft of a significantly revised (and we think improved) process. The draft invokes increasingly common global standards, such as ISO 27001, and veers away from a cumbersome approval process toward a more pragmatic certification regime that will rely on existing third party audits to demonstrate compliance with various requirements.

Finally, in New Zealand, we engaged with the Ministry of Health to help shape guidance and create a more streamlined process for our health customers, resulting in an outcome where we could get across the board approval for hosting health information in our services for all customers, as opposed to requiring a separate approval for each customer.
We are delighted to see policy makers and regulators around the world taking on these pragmatic recommendations. We look forward to continuing to work with them to ensure customers and patients can get the benefits of modern cloud technologies, but also be assured that their sensitive information is being properly protected.