The security and privacy of patient health information ranks very high when we ask about the sensitivity level of information and the need to protect it. Over the years, we have been engaged in robust discussions with customers, regulators and policymakers to ensure we understand the requirements around the world for putting patient health information in the Microsoft cloud. Our work started in the US, where we were one of the first cloud providers to offer a HIPAA Business Associate Agreement (BAA) for our cloud services over seven years ago. Since then, we have continually updated our BAA to ensure we offer customers a clear understanding of how our cloud services enable them to meet their regulatory requirements with respect to the security and privacy of patient health information and how it is handled by them and by Microsoft. But we did not stop there, we endeavor to provide customers with regulatory “assurance” materials wherever we can find guidelines, standards or other requirements that we or our customers need to meet. In the UK, Microsoft has completed Level 2 of the NHS IG Toolkit Assessment for Azure, which enables healthcare customers in the UK to understand how we help them meet their overall obligations to safeguard the data of their patients.
We are now excited to announce that we have recently added a new compliance guide that helps customers in the Netherlands understand how Microsoft cloud services can help them meet their obligations to comply with a local health standard referred to as NEN 7510 “Information Security Management in Healthcare”. The model of the Netherlands is one that we find increasingly common, the healthcare provider as the steward of the patient’s information is ultimately responsible for being in compliance with local requirements, but the cloud provider plays an important role to the extent it handles patient information on behalf of the customer. We found it helpful to set out in detail for customers the NEN 7510 controls for which Microsoft is responsible as a cloud service provider and the certifications and audits that are relevant to those controls. This assurance documentation can be used by customers to understand where they will need to implement their own controls to ensure their compliance with NEN 7510.