
We are using WebRoles to host our api, Table storage to persist PHI and Blob Storage to persist MRIs and CT images.

What is required to become HIPAA Compliant?

-- Edit 2014-02-17 --

I just want to know where to start

Mahmoud Samy

Comment: HIPAA and similar regulations are not a simple checkbox where you can just do specific things and say you're HIPAA compliant, it typically requires audits, documentation, procedures, policies and a host of other hoops to jump through. Start with a consultant who specializes in HIPAA in your field. If you can't afford one, then I would suggest that you're not prepared for the costly regulatory quagmire you are about to embark upon in the first place. – Erik Funkenbusch Jan 11 '15 at 02:24

1 Answer

You need to start with understanding your obligations under HIPAA and HITECH. After that, you can read Windows Azure HIPAA Implementation Guidance. You should also refer to 19006 Federal Register / Vol. 74, No. 79, "Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information", which delineates certain other documents that pertain.

FIPS 140-2 Annex A algorithms (exclusively - 3-key TripleDES, AES (any length), SHA-1 and SHA-2 (any length), and RSA only, unless you really like Skipjack) are a bare minimum. NIST SP 800-131A offers additional guidance (which boils down to: no more SHA-1, no more RSA less than 2048 bits, no more DSA with a |p| less than 2048 bits or a |q| less than 224 bits).

You should also find a consultant who is an expert in both HIPAA and HITECH, as well as whatever other regulations cover what you're doing. Highly regulated areas like PHI storage are not places to wander into lightly or blindly.

Anti-weakpasswords
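As an added example (not from the question or the answer above), the following checker turns the answer's two rules into a script you can run over an inventory of where your deployment protects PHI: the FIPS 140-2 Annex A algorithm list as the floor, and the SP 800-131A limits (no SHA-1, RSA below 2048 bits, DSA with |p| below 2048 or |q| below 224) on top. The inventory entries, labels and the `CryptoUse` record are constructed for illustration; DSA is included in the floor list only because the SP 800-131A rule quoted in the answer constrains it.

```python
# Added example: inventory check against the two rules quoted in the answer.
from dataclasses import dataclass
from typing import Optional

# Algorithm families the answer lists from FIPS 140-2 Annex A (Skipjack left out).
# DSA is included because the SP 800-131A rule in the answer constrains it.
ANNEX_A = {"3DES", "AES", "SHA-1", "SHA-2", "RSA", "DSA"}


@dataclass(frozen=True)
class CryptoUse:                    # constructed record type, not an Azure API
    algorithm: str                  # family name, e.g. "AES", "RSA", "SHA-2"
    key_bits: Optional[int] = None  # symmetric key length or RSA modulus size
    p_bits: Optional[int] = None    # DSA prime modulus size |p|
    q_bits: Optional[int] = None    # DSA subgroup order size |q|


def check_annex_a(use: CryptoUse) -> Optional[str]:
    """Floor: algorithm must be on the Annex A list; TripleDES must be 3-key."""
    if use.algorithm not in ANNEX_A:
        return f"{use.algorithm} is not a FIPS 140-2 Annex A algorithm"
    if use.algorithm == "3DES" and use.key_bits != 168:
        return "TripleDES must be 3-key (168-bit)"
    return None


def check_sp800_131a(use: CryptoUse) -> Optional[str]:
    """The stricter SP 800-131A limits, as summarised in the answer."""
    if use.algorithm == "SHA-1":
        return "SHA-1 is no longer acceptable under SP 800-131A"
    if use.algorithm == "RSA" and (use.key_bits is None or use.key_bits < 2048):
        return "RSA modulus must be at least 2048 bits"
    if use.algorithm == "DSA" and (use.p_bits is None or use.p_bits < 2048
                                   or use.q_bits is None or use.q_bits < 224):
        return "DSA needs |p| >= 2048 and |q| >= 224"
    return None


def evaluate(inventory: dict[str, CryptoUse]) -> dict[str, list[str]]:
    """Map each inventory label to its findings; an empty list means it passes."""
    return {label: [f for f in (check_annex_a(use), check_sp800_131a(use)) if f]
            for label, use in inventory.items()}


# Constructed inventory of where a hypothetical deployment protects PHI.
INVENTORY = {
    "blob-at-rest": CryptoUse("AES", key_bits=256),          # passes both checks
    "api-tls-cert": CryptoUse("RSA", key_bits=1024),         # fails SP 800-131A
    "cert-signature": CryptoUse("SHA-1"),                    # fails SP 800-131A
    "legacy-export": CryptoUse("3DES", key_bits=112),        # 2-key: fails floor
    "audit-signing": CryptoUse("DSA", p_bits=1024, q_bits=160),
    "checksum": CryptoUse("MD5"),                            # not on Annex A
}
```

Run `evaluate(INVENTORY)` and treat every non-empty findings list as something to fix before an auditor or consultant sees it.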