Microsoft Purview - Compliance Score (Part 4) - HIPAA / HITECH
Published Oct 11 2022 12:11 PM 1,253 Views
Microsoft

markus-winkler-UsG7z9TAZdc-unsplash.jpg

 

Before we start, please not that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate the in the following link:

 

Microsoft Purview - Compliance Score (Part 1) - Overview

 

 

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

 

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

 

Target Audience

This blog series is aimed at Security and Compliance officers who need to understand how the Microsoft Purview Compliance Manager assessments can help them meet their regulatory and certification needs.

 

Document Scope

This document will only be discussing the assessment specific to Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) and which Purview components are needed to meet those requirements in the assessment and its associated regulations.

 

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Purview, including:

  • Compliance Manager (configuration)
  • Data Classification
  • Information Protection
  • Data Protection Loss (DLP) for Exchange, OneDrive, Devices
  • Data Lifecycle Management (retention and disposal)
  • Records Management (retention and disposal)
  • eDiscovery
  • Insider Risk Management (IRM)
  • Priva
  • Advanced Audit
  • Microsoft Cloud App Security (MCAS)
  • Information Barriers
  • Communications Compliance
  • Licensing

For details on licensing (ie. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

 

We will not be walking through the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) assessment step-by-step.  For more information on running an assessment in Compliance Manager, you should reference the corresponding documentation listed in the Appendix and Links section below.

 

Overview of Document

We will be walking through how the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) assessment can be leveraged to meet HIPAA / HITECH regulations and provide quantifiable results for meeting those regulations.

  • What are the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)?
  • What is the Compliance Manager Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) assessment?
  • Process of taking assessment information and score and narrowing to Purview related solutions
  • HIPAA / HITECH assessment details (Control Family, Purview relevant solutions breakdown and Purview Compliance Score)

 

Use Case

Looking at a Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) assessment at a high level

 

 

Definitions

  • Actions– the things that need to be done to mark a Control as completed and
  • Assessments – these help you implement data protection controls specified by compliance, security, privacy, and data protection standards, regulations, and laws. Assessments include actions that have been taken by Microsoft to protect your data, and they're completed when you take action to implement the controls included in the assessment.
  • Assessment Templates – these templates track compliance with over 300 industry and government regulations around the world.
  • Compliance Score - Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture.  You receive an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.
  • Controls – the various requirements in your tenant that must be met to meet a part of an assessment
  • Control Family – a grouping of Controls
  • Microsoft Actions – These are actions that Microsoft has performed inside of your tenant to help it meet a specific assessment.
  • Progress – each assessment has a progress chart to help you visualize the progress you are making to meet the requirements of the assessment
  • Your Improvement Actions – These are actions that you and your organization must perform to meet a specific assessment.

 

 

Notes

It is highly recommended that you run your own Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) assessment to see the following information in your own Tenant.

 

 

Pre-requisites

It is highly recommended that you run your own Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) assessment to see the following information in your own Tenant.

 

 

What are HIPAA / HITECH?

Here is the definition listed in Microsoft Purview Compliance Manager.

 

 

“The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) mandate a set of federal requirements for protecting electronic Protected Health Information (ePHI) for U.S. healthcare institutions."

 

 

You can also find more information at the HIPAA / HITECH official website, listed in the Appendix and Links section below.

 

 

What is the Compliance Manager HIPAA / HITECH assessment?

This is the official Microsoft tool that scans your tenant and compares it to the HIPAA / HITECH It then provides a report and workflow on how to meet these acts.

 

Narrowing HIPAA / HITECH to applicable Purview tools

 

We narrow the scope of from All HIPAA / HITECH Control Families (9x) the Assessment runs to just the Compliance applicable HIPAA / HITECH Control Families (5x).  Then we can take those tactical Control Families and leverage the applicable Microsoft Purview tools that, when applied, can help you meet these Control Families. 

 

  • Here is one way to view this
    • All Control Families (9x) -> Compliance applicable Control Families (5x) -> applicable Microsoft Purview tools

 

  • This graphic shows another way to visualize this.

 

James_Havens_0-1664340518530.png

 

 

 

HIPAA / HITECH Assessment details

Let us look at the details of the HIPAA / HITECH assessment as they related to Microsoft Compliance Purview solutions and your Compliance Score for your Microsoft tenant.

 

All Control Families (9x)

The HIPAA / HITECH assessment will report back on ALL the Control Families that are part of the HIPAA / HITECH regulations.

 

James_Havens_1-1664340518535.png

 

 

 

Compliance applicable All Control Families (5x)

From a Purview perspective, here are the 5 Control Families that are applicable to HIPAA / HITECH workloads.

 

 

James_Havens_2-1664340518541.png

 

 

 

Relevant Purview Solutions (10x)

Now that you know which Control Families are relevant to HIPAA / HITECH, here are the Purview solutions that are part will help you meet those regulatory needs.

 

 

James_Havens_3-1664340518550.png

 

 

 

Purview Compliance Score

Let us look at a diagram the HIPAA / HITECH assessment’s points that it applies 1) HIPAA / HITECH Controls overall, 2) points that can specifically be addressed by Purview related tools, and 3) then the percentage of the HIPAA / HITECH assessment points covered by implementing the Purview tools.

 

James_Havens_4-1664340518556.png

 

 

 

Appendix and Links

HIPAA for Professionals | HHS.gov

 

HITECH Act Enforcement Interim Final Rule | HHS.gov

 

Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs

 

Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

 

Compliance score calculation - Microsoft Purview (compliance) | Microsoft Learn

 

Working with improvement actions in Microsoft Purview Compliance Manager - Microsoft Purview (compli...

 

 

 

 

 

 

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such.  Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

 

 

 

 

Co-Authors
Version history
Last update:
‎Oct 11 2022 12:37 PM
Updated by: