Healthcare Information Security

Cloud News

UCHealth picks Office 365: The BAA effect on cloud security

By Patrick Ouellette

We know the benefits of cloud computing for healthcare organizations – a subscription model can save an organization from the heavy costs of owning and maintaining its own servers. But there has been great cloud trepidation among these organizations until lately because of privacy and security fears. Regardless of whether they were unfounded or not – most data breaches to this point haven’t involved cloud computing – organizations were set in their ways because of the massive risk involved with handling protected health information (PHI).

But because big-time cloud service providers such as Google and Microsoft recently decided they were willing to sign business associate agreements (BAAs) with healthcare organizations to comply with HIPAA, some of this angst has begun to subside. For example, University of Colorado Health (UCHealth), a new healthcare system formed by Poudre Valley Health System, University of Colorado Hospital and Memorial Health System, announced yesterday that it had begun using Microsoft 365, Microsoft’s enterprise cloud subscription service.

The interesting aspect of the announcement isn’t that UCHealth picked Office 365, as they’re certainly not the first nor the last to do so. In fact, back in February, the Texas Department of Information Resources implemented Microsoft Office 365. Instead, it’s the fact that the BAA was one of the key talking points for Steve Hess, UCHealth CIO, as he discussed why UCHealth chose to use 365. “The healthcare industry is generally hesitant to use the cloud because of security and HIPAA concerns,” Hess said, according to the press release. “However, Microsoft’s strong commitment to data security, privacy and compliance with HIPAA standards, coupled with its willingness to sign a comprehensive Business Associate Agreement for Office 365, gave us the confidence we needed to overcome our cloud anxieties.”

Apparently UCHealth had looked at a few different product offerings, such as Google Apps, but chose Office 365 because it “supports HIPAA requirements beyond what other vendors provide.” It’s unclear what this statement means, as both Google and Microsoft are willing to sign BAAs. However, the main point is that with these big cloud providers being more willing to comply with HIPAA, providers have more reason to at least consider moving their data off-premises.

UCHealth migrated 17,000 mailboxes from three different healthcare organizations on multiple legacy email platforms into the single Microsoft Office 365 environment. UCHealth stands to save an estimated $13.9 million in overall costs over an 11-year period, according to the announcement.

