Microsoft: Cloud Storage Security Statements for FERPA, HIPAA, and PCI DSS


What are the security statements from Microsoft related to FERPA, HIPAA and PCI data?*


*The statements below are excerpts from the full compliance discussions on the Microsoft Compliance website. Please follow the hyperlinked title above each topic to review Microsoft's full statement of compliance. These are important considerations when deciding to store content in the cloud. Note that each statement describes Microsoft's side of the shared-responsibility model: a Business Associate Agreement, a "school official" designation, or a PCI DSS attestation covers the service provider's platform, not how an institution configures the service or what it chooses to store there. The institution remains responsible for its own compliance assessment.


Microsoft and FERPA

"FERPA does not require or recognize audits or other certifications, so any academic institution that is subject to FERPA must assess for itself whether and how its use of a cloud service affects its ability to comply with FERPA requirements. In the Online Services Terms Data Protection Addendum (DPA), Microsoft agrees to be designated as a 'school official' with 'legitimate educational interests' in customer data as defined under FERPA. Customer data would include any student records provided through a school's use of Azure. When handling student education records, Microsoft agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) just as school officials do. Microsoft has published guidance documentation to assist Azure customers with satisfying their FERPA compliance requirements."

Microsoft Corporation (2022, April 19), Family Educational Rights and Privacy Act (FERPA), Microsoft Compliance website. Retrieved May 11, 2022.


Microsoft, HIPAA and the HITECH Act

"HIPAA regulations require that covered entities (defined under the Rules) enter into agreements with business associates to ensure that PHI is adequately protected. This agreement is called a Business Associate Agreement. Among other things, a Business Associate Agreement establishes the permitted and required uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. To support our customers' compliance with HIPAA when utilizing Microsoft enterprise products and services, Microsoft will enter into Business Associate Agreements with its covered entity and business associate customers."

"There is currently no certification standard that is approved by the Department of Health and Human Services to demonstrate compliance with HIPAA or the HITECH Act by a business associate. However, Microsoft enables customers in their compliance with HIPAA and the HITECH Act and adheres to the Security Rule requirements of HIPAA in its capacity as a business associate. Moreover, Microsoft enters into Business Associate Agreements with its covered entity and business associate customers to support their compliance with HIPAA obligations."

Microsoft Corporation (2022, April 19), Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HITECH) Act, Microsoft Compliance website. Retrieved May 11, 2022.


Payment Card Industry (PCI) Data Security Standard (DSS)

"Microsoft completed an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). The auditors reviewed Microsoft Azure, Microsoft OneDrive for Business, and Microsoft SharePoint Online environments, which include validating the infrastructure, development, operations, management, support, and in-scope services. The PCI DSS designates four levels of compliance based on transaction volume. Azure, OneDrive for Business, and SharePoint Online are certified as compliant under PCI DSS version 3.2 at Service Provider Level 1 (the highest volume of transactions, more than 6 million a year)."

Microsoft Corporation (2022, April 19), Payment Card Industry (PCI) Data Security Standard (DSS), Microsoft Compliance website. Retrieved May 13, 2022.


Please submit your questions by email to IT Security Services.


Article ID: 137949
Wed 5/11/22 1:50 PM
Mon 10/2/23 10:12 AM