My requirement is to use a Patient ID (PHI) in the Storage Blob object key.

Example - "/storagename/Z360A1109/report.html" where "Z360A1109" is the Patient ID.

If I query this object WITHOUT VNet Service Endpoint for Blob Storage enabled, then it's a clear violation and my Patient ID can be intercepted over the internet.

But WITH VNet Service Endpoint enabled for Blob Storage, where the traffic is routed over the Microsoft Backbone Network, can we use it without violating HIPAA regulations? And does the BAA cover this?

dilzfiesta
  • Could you please provide more details? What are you referring to in terms of "Blob Object key"? Also, is the data located in a database or Blob storage? How are you performing this action, are you using a specific SDK? In terms of HIPAA, Azure cloud is certified: details can be found here: https://www.microsoft.com/en-us/trustcenter/compliance/hipaa – Adam Smith - Microsoft Azure Feb 20 '19 at 18:33
  • Patient's demographics like age, gender, medications etc. are present in report.html, inside Storage Blob at the location below. We can access this data using the SDK or Storage Explorer. https://company.blob.core.windows.net/container/patients/Z360A1109/report.html The data inside report.html is encrypted at rest and while in transit, but the patient ID is clearly visible in the above URL, which is a violation of HIPAA regulations. Now if we use VNET Service Endpoint for Storage Blob and access this URL using the SDK from within the VNET, is it still considered a violation? – dilzfiesta Feb 21 '19 at 07:04

0 Answers