SpecialisedUser storyConsultative playbook

Patient data is moving to the cloud and HIPAA mapping is not optional

A healthcare provider is moving clinical applications to Azure. The CIO needs every architectural pattern mapped to HIPAA controls before sign-off — encryption, access logging, PHI classification, and audit-defensible compliance attestation that survives a continuous audit.

Trigger: Cloud migration sign-off; HIPAA controls required.
Good outcome: Regulatory mapping baseline live, continuous compliance attestation, PHI classification end-to-end.

Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

·Clinical applications migrating to Azure
·BAA signed but operational controls partial
·HIPAA controls required for sign-off
·Continuous audit cycle expected
·Customer-managed keys requirement under review

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

1.Which patient data categories are migrating — PHI, demographics, claims, research?
WhyDifferent categories have different controls.
2.What's your HIPAA controls baseline today — fully implemented, partial, aspirational?
WhyBaseline drives gap analysis.
3.How are encryption keys managed today — Microsoft-managed or customer-managed?
WhyCustomer-managed keys often required for the regulated tier.
4.What's your access logging story for PHI?
WhyAudit-defensible logging is a HIPAA requirement.
5.Is the audit cycle annual or continuous?
WhyContinuous audit demands continuous attestation tooling.
6.Has Legal mapped HIPAA controls to specific Azure services and SKUs?
WhyIf yes, anchor on it. If no, the engagement starts there.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

BAA signed with Microsoft. HIPAA controls partially implemented. Encryption with Microsoft-managed keys. Access logging fragmented across services. Audit response reactive.

Typical concerns

·PHI access logging incomplete
·Customer-managed keys not in place for regulated tier
·No continuous compliance attestation
·Audit preparation manual
·Sensitivity classification of PHI inconsistent

Capability gaps

·PHI sensitivity labelling
·HIPAA compliance framework baseline
·PIM for clinical admin access
·Customer-managed HSM keys for regulated PHI
·Continuous attestation tooling

Target architecture

Purview Information Protection classifies PHI tenant-wide. Defender for Cloud HIPAA compliance framework baseline live with continuous attestation. Entra ID P2 + PIM for clinical admin access. Managed HSM holds customer-managed keys for the most regulated PHI workloads. Audit-defensible posture demonstrable on demand.

Key capabilities

PHI sensitivity classification
HIPAA compliance framework baseline
PIM for clinical admin access
Customer-managed HSM keys
Continuous compliance attestation

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

Decision 1.Key custodianship — Managed HSM vs standard Key Vault HSM
Managed HSM (FIPS 140-3 Level 3)
When it fitsAuditor demands Level 3; regulated PHI tier.
Trade-offsSignificantly higher cost per HSM.
Standard Key Vault HSM (Level 2)
When it fitsAuditor accepts Level 2.
Trade-offsMay not satisfy all regulators.
Default recommendationManaged HSM for the regulated tier; standard Key Vault for non-PHI workloads.
Decision 2.PHI access logging — Sentinel-routed vs Azure Monitor-only
Sentinel-routed
When it fitsActive SOC; PHI access alerts need SOC triage.
Trade-offsSentinel ingest cost.
Azure Monitor only
When it fitsNo SOC; logs for audit-only.
Trade-offsNo real-time response to suspicious access.
Default recommendationSentinel-routed for production PHI workloads.
Decision 3.Encryption scope — at-rest only vs include in-use (Confidential Computing)
At-rest + in-transit
When it fitsStandard HIPAA baseline.
Trade-offsSome regulators expect in-use too.
Add Confidential Computing for in-use
When it fitsMost sensitive PHI workloads; research with patient identifiers.
Trade-offsVM premium for Confidential Computing.
Default recommendationAt-rest + in-transit baseline; Confidential Computing for the most sensitive workloads selectively.

Low-risk trial — proof of value

60-day HIPAA baseline rollout

8 weeks

PHI sensitivity labels live tenant-wide. Defender for Cloud HIPAA framework enabled with continuous attestation. Entra ID P2 + PIM for clinical admin roles. Managed HSM provisioned for one regulated workload. First audit-readiness report produced.

Success criteria

PHI classification coverage above 80% on the trial scope
HIPAA control coverage measured and gaps identified
PIM live for all clinical admin roles
Managed HSM key custodianship demonstrated end-to-end for the trial workload

InvestmentPurview IP in M365 E5 or as add-on. Defender for Cloud paid CSPM. Entra P2 for clinical admins (~100 seats typical). Managed HSM ~€3.20/hour. Estimated ~€8–15k/month for trial scope.

Proof metrics

·HIPAA control coverage above 90%
·Audit-readiness report produced on demand
·PHI access alert quality measurable
·Customer-managed key custodianship audit-defensible

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

SKUMicrosoftSaaS

Microsoft Purview Information Protection

Data classification, labelling, and protection across Microsoft 365, endpoints, and integrated SaaS. The substrate that determines what Copilot surfaces, what DLP blocks, and what is encrypted at rest and in flight.

In: M365 E5, M365 E5 Compliance…

AI Productivity

Why for this story

PHI classification — sensitivity labels are the auditable proof of "we know what is PHI and what is not."

SKUMicrosoftSaaS

Microsoft Defender for Cloud

Cloud-native security posture management (CSPM) and workload protection (CWPP) across Azure, AWS, and GCP. The platform-team's continuous-assessment substrate — secure score, regulatory compliance dashboards, and per-workload threat protection in one product.

In: Azure consumption

Cloud Foundation

Why for this story

HIPAA compliance framework baseline + continuous attestation. The controls dashboard the audit references.

SKUMicrosoftSaaS

Microsoft Entra ID P2

Everything in Entra ID P1 plus risk-based Identity Protection, Privileged Identity Management (PIM), and access reviews at scale. The identity layer of a modern SOC — produces some of the most actionable detections in the Microsoft estate.

In: M365 E5, EMS E5

Security Operations

Why for this story

PIM for clinical admin access; Identity Protection for the most-attacked identity tier.

SKUMicrosoftAzure

Azure Key Vault Managed HSM

Single-tenant, FIPS 140-3 Level 3 hardware security module for organisations that need customer-controlled cryptographic keys with regulatory-grade hardware backing. The Azure-native answer for BYOK and HYOK scenarios in regulated industries.

In: Azure consumption

Cloud Foundation

Why for this story

FIPS 140-3 Level 3 customer-managed keys for the most regulated PHI workloads.

Back to Regulatory mapping

Patient data is moving to the cloud and HIPAA mapping is not optional

Signals this story fits

Questions to ask

Typical concerns

Capability gaps

Key capabilities

Enabling SKUs

Decision 1.Key custodianship — Managed HSM vs standard Key Vault HSM

Decision 2.PHI access logging — Sentinel-routed vs Azure Monitor-only

Decision 3.Encryption scope — at-rest only vs include in-use (Confidential Computing)

60-day HIPAA baseline rollout

Success criteria

Proof metrics

Recommended cards

Microsoft Purview Information Protection

Microsoft Defender for Cloud

Microsoft Entra ID P2

Azure Key Vault Managed HSM