I've been asked to investigate moving part or all data processing off premises, and acting on a tip from twitter, I encountered what I think may be a show stopper. While it seems that Office is covered by MS on the HIPAA BAA, if you read to scope section at the very bottom of this document:
it seems that SQL Azure is exempt from the HIPAA BAA, which I think makes it a non-starter for HIPAA sensitive applications.
Am i reading this wrong?
Does this mean that HIPAA sensitive data must be maintained on premises or is it acceptable buy hosted database services from Amazon or Rackspace et al but not on SQL Azure?
Thanks for your help, as I am in the dark!