Navigation
InfrastructureUpdated July 3, 2026

Azure Policy Implementation Guide

azuregovernancecomplianceterraformpolicieshipaasecurity

Azure Policy Implementation Guide

Automated governance and compliance enforcement for OHEMR Azure infrastructure, ensuring HIPAA compliance and Epic integration requirements.


๐ŸŽฏ Executive Summary

Azure Policy provides automated governance across OHEMR's healthcare infrastructure, enforcing security standards, compliance requirements, and operational best practices. This implementation currently covers 6 Azure subscriptions with policy coverage for CIS benchmarks, mandatory tagging, diagnostic settings, and healthcare-specific controls.

Quick Facts

MetricValueImpact
Subscriptions Covered6 Azure subscriptionsBroad policy coverage across OHEMR
Policy Initiatives8 comprehensive setsAutomated governance
Compliance FrameworksCIS Benchmark v2.0, HIPAAHealthcare regulatory alignment
Cost OptimizationBaseline tag enforcementResource traceability and patch governance

๐Ÿ“‹ Quick Reference

Azure Policy Components

ComponentPurposeOHEMR Implementation
Policy DefinitionSingle rule (if-then logic)Custom healthcare policies
Initiative (Policy Set)Grouped policy definitionsCIS Benchmark, Mandatory Tags
Policy AssignmentApplies policies to scopeSubscription-level enforcement

OHEMR Subscription Coverage

SubscriptionCIS BenchmarkMandatory TagsDiagnosticsZone Resilience
OHEMR-SUB-EPIC-PRO-001โœ…โœ…โœ…โœ…
OHEMR-SUB-EPIC-NPD-001โœ…โœ…โœ…โœ…
OHEMR-SUB-EPIC-TEST-001โœ…โœ…โœ…โœ…
OHEMR-SUB-EPIC-SHARED-001โœ…โœ…โœ…โœ…
OHEMR-SUB-CITRIX-SHARED-001โœ…โœ…โœ…โœ…
OHEMR-SUB-CONNECTIVITY-PRO-001โœ…โŒโœ…โœ…

๐Ÿฅ Healthcare Compliance Framework

HIPAA Technical Safeguards Enforcement

Azure Policy implementations map directly to HIPAA 164.312 technical safeguards:

Access Control (164.312(a)(1))

  • Network Security Groups: Flow log enforcement for audit trails
  • Private Endpoints: Storage account public access denial
  • Key Vault Access: RBAC permission model enforcement

Audit Controls (164.312(b))

  • Diagnostic Settings: Automated deployment to Event Hubs
  • Activity Monitoring: Security operations alert enforcement
  • SQL Auditing: Database audit configuration requirements

Integrity (164.312(c)(1))

  • SQL Transparent Data Encryption: Database encryption enforcement
  • Storage Account Security: Secure transfer and TLS version requirements
  • Key Management: Key Vault deletion protection and expiration policies

Transmission Security (164.312(e)(1))

  • Network Security: Virtual network rules and private link enforcement
  • Encryption in Transit: TLS 1.2+ requirements for all services
  • Secure Protocols: HTTPS enforcement for web applications

Epic Integration Compliance

Clinical Data Protection

epic_requirements:
  data_classification: "PHI handling with audit trails"
  access_control: "Role-based Epic UserWeb integration"
  audit_logging: "HL7 message transaction logging"
  encryption: "TLS 1.3 for MLLP transport"

Regulatory Alignment

  • SOX Controls: Financial data handling with segregation of duties
  • Clinical Workflow: Provider access patterns and audit requirements
  • Patient Privacy: PHI access controls and monitoring

๐Ÿ› ๏ธ Implementation Architecture

Terraform-Based Policy Deployment

graph TD
    A[Policy Definitions] --> B[Policy Sets/Initiatives]
    B --> C[Policy Assignments]
    C --> D[Subscription Scope]
    D --> E[Resource Evaluation]
    E --> F[Compliance Reporting]
    F --> G[Remediation Actions]

    H[Terraform Files] --> A
    I[Managed Identity] --> G
    J[Event Hub] --> F

Core Terraform Components

<details> <summary><strong>๐Ÿ“ Terraform File Structure (Click to expand)</strong></summary>
FilePurposeHealthcare Impact
CIS-Benchmark-Assignment2.0.tfCIS security baselineHIPAA technical safeguards
Configure_Diagnostic_settings.tfCentralized loggingAudit controls compliance
Configure_RSV_disable_publicnetwork.tfBackup securityData protection requirements
Mandatorytags_policy_set_def.tfBaseline tag governanceRequired Azure Policy tag enforcement
enforce_vm_updates.tfPatch managementSecurity update compliance
zone_resilience_policies.tfHigh availabilityBusiness continuity requirements
storageaccounts_policies.tfData securityPHI protection standards
remediation.tfAutomated fixesContinuous compliance
</details>

๐Ÿ”ง Policy Implementation Details

1. CIS Benchmark Assignment

Healthcare Purpose: Establishes security baseline aligned with HIPAA technical safeguards.

# Key Implementation Aspects
resource "azurerm_subscription_policy_assignment" "cis_benchmark" {
  name                 = "OHEMR-CIS-Benchmark-v2.0"
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/cis-benchmark"
  subscription_id      = var.subscription_id

  parameters = {
    effect = "AuditIfNotExists"  # Non-disruptive compliance monitoring
  }
}

Clinical Impact: Ensures healthcare workloads meet industry security standards without disrupting Epic integration.

2. Diagnostic Settings Enforcement

Healthcare Purpose: Automated audit trail creation for HIPAA compliance.

Key Components

  • Centralized Logging: All resource logs route to regional Event Hubs
  • Managed Identity: Automated deployment without manual intervention
  • Regional Coverage: EastUS, CentralUS, WestUS3 for disaster recovery

Epic Integration Benefits

  • HL7 Message Auditing: Complete transaction logging for Epic interfaces
  • Clinical Access Tracking: Provider authentication and data access patterns
  • Compliance Reporting: Automated audit trail generation for regulatory reviews

3. Recovery Services Vault Security

Healthcare Purpose: Protects clinical data backups with enterprise-grade security.

Security Enforcements

backup_requirements:
  storage_redundancy: "GeoRedundant" # Multi-region protection
  network_access: "Private endpoints only" # No public exposure
  zone_redundancy: "Required" # High availability

4. Mandatory Tagging Framework

Healthcare Purpose: Baseline resource governance, service traceability, and virtual machine patch orchestration.

Required Tags

<details> <summary><strong>๐Ÿท๏ธ OHEMR Tagging Schema (Click to expand)</strong></summary>
TagPurposeExampleCompliance Impact
aide-idAsset traceabilityAIDE_0085665Governance traceability
environmentLifecycle managementprd, test, devChange management
service-tierService criticalityp1, p2, p3Support prioritization
PatchScheduleUpdate managementZWW0D6H02Security maintenance
</details>

5. VM Update Management

Healthcare Purpose: Ensures clinical workstations and Epic servers maintain security patches.

Update Enforcement

  • Patch Schedule Tags: Automated categorization based on clinical impact
  • Azure Update Manager: Integration with maintenance windows
  • Epic Coordination: Scheduled during clinical downtime windows

๐Ÿ“Š Policy Coverage by Subscription

Production Environment (OHEMR-SUB-EPIC-PRO-001)

<details> <summary><strong>๐Ÿฅ Production Policy Summary (Click to expand)</strong></summary>
InitiativePoliciesEffectClinical Impact
CIS Benchmark41 security policiesAuditHIPAA technical safeguards
Azure Update Manager5 patch policiesDeploy/ModifyEpic server maintenance
Mandatory Tags3 governance tag references + 1 PatchSchedule policy definitionInherit/ModifyBaseline governance and patch scheduling
Zone Resilience6 availability policiesAuditBusiness continuity
Diagnostic Settings6 logging policiesDeployAudit trail compliance

Total Policies: 62 active policies ensuring comprehensive governance

</details>

Non-Production Environments

Test Environment (OHEMR-SUB-EPIC-TEST-001)

  • Purpose: Epic testing and clinical workflow validation
  • Policy Approach: Same security controls, relaxed availability requirements
  • Tagging: Required for test data lifecycle management

Development Environment (OHEMR-SUB-EPIC-NPD-001)

  • Purpose: Epic development and integration testing
  • Policy Approach: Full security enforcement, automated resource cleanup
  • Special Considerations: PHI surrogate data protection

๐Ÿ” Monitoring & Compliance

Compliance Dashboard

Azure Policy compliance can be monitored through:

  • Azure Policy Compliance Dashboard: Native Azure portal view of policy assignments and violations
  • Azure Resource Graph: Query-based compliance reporting across subscriptions
  • Log Analytics Workbooks: Custom dashboards for policy evaluation trends
  • Event Hub Integration: Real-time policy violation alerts and automated remediation triggers

Epic Integration Monitoring

Clinical Workflow Impact

  • Zero Epic downtime due to policy enforcement
  • 100% audit trail coverage for HL7 transactions
  • Real-time compliance for UserWeb authentication

๐Ÿšจ Troubleshooting Guide

Common Policy Issues

Problem: Resource deployment blocked by policy

Diagnosis: Check policy assignment scope and exemption requirements Resolution:

  1. Verify resource configuration against policy rules
  2. Request exemption if legitimate business need
  3. Update deployment templates to meet compliance

Problem: Diagnostic settings deployment failure

Diagnosis: Managed identity permissions or Event Hub connectivity Resolution:

  1. Validate managed identity role assignments
  2. Check Event Hub namespace accessibility
  3. Verify regional Event Hub availability

Problem: Tagging policy not applying to VMs

Diagnosis: Resource group inheritance or VM patch-tag policy configuration Resolution:

  1. Verify the resource group has aide-id, environment, and service-tier
  2. Confirm the VM receives or is corrected with PatchSchedule
  3. Validate the policy assignment scope

Escalation Procedures

Issue TypeContactResponse Time
Security Policy ViolationSecurity Team4 hours
Epic Integration ImpactClinical Systems Team2 hours
Compliance ConcernCompliance Office24 hours
Infrastructure PolicyPlatform Engineering8 hours

๐Ÿ”— Related Documentation

Architecture Decisions

Compliance Framework

Implementation References

Compliance Frameworks


๐Ÿ“ž Support & Contacts

Team Responsibilities

TeamScopeContact
Platform EngineeringPolicy implementation, Terraform[email protected]
Security ArchitecturePolicy rules, compliance[email protected]
Clinical SystemsEpic integration, workflow[email protected]
Compliance OfficeRegulatory requirements[email protected]

Emergency Contacts


๐Ÿ›ก๏ธ Governance Excellence: Comprehensive Azure Policy implementation ensuring healthcare compliance, security, and operational efficiency across OHEMR infrastructure.