Raising the bar for healthcare security: Dynamics 365 Contact Center achieves HITRUST certification

Meeting the gold standard of security, privacy, and compliance for healthcare data protection.

Real-time User Journey: Secure Healthcare Interaction

This journey illustrates how HITRUST certification provides a secure foundation for handling Protected Health Information (PHI) during a patient interaction:

  1. Patient Authentication: A patient calls their healthcare provider to discuss sensitive lab results. The system recognizes the caller and prompts for secure multi-factor authentication.
  2. Verified Environment: The call is routed via the HITRUST-certified cloud infrastructure. Every layer of the data path—from the voice stream to the database—is governed by the stringent security controls required by the certification.
  3. Secure Information Access: The agent opens the patient’s record. Dynamics 365 uses Role-Based Access Control (RBAC) to ensure the agent only sees the specific health data necessary to answer the inquiry.
  4. AI-Assisted Resolution: Copilot provides a summary of the patient’s history. Because the platform is certified, the provider can confidently use AI to process PHI without the risk of data leakage or non-compliance.
  5. Audit Logging: Every action the agent takes and every piece of data accessed is recorded in a tamper-proof audit log, meeting the “measurable” security requirements of the HITRUST framework.
  6. Patient Peace of Mind: The interaction concludes with the patient knowing their medical and personal data was handled with the highest level of industry-standard security.

Step-by-Step: How to Leverage This Security for Healthcare

HITRUST is a platform-level certification, meaning Microsoft has already done the heavy lifting of securing the infrastructure. To leverage this for your healthcare organization, follow these steps:

  • Step 1: Verify Compliance Status

Visit the Microsoft Trust Center or the Service Trust Portal to download the HITRUST Letter of Certification for Dynamics 365 and the Microsoft Cloud for Healthcare.

  • Step 2: Put a Business Associate Agreement (BAA) in Place

Ensure your organization has a signed BAA with Microsoft. This is a prerequisite for handling HIPAA/PHI data on any Microsoft cloud service.

  • Step 3: Enable Data Encryption

In the Power Platform Admin Center, verify that Customer-Managed Keys (CMK) are enabled if your specific compliance policy requires an extra layer of control over data encryption at rest.

  • Step 4: Set Up Data Loss Prevention (DLP)

Configure DLP policies in the Microsoft Purview compliance portal to prevent sensitive medical identifiers (like SSNs or Patient IDs) from being shared via insecure channels (e.g., standard email or external chats).

  • Step 5: Define Secure Agent Workspace

In Agent Experience Profiles, use “Field-level security” to mask sensitive health fields so they are only visible to authorized medical staff, not general support agents.

  • Step 6: Conduct a Compliance Audit

Use the Compliance Manager within Microsoft Purview to track your organization’s specific implementation of HITRUST controls against the Dynamics 365 environment.
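The Step 4 DLP configuration can be scripted instead of clicked through in the Purview portal. The script below is an added example, not part of the original post or Microsoft's own documentation; it uses the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module. The policy and rule names are placeholders, and the custom "Patient ID" sensitive information type is assumed to already exist in your tenant under the name you substitute for <YOUR-PATIENT-ID-SIT> (Purview ships an SSN classifier, but a patient-identifier format is organization-specific and must be defined first). The policy is created in test mode so detections can be reviewed for false positives before anything is blocked.

```powershell
# Added example (not from the original post): scripts the Step 4 DLP policy with
# Security & Compliance PowerShell. Names marked "placeholder" are assumptions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to the compliance endpoint

# 1. Confirm the built-in SSN classifier is available before a rule references it.
$ssnType = Get-DlpSensitiveInformationType -Identity "U.S. Social Security Number (SSN)"
if (-not $ssnType) { throw "SSN sensitive information type not found in this tenant" }

# 2. Create the policy in test-with-notifications mode: matches are logged and the
#    sender is notified, but nothing is blocked until you have reviewed the results.
New-DlpCompliancePolicy -Name "PHI Identifier Protection (placeholder)" `
    -Comment "Stops SSNs and patient IDs leaving the organization via mail, Teams, SharePoint, OneDrive" `
    -ExchangeLocation All `
    -TeamsLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 3. The rule: one or more identifier matches shared outside the organization
#    blocks access, notifies the item owner, and raises an incident report.
New-DlpComplianceRule -Name "Block external sharing of PHI identifiers (placeholder)" `
    -Policy "PHI Identifier Protection (placeholder)" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "<YOUR-PATIENT-ID-SIT>"; minCount = "1" }   # custom SIT, assumed to exist
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin

# 4. After the review period, switch the policy from test mode to enforcement.
# Set-DlpCompliancePolicy -Identity "PHI Identifier Protection (placeholder)" -Mode Enable
```

Leaving the policy in TestWithNotifications for a review period is the practical check: the DLP activity reports show what would have been blocked, which is where a too-broad patient-ID pattern (for example, one that also matches order or ticket numbers) becomes visible before it interrupts clinical workflows.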

Infographic: The HITRUST Certification Advantage

Feature         | Standard HIPAA Compliance              | HITRUST CSF Certification
----------------|----------------------------------------|-------------------------------------------------------
Verification    | Self-attestation (High Risk).          | Third-party audited (Low Risk).
Scope           | Focuses mostly on Privacy/Security.    | Comprehensive: covers HIPAA, NIST, ISO, and more.
AI Readiness    | Often restricted for PHI.              | AI-Native: secured for Copilot and AI Agents.
Data Protection | Basic encryption.                      | Multi-layered: includes advanced physical and logical security.
Trust Level     | Variable.                              | The "Gold Standard" for healthcare and insurance.
