HIPAA-SPECIFIC CSP RIDER
Last Updated: July 2, 2026
HIPAA CLOUD SERVICES RIDER FOR MICROSOFT CSP
This HIPAA Rider applies when Customer uses Microsoft CSP Services to store, process, or transmit Protected Health Information (“PHI”).
ROLES AND RESPONSIBILITIES
Customer is the Covered Entity or Business Associate. Microsoft acts as a data processor under the Microsoft Data Protection Addendum. EZETECH acts solely as a technology reseller and administrator, and is not a custodian of PHI unless explicitly stated in a separate Business Associate Agreement (“BAA”).
NO IMPLIED HIPAA COMPLIANCE
Microsoft CSP Services are not inherently HIPAA compliant by default. Compliance depends on Customer configuration, licensing, policies, and operational controls. EZETECH does not guarantee HIPAA compliance outcomes.
CUSTOMER OBLIGATIONS
Customer is responsible for:
- Determining which data constitutes PHI
- Proper tenant configuration and security controls
- Enabling audit logging, retention, encryption, and access controls
- User training and access governance
- Executing a Microsoft BAA directly or through EZETECH if offered
SECURITY INCIDENTS
EZETECH is not responsible for breaches caused by Customer misconfiguration, user error, weak credentials, third-party integrations, or Microsoft platform vulnerabilities.
LIMITATION OF LIABILITY
EZETECH disclaims liability for HIPAA penalties, fines, corrective action plans, or regulatory enforcement arising from Customer use of Microsoft CSP Services.
