HIPAA-SPECIFIC CSP RIDER

Last Updated: July 2, 2026

HIPAA CLOUD SERVICES RIDER FOR MICROSOFT CSP

This HIPAA Rider applies when Customer uses Microsoft CSP Services to store, process, or transmit Protected Health Information (“PHI”).

ROLES AND RESPONSIBILITIES

Customer is the Covered Entity or Business Associate. Microsoft acts as a data processor under the Microsoft Data Protection Addendum. EZETECH acts solely as a technology reseller and administrator, not a custodian of PHI unless explicitly stated in a separate Business Associate Agreement.

NO IMPLIED HIPAA COMPLIANCE

Microsoft CSP Services are not inherently HIPAA compliant by default. Compliance depends on Customer configuration, licensing, policies, and operational controls. EZETECH does not guarantee HIPAA compliance outcomes.

CUSTOMER OBLIGATIONS

Customer is responsible for:

  • Determining which data constitutes PHI
  • Proper tenant configuration and security controls
  • Enabling audit logging, retention, encryption, and access controls
  • User training and access governance
  • Executing a Microsoft BAA directly or through EZETECH if offered

SECURITY INCIDENTS

EZETECH is not responsible for breaches caused by Customer misconfiguration, user error, weak credentials, third-party integrations, or Microsoft platform vulnerabilities.

LIMITATION OF LIABILITY

EZETECH disclaims liability for HIPAA penalties, fines, corrective action plans, or regulatory enforcement arising from Customer use of Microsoft CSP Services.