Design best practices and considerations for Patient Service Center

These design best practices and considerations for configuring and extending Patient Service Center support the five pillars of Well-Architected for Microsoft Cloud for Healthcare.

Configuration

Reliability

Security and compliance

  • For a complete Patient Service Center scenario, the personas doing the setup and configuration require permissions across Microsoft Entra ID, Azure (landing zone subscription), Power Platform, and Microsoft Teams.
  • Ensure the right permissions are assigned before installing and enabling the Patient Service Center solution. If the organization has a clear separation of concerns for carrying out these tasks across Power Platform, Azure, and Microsoft Teams, ensure the required personas are involved and engaged.
  • Users accessing Patient Service Center, such as the service center representatives, need to be added to the security group in the Power Platform environments.
  • Create dedicated Microsoft Entra groups to maintain access to the Healthcare applications such as Patient Service Center, and map them to the built-in Healthcare user roles in the Power Platform environments. Learn about groups and access rights in Microsoft Entra ID.
  • Create a Microsoft Entra group with users who should have access to the Azure Health Bot Service.
  • Use Microsoft Entra ID Privileged Identity Management so that no one has standing access to the Azure Health Bot service.
  • To register the Azure Health Bot resource provider, the user must have at least the Contributor role in role-based access control (RBAC) on the landing zone subscriptions. Learn more with an overview of role-based access control in Microsoft Entra ID.
  • Integration between Healthcare Bot and Omnichannel requires a Microsoft Entra Application with read permissions to several Microsoft Graph APIs. Learn more with an overview of Microsoft Graph permissions.
  • For Omnichannel configuration and management, users, groups, and applications (for example, chat bots) should be mapped directly to the built-in Omnichannel security roles in the environment, such as administrator, agent, or supervisor.
  • For Patient access integration, ensure Power Pages authentication is configured for your chosen identity provider.
  • For Patient access integration, restrict Power Pages access by IP address to limit portal access.
  • Azure Health Bot is a multitenant service in Azure, where the infrastructure and runtime are managed by Microsoft. The service is HIPAA compliant and holds other certifications.
  • All communication (inbound and outbound) with the Health Bot service happens over HTTPS, ensuring data in transit is also always encrypted.
  • Azure Health Bot stores customer data in Azure Storage and Azure Cosmos DB. This data is always encrypted at rest, and the encryption keys are managed by Microsoft. See more information at Azure AI Health Bot Overview.

Cost optimization

  • Use another data store such as Azure Data Lake and move only the needed data to Dataverse. This can decrease the cost for high volumes of data. We recommend storing data in Dataverse for small organizations or organizations that already have significant amounts of data in Dataverse for other applications. Learn more about Azure Data Lake at Introduction to Azure Data Lake Storage Gen2.
