Is Microsoft 365 HIPAA Compliant? 2026 BAA & Setup Guide

Is Microsoft 365 HIPAA Compliant? Setup, BAA, and What's Covered (2026)

Is Microsoft 365 HIPAA compliant? Yes, but only on the right plan, with the BAA signed, and with a tight tenant configuration. Most clinics, hospitals, and healthcare startups using Outlook, Teams, OneDrive, and SharePoint touch PHI every day. The marketing version of "Microsoft 365 HIPAA" hides real conditions that most admins miss on the first pass.

This guide is the practical version. We cover when Microsoft 365 is HIPAA compliant, which tiers are eligible, how the Microsoft BAA works, which services are covered, and the configuration baseline to apply before a single PHI email gets sent.

The Short Answer

Yes, Microsoft 365 is HIPAA compliant on a qualifying business plan with the Microsoft BAA in place and the right tenant configuration. Personal and Family plans are not. Free Microsoft 365 web apps are not. A Business plan without a signed BAA is not, even if MFA is on for every user.

So is Microsoft 365 HIPAA compliant out of the box? No. You must sign the BAA, restrict usage to in-scope services, and configure HIPAA-aligned safeguards on top of the default tenant settings. About 67% of HIPAA breaches in 2024 traced back to misconfigured cloud tenants and email accounts, per HHS OCR breach reports. Default settings are the risk.

✅ Key Takeaway
Microsoft 365 is HIPAA capable, not HIPAA compliant by default. Compliance needs an eligible commercial plan, a signed BAA, in-scope service usage, and a hardened tenant configuration applied before users handle PHI.

Which Microsoft 365 Plans Are HIPAA Compliant?

Microsoft only offers a BAA for its commercial cloud services. Consumer subscriptions are off the table. The plans eligible for the HIPAA BAA in 2026 are the standard business and enterprise tiers, plus the dedicated frontline and government clouds. Most small clinics start at Business Standard, around $12.50 per user per month, while clinical SaaS startups pick Business Premium at roughly $22 per user per month for the added compliance tooling.

| Plan family | HIPAA BAA available | Notes |
|-------------|---------------------|-------|
| Microsoft 365 Business Basic, Standard, Premium | Yes | Most small clinics and SaaS startups |
| Microsoft 365 Apps for Business | Yes | Desktop apps + OneDrive, no Exchange |
| Microsoft 365 Enterprise E1, E3, E5 | Yes | Mid-market and larger organizations |
| Microsoft 365 F1, F3 (Frontline) | Yes | For shift workers, kiosks, lower licensing cost |
| Office 365 GCC, GCC High, DoD | Yes | Government cloud, FedRAMP High and DoD IL5 |
| Microsoft 365 Personal, Family | No | Consumer plans, no BAA |
| Microsoft 365 Education A1, A3, A5 | Yes | Eligible when used by HIPAA-covered education entities |

If your small practice holds any consumer license that touches PHI, you are out of compliance the moment that mailbox or OneDrive folder receives protected information. The fix is simple. Migrate the user to a commercial tier. Reissue credentials. Then ask "is Microsoft 365 HIPAA compliant for this user now?" and validate every safeguard before reopening access.

How the Microsoft HIPAA BAA Works

Microsoft publishes a standard HIPAA Business Associate Agreement that covers all eligible Microsoft 365 customers worldwide. You do not need to negotiate terms or sign a custom contract. The BAA is offered through the Service Trust Portal and is automatically incorporated into your Online Services Terms once accepted.

Microsoft accepts BAA obligations for all in-scope services in the agreement, which means it will:

  • Implement administrative, physical, and technical safeguards aligned with the HIPAA Security Rule.
  • Report breaches of unsecured PHI within agreed timelines.
  • Subject itself to HIPAA enforcement audits where applicable.
  • Use PHI only as permitted under HIPAA and the BAA.

Read the full Microsoft Trust Center documentation on HIPAA and Microsoft cloud services to confirm current scope. The BAA does not move responsibility off the customer. You remain responsible for user behavior, configuration, and the lawful use of PHI inside your tenant.

⚠ Warning
A signed Microsoft BAA does not make a misconfigured Microsoft 365 tenant HIPAA compliant. It only makes Microsoft a contractually accountable business associate. Your covered entity remains liable for tenant configuration, user training, access controls, and breach response.

Which Microsoft 365 Services Are HIPAA Covered?

Microsoft maintains a list of in-scope services for the HIPAA BAA. Most flagship products are included, but a meaningful number of preview features and some integrated services are not. As of 2026, the BAA-covered services include:

  • Exchange Online (mailboxes, calendars, contacts).
  • SharePoint Online and OneDrive for Business.
  • Microsoft Teams (chat, meetings, calling).
  • Microsoft Defender for Office 365.
  • Microsoft Purview (compliance and data governance).
  • Microsoft Intune (endpoint management).
  • Microsoft Loop, Lists, Forms, Planner.
  • Word, Excel, PowerPoint, OneNote (online and desktop).
  • Power Automate, Power Apps, Power BI Pro.
  • Yammer Enterprise.

Some Microsoft cloud services are not included by default and should be excluded from any workflow that touches PHI. Common exclusions include third-party connectors that route data outside the tenant, optional preview features marked as such in the Microsoft documentation, and certain non-Microsoft applications surfaced inside Teams. Always confirm scope inside the Service Trust Portal before allowing PHI to flow through a feature.

How to Configure Microsoft 365 for HIPAA Compliance

Signing the BAA is the first step, not the finish line. Without specific configuration, a default Microsoft 365 tenant will fail a HIPAA audit. Use the following baseline as a starting checklist for 2026.

1. Lock Down Identity and Authentication

  • Enforce multi-factor authentication for every user, not just admins.
  • Disable legacy authentication protocols (SMTP AUTH, IMAP, POP3) at the tenant level.
  • Require number matching for Authenticator app push approvals.
  • Use Conditional Access to restrict sign-in by device compliance, location, and risk.
  • Enable self-service password reset only with strong identity verification.
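The identity controls in this section can be applied from PowerShell rather than clicked through the admin centers. The script below is an added example, not part of the original guide or a Microsoft-published script. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the account running it holds Global Administrator (or the equivalent Exchange and Conditional Access roles), and that `$BreakGlassAccountId` is a placeholder you replace with the object ID of your emergency-access account. The third Conditional Access policy also covers the device-compliance requirement from step 7 (Manage Endpoints and Mobile Access). All three policies are created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the original guide). Assumes ExchangeOnlineManagement
# and Microsoft.Graph modules are installed and the caller is Global Administrator.
# HYPOTHETICAL placeholder: object ID of the emergency-access (break-glass) account,
# which must be excluded from every Conditional Access policy so it cannot be locked out.
$BreakGlassAccountId = "00000000-0000-0000-0000-000000000000"

# --- Exchange Online: remove the legacy protocol surface tenant-wide ---------------
Connect-ExchangeOnline

# Disable SMTP AUTH for the whole organization; mailboxes inherit this unless overridden.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Turn IMAP and POP off in every mailbox plan so newly created mailboxes start closed...
Get-CASMailboxPlan -ResultSize Unlimited |
    Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# ...and in every existing mailbox, which a plan change does not retroactively touch.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true

# --- Microsoft Entra: Conditional Access policies via Microsoft Graph --------------
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Report-only first; change to "enabled" after checking sign-in log results.
$InitialState = "enabledForReportingButNotEnforced"

# Common user and app scope shared by all three policies: everyone except break-glass.
$AllUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassAccountId) }
$AllCloudApps             = @{ includeApplications = @("All") }

# Policy 1: MFA for every user on every cloud app, not only administrators.
$RequireMfa = @{
    displayName   = "HIPAA baseline - Require MFA for all users"
    state         = $InitialState
    conditions    = @{
        users          = $AllUsersExceptBreakGlass
        applications   = $AllCloudApps
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $RequireMfa

# Policy 2: block legacy authentication clients, which cannot perform MFA at all.
$BlockLegacy = @{
    displayName   = "HIPAA baseline - Block legacy authentication"
    state         = $InitialState
    conditions    = @{
        users          = $AllUsersExceptBreakGlass
        applications   = $AllCloudApps
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $BlockLegacy

# Policy 3: mobile platforms must present an Intune-compliant device AND pass MFA (step 7).
$RequireCompliantMobile = @{
    displayName   = "HIPAA baseline - Compliant device on mobile"
    state         = $InitialState
    conditions    = @{
        users          = $AllUsersExceptBreakGlass
        applications   = $AllCloudApps
        clientAppTypes = @("all")
        platforms      = @{ includePlatforms = @("iOS", "android") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $RequireCompliantMobile

# Verify: read the three policies and their state back for the compliance record.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -like "HIPAA baseline*" |
    Select-Object DisplayName, State
```

Number matching for Authenticator push approvals is configured in the Entra authentication methods policy and is not scripted here. Keep the policies in report-only mode until the sign-in log shows no legitimate clients being blocked, then flip `state` to `enabled`.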

2. Encrypt PHI in Transit and at Rest

Microsoft 365 encrypts data at rest by default and uses TLS 1.2 or higher for traffic in transit. Healthcare organizations should add:

  • Microsoft Purview Message Encryption for emails containing PHI.
  • Sensitivity labels with mandatory encryption for documents marked PHI.
  • Customer Key for tenants with regulatory or contractual encryption sovereignty needs.

3. Apply Information Protection and DLP

  • Configure Microsoft Purview Data Loss Prevention policies that detect HIPAA-covered identifiers (medical record numbers, ICD codes, US Social Security numbers, dates of birth).
  • Apply sensitivity labels (Confidential - PHI, Highly Confidential - PHI) with auto-labeling rules.
  • Block external sharing of files labeled PHI unless explicitly approved through a controlled workflow.
  • Enable Endpoint DLP to prevent users from copying PHI to USB drives or unmanaged cloud storage.

4. Enable Audit Logging and Retention

  • Turn on unified audit log search and retain logs for at least six years to match the HIPAA documentation requirement.
  • Enable mailbox audit logging by default.
  • Configure SharePoint and OneDrive audit retention policies.
  • Forward critical audit events to a SIEM or Microsoft Sentinel for tamper-evident retention.
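Steps 3 (Information Protection and DLP) and 4 (Audit Logging and Retention) both have PowerShell equivalents in Security & Compliance PowerShell and Exchange Online PowerShell. The script below is an added example, not code from the original guide or from Microsoft. It assumes the ExchangeOnlineManagement module is installed, that the caller holds Compliance Administrator and Exchange Administrator rights, that the sensitive information type names are the built-in Purview names as assumed here (confirm them with `Get-DlpSensitiveInformationType`), that `compliance@contoso.example` is a placeholder for your incident mailbox, and that the ten-year audit retention option is licensed in the tenant.

```powershell
# Added example (not from the original guide). Assumes the ExchangeOnlineManagement
# module is installed and the caller holds Compliance and Exchange Administrator rights.
# HYPOTHETICAL placeholder: mailbox that receives DLP incident reports.
$IncidentMailbox = "compliance@contoso.example"

# --- Purview DLP and audit retention live on the Security & Compliance endpoint -----
Connect-IPPSSession

$PolicyName = "HIPAA PHI protection"

# Start in test mode with user notifications; switch -Mode to Enable after tuning.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment "Detect PHI identifiers across mail, files and Teams" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types (assumed names) that map to common PHI identifiers.
$PhiTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)";                    minCount = "1" },
    @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" },
    @{ Name = "Drug Enforcement Agency (DEA) Number";                 minCount = "1" }
)

# Rule: any of those identifiers shared outside the organization is blocked, the
# owner and last modifier are notified, and an incident report goes to compliance.
New-DlpComplianceRule -Name "Block PHI leaving the tenant" -Policy $PolicyName `
    -ContentContainsSensitiveInformation $PhiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport $IncidentMailbox `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# Audit retention: six years is not an available duration value, so the next option
# up is TenYears (assumed to require the 10-year audit log retention add-on).
New-UnifiedAuditLogRetentionPolicy -Name "HIPAA audit retention" `
    -Priority 1 `
    -RecordTypes ExchangeItem, SharePointFileOperation, MicrosoftTeams, AzureActiveDirectoryStsLogon `
    -RetentionDuration TenYears

# --- Audit switches live on the Exchange Online endpoint ------------------------------
Connect-ExchangeOnline

# Unified audit log ingestion must be on before anything is searchable or forwarded.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Mailbox auditing is on by default at the org level; make sure nobody turned it off...
Set-OrganizationConfig -AuditDisabled $false
# ...and enable it explicitly on every mailbox so the setting is documented per mailbox.
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true

# Verify the switches read back as expected and keep the output with the compliance file.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
Get-OrganizationConfig  | Select-Object AuditDisabled
```

Run the DLP policy in `TestWithNotifications` for a few weeks and review the matches before enabling blocking; a rule that fires on every ICD code in a referral letter will be switched off by frustrated users if it goes live untuned.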

5. Restrict Access by Role

  • Apply least privilege using built-in admin roles (Global Reader instead of Global Admin where possible).
  • Use Privileged Identity Management for time-bound elevation.
  • Review and remove guest accounts that no longer need access to PHI workspaces.
  • Set automatic SharePoint site review and ownership confirmation.

6. Configure Microsoft Teams for Healthcare

  • Disable anonymous join for meetings that may include PHI.
  • Enable lobby for external participants.
  • Restrict guest access at the team and channel level.
  • Apply retention policies to chat, channel messages, and meeting recordings.
  • Use sensitivity labels at the team level to govern membership and sharing.

7. Manage Endpoints and Mobile Access

  • Enroll devices in Microsoft Intune and require compliance for tenant access.
  • Apply mobile application protection policies (require PIN, prevent copy-paste to unmanaged apps, require encryption).
  • Use Conditional Access to block PHI access from non-compliant or jailbroken devices.
  • Wipe corporate data automatically on lost or compromised devices.

Common HIPAA Violations Inside Microsoft 365

Audits and OCR investigations consistently find the same handful of failures inside Microsoft 365 tenants. Avoid these and you remove the most common breach vectors.

| Mistake | Risk | Fix |
|---------|------|-----|
| Personal account used for work email | Unprotected PHI outside tenant | Block personal accounts via CA, issue commercial license |
| External sharing turned on by default for OneDrive | Anonymous links exposing PHI | Restrict sharing to internal or specific people only |
| Auto-forwarding to external domains enabled | PHI exfiltrated by phishing or insider | Block external auto-forwarding tenant-wide |
| No DLP for HIPAA identifiers | PHI shared by accident, no detection | Enable Purview DLP with HIPAA template |
| Default Teams meeting policy allows anonymous join | Unauthorized listeners on PHI calls | Disable anonymous join, enforce lobby |
| Guest access not reviewed | Old contractors retain SharePoint PHI access | Quarterly access reviews via Entra ID |
| Mobile devices allowed without Intune | Unmanaged endpoints holding PHI | Enforce device compliance via CA |
| No mailbox encryption for outbound PHI | PHI traveling unencrypted to recipients | Apply Purview Message Encryption rules |
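Four of the fixes in the table (external auto-forwarding, OneDrive default sharing, Teams anonymous join and lobby, and guest review) can be applied and evidenced from PowerShell; the Teams settings also implement step 6 of the configuration baseline above. The script below is an added example, not code from the original guide or from Microsoft. It assumes the ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell, MicrosoftTeams and Microsoft.Graph modules are installed, that the caller is Global Administrator, that `$SpoAdminUrl` is a placeholder for your SharePoint admin center URL, and that the tenant has Entra ID P1 so that guest sign-in activity is available through Graph.

```powershell
# Added example (not from the original guide). Assumes the ExchangeOnlineManagement,
# Microsoft.Online.SharePoint.PowerShell, MicrosoftTeams and Microsoft.Graph modules
# are installed and the caller is Global Administrator.
# HYPOTHETICAL placeholder: your SharePoint admin center URL.
$SpoAdminUrl = "https://contoso-admin.sharepoint.com"

# --- Mistake: auto-forwarding to external domains enabled ------------------------
Connect-ExchangeOnline
# Two independent switches; both should be off so neither inbox rules nor Outlook
# forwarding settings can send mail out of the tenant.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Evidence for the record: any mailbox that still carries a forwarding address.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress

# --- Mistake: OneDrive/SharePoint external sharing left at the default -----------
Connect-SPOService -Url $SpoAdminUrl
# Anonymous ("Anyone") links off; only guests already in the directory can be shared with;
# new links default to people inside the organization with view-only permission.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -DefaultLinkPermission View `
    -PreventExternalUsersFromResharing $true

# --- Mistake: default Teams meeting policy allows anonymous join (and step 6) ----
Connect-MicrosoftTeams
# No anonymous join or start; everyone outside the organization, guests included,
# waits in the lobby until admitted.
Set-CsTeamsMeetingPolicy -Identity Global `
    -AllowAnonymousUsersToJoinMeeting $false `
    -AllowAnonymousUsersToStartMeeting $false `
    -AutoAdmittedUsers "EveryoneInCompanyExcludingGuests"

# --- Mistake: guest access never reviewed ----------------------------------------
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"
$Cutoff = (Get-Date).AddDays(-90)

# Guests with no sign-in in 90 days (or none ever) are the removal candidates for the
# quarterly review. Reading SignInActivity assumes Entra ID P1 licensing.
Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property DisplayName, Mail, CreatedDateTime, SignInActivity |
    Where-Object {
        -not $_.SignInActivity.LastSignInDateTime -or
        $_.SignInActivity.LastSignInDateTime -lt $Cutoff
    } |
    Select-Object DisplayName, Mail, CreatedDateTime,
        @{ n = "LastSignIn"; e = { $_.SignInActivity.LastSignInDateTime } }
```

Keep the output of the two evidence queries (forwarding addresses and stale guests) with the dated review record; an OCR investigator will ask when the last review happened and what it found, not only whether the setting exists.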

For the full risk picture, follow our broader HIPAA security rule safeguards checklist and the HIPAA risk assessment guide.

Microsoft 365 vs Other HIPAA-Capable Productivity Suites

Microsoft 365 is one of three productivity suites that consistently appear on shortlists for HIPAA-bound organizations. The choice usually comes down to existing infrastructure, administrative depth, and budget tolerance.

| Suite | HIPAA BAA | Strength | Watch out |
|-------|-----------|----------|-----------|
| Microsoft 365 (Business or Enterprise) | Yes | Deep admin and compliance tooling, hybrid environments | Configuration complexity, license cost at scale |
| Google Workspace (Business or Enterprise) | Yes | Faster to deploy, simpler admin | Fewer compliance features at lower tiers |
| Zoho Workplace (Premier or Workplace) | Yes | Lowest cost, basic feature set | Smaller ecosystem, fewer integrations |

If you are mid-evaluation, see our companion piece, "Is Google Workspace HIPAA Compliant?", for a side-by-side view of how the two suites differ on BAA scope and configuration overhead.

What the BAA Does Not Cover

Healthcare organizations frequently mistake the Microsoft BAA for blanket protection. It is not. The BAA explicitly excludes:

  • Third-party apps installed from AppSource that are not Microsoft-published.
  • Personal Microsoft accounts used to sign in to commercial tenants.
  • Skype Consumer (distinct from Teams).
  • LinkedIn integrations even when surfaced inside Microsoft 365.
  • Some preview and public beta features.

If a workflow touches any of these, treat it as out of scope and either rebuild it inside covered services or sign a separate BAA with the third-party vendor. Always confirm the current covered services list inside the Microsoft Trust Center.

How to Sign the Microsoft 365 BAA

Microsoft no longer requires a separate signature flow for most commercial tenants. The HIPAA BAA is incorporated into the Online Services Terms once your organization confirms it. The standard path:

  1. Sign in to the Microsoft Service Trust Portal as a Global Administrator
  2. Open the HIPAA documentation library
  3. Review the current BAA terms
  4. Acknowledge acceptance through the documented flow (now bundled into the Online Services Terms acceptance for new tenants)
  5. Save a copy of the BAA acknowledgement to your compliance documentation

For organizations on legacy Enterprise Agreements, contact your Microsoft account representative to confirm whether the BAA is included or requires a separate amendment.

Frequently Asked Questions

Is Microsoft 365 HIPAA compliant by default?

No. Microsoft 365 is HIPAA capable, but compliance requires an eligible commercial plan, a signed BAA, and configuration of identity, encryption, DLP, audit logging, and device controls aligned with the HIPAA Security Rule.

Is Microsoft 365 Business Basic enough for HIPAA?

Yes, if it is licensed under a commercial agreement and the BAA is in place. Business Basic includes Exchange Online, OneDrive, SharePoint, and Teams under the BAA. Larger organizations typically prefer E3 or E5 for stronger compliance tooling.

Does the Microsoft BAA cover Outlook on the desktop?

Yes. Outlook is part of the Microsoft 365 Apps included in eligible plans. The BAA covers PHI processed through Outlook when connected to a covered Exchange Online mailbox.

Is Microsoft Teams HIPAA compliant?

Yes, when the tenant is on an eligible plan with the BAA, anonymous join is restricted, lobby is enforced, sensitivity labels apply to PHI workspaces, and recordings are governed by retention policies.

Can a healthcare startup use Microsoft 365 Personal for clinical work?

No. Personal and Family plans are consumer SKUs and are not eligible for the HIPAA BAA. Migrate users to a commercial tier before any PHI flows through their accounts.

Does Microsoft 365 cover HIPAA's documentation retention requirement?

Microsoft 365 supports the technical retention requirement, but you must configure it. Set audit log retention, mailbox retention, and SharePoint retention policies to at least six years and document the configuration in your HIPAA policies.

Does Microsoft sign a BAA for free?

Yes, the Microsoft HIPAA BAA is offered at no additional charge to eligible commercial customers.

Final Word

So is Microsoft 365 HIPAA compliant in the real world? It can be. It is one of the most widely deployed HIPAA-capable stacks. But capability is not compliance. The default tenant a reseller hands you is not HIPAA compliant. The configuration, the BAA, and the user training you bolt on top are what make Microsoft 365 HIPAA compliant. Treat it as an in-scope cloud service. Configure it like one. Document the outcome. That is what an OCR investigation will look at if a breach lands on your desk.

If you are an SMB or healthcare startup in early scoping, start with our HIPAA compliance for SaaS startups guide and the HIPAA business associate agreement checklist before finalizing the tenant build. Small practices running multiple cloud tools should also review the HIPAA security rule safeguards and pair the Microsoft 365 build with documented HIPAA training requirements.

James Mitchell
Author
James Mitchell covers topics in this category and related fields. Views expressed are editorial and based on research and experience.