Is Microsoft 365 HIPAA compliant?
Yes, with conditions. Microsoft includes its HIPAA BAA by default in the DPA for eligible customers, so no separate document must be signed, but you must use only HIPAA-eligible services and configure and safeguard them yourself.
Key facts
- BAA available: Yes, included in the DPA for eligible plans; no separate BAA is signed
- What it takes: Included by default in the Microsoft Products and Services Data Protection Addendum (DPA) for eligible commercial/enterprise customers; no separate signature required. Coverage applies only to Microsoft-designated HIPAA-eligible Online Services.
- Official source: Microsoft Learn — HIPAA/HITECH Compliance Offering — https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech (verified 2026-06)
How to use Microsoft 365 in a HIPAA-compliant way
- Confirm your subscription is a commercial/enterprise offering eligible under the Microsoft DPA terms.
- Download and retain the current Microsoft HIPAA BAA and DPA from the Service Trust Portal for your records.
- Limit PHI to Microsoft-designated HIPAA-eligible Online Services (e.g., Exchange Online, SharePoint Online, OneDrive, Teams).
- Enable encryption, MFA, conditional access, audit logging, and DLP across the tenant.
- Conduct your own HIPAA risk analysis and document policies and workforce training.
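The configuration step above (audit logging, MFA via Conditional Access, DLP) is the part most often assumed rather than verified. The following PowerShell read-only check is an added example, not code from Microsoft or from the original page; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in account has read access to Exchange Online, Security & Compliance, and Entra ID policy objects. The property names checked are the ones those cmdlets return today; treat the output as a starting point for your risk analysis, not as proof of compliance.

```powershell
# Added example (not from the original page). Read-only tenant checks for the
# safeguards listed above. Assumes: ExchangeOnlineManagement and Microsoft.Graph
# modules installed; the caller has Policy.Read.All and read rights in EXO/SCC.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Identity.SignIns

Connect-ExchangeOnline          # Exchange Online admin cmdlets
Connect-IPPSSession             # Security & Compliance cmdlets (DLP)
Connect-MgGraph -Scopes "Policy.Read.All"   # Entra ID Conditional Access

$findings = New-Object System.Collections.Generic.List[string]

# 1. Unified audit log ingestion must be on, or there is no tenant-wide audit trail.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified audit log ingestion is DISABLED (Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true)")
}

# 2. At least one enabled Conditional Access policy should require MFA.
#    Report-only ("enabledForReportingButNotEnforced") policies do not count.
$caPolicies = Get-MgIdentityConditionalAccessPolicy
$mfaPolicies = $caPolicies | Where-Object {
    $_.State -eq "enabled" -and
    $_.GrantControls -and
    $_.GrantControls.BuiltInControls -contains "mfa"
}
if (-not $mfaPolicies) {
    $findings.Add("No enabled Conditional Access policy requires MFA")
} else {
    "MFA enforced by: " + (($mfaPolicies | Select-Object -ExpandProperty DisplayName) -join ", ")
}

# 3. DLP policies that are only in test mode do not block PHI leaving the tenant.
$dlpPolicies = Get-DlpCompliancePolicy
$enforcedDlp = $dlpPolicies | Where-Object { $_.Mode -eq "Enable" }
if (-not $enforcedDlp) {
    $findings.Add("No DLP policy is in Enable mode (test-mode policies only warn)")
} else {
    "Enforced DLP policies: " + (($enforcedDlp | Select-Object -ExpandProperty Name) -join ", ")
}

# 4. Message encryption (Purview Message Encryption / Azure RMS) should be licensed and on.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    $findings.Add("Azure RMS licensing is not enabled; Office Message Encryption will not work")
}

# Summary
if ($findings.Count -eq 0) {
    "No gaps found in the checks above. This is evidence for your risk analysis, not compliance."
} else {
    "Findings:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it from an admin workstation and attach the output to the risk analysis the next bullet calls for; rerun it after any tenant change, since none of these settings are locked by the BAA.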
Important caveats
- The BAA covers only Online Services Microsoft lists as HIPAA-eligible in the Product Terms; some features and previews are out of scope.
- Default inclusion of the BAA does not make the tenant compliant — configuration and customer safeguards remain your responsibility.
- Free/consumer Microsoft accounts and non-eligible plans are not covered.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with the BAA in effect, you remain responsible for configuring Microsoft 365 correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Microsoft.
Frequently asked questions
Does Microsoft 365 sign a BAA?
Yes. The BAA is included by default in the Microsoft Products and Services Data Protection Addendum (DPA) for eligible commercial/enterprise customers; no separate signature is required. Coverage applies only to Microsoft-designated HIPAA-eligible Online Services. Confirm that your subscription is eligible, and that the BAA is therefore in effect, before any PHI enters the service.
Is Microsoft 365 HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even though Microsoft 365 offers a BAA, you are responsible for confirming it applies to your subscription, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Microsoft 365 with PHI?
Check three things. First, that your plan is an eligible commercial/enterprise subscription under the DPA, not a consumer or otherwise ineligible plan. Second, that every service that will hold PHI is on Microsoft's list of HIPAA-eligible Online Services in the Product Terms; some features and previews are out of scope, and the list changes. Third, that the tenant is actually configured with the safeguards you rely on (encryption, MFA, conditional access, audit logging, DLP) and that your own risk analysis, policies, and workforce training are documented.