Is Microsoft 365 Copilot HIPAA compliant?
Conditionally. Microsoft 365 Copilot (commercial/enterprise) is in scope under Microsoft's HIPAA BAA via the Online Services Data Protection Addendum; consumer Copilot is not covered.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Commercial/enterprise M365 with Microsoft BAA (DPA/Online Services); consumer plans excluded
- Official source: Microsoft Learn — Enterprise data protection in Microsoft 365 Copilot — https://learn.microsoft.com/en-us/microsoft-365/copilot/enterprise-data-protection (verified 2026-06)
How to use Microsoft 365 Copilot in a HIPAA-compliant way
- Be a covered entity/business associate on a commercial/enterprise Microsoft 365 tenant.
- Have Microsoft's HIPAA BAA in place via the Online Services / Products Data Protection Addendum.
- License Microsoft 365 Copilot on an eligible enterprise plan (e.g., E3/E5/Business Premium-class).
- Configure Microsoft Purview, DLP policies, sensitivity labels, and audit logging so that PHI is governed within the tenant.
- Disable web-search grounding for Copilot, or keep PHI out of any prompt that uses it: web search queries are excluded from the BAA.
Important caveats
- Copilot in Microsoft 365 Family/Personal/Premium is a consumer offering NOT covered by the enterprise BAA.
- Web search queries within Copilot are not covered by the DPA/BAA.
- BAA coverage is platform-level only; a compliant deployment still requires the E3/E5/Business Premium-class controls (Purview, DLP, sensitivity labels, audit logging) to be configured by your organization.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Microsoft 365 Copilot correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm the current terms for Microsoft 365 Copilot with Microsoft.
Frequently asked questions
Does Microsoft 365 Copilot sign a BAA?
On specific plans. Commercial/enterprise Microsoft 365 tenants are covered by Microsoft's BAA (DPA/Online Services); consumer plans are excluded. A signed BAA is required before any PHI is involved.
Is Microsoft 365 Copilot HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Microsoft offers a BAA covering Microsoft 365 Copilot, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Microsoft 365 Copilot with PHI?
First confirm which product you have: Copilot in Microsoft 365 Family/Personal/Premium is a consumer offering NOT covered by the enterprise BAA. Only commercial/enterprise Microsoft 365 tenants with Microsoft's BAA in place are in scope, and web search queries within Copilot remain outside the DPA/BAA even on those tenants.