Is Microsoft Azure HIPAA compliant?
Yes, with conditions. Microsoft's HIPAA BAA for Azure is included by default in the DPA for eligible customers, so no separate signature is needed, but PHI must be confined to HIPAA-eligible Azure services and properly configured and safeguarded.
Key facts
- BAA available: Yes — with a signed BAA
- What it takes: Included by default in the Microsoft Products and Services Data Protection Addendum (DPA) for eligible customers; no separate signature is required. PHI is limited to Microsoft-designated HIPAA-eligible Online Services.
- Official source: Microsoft Learn — Azure HIPAA Compliance Offering — https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-hipaa-us (verified 2026-06)
How to use Microsoft Azure in a HIPAA-compliant way
- Confirm your Azure agreement is an eligible commercial/enterprise offering under the Microsoft DPA.
- Download and retain the current Microsoft HIPAA BAA and DPA from the Service Trust Portal.
- Deploy PHI only in Azure services Microsoft designates as HIPAA-eligible in the Product Terms.
- Enforce encryption, IAM/RBAC, network controls, Azure Monitor/audit logging, and key management.
- Perform and document your HIPAA risk analysis and customer-side safeguards.
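The steps above reduce to a technical control you can enforce rather than only document. As an added example (not Microsoft's own policy or code from this page), the Azure Policy definition below denies creation of any resource type outside an allow-list when assigned to the subscription or resource group that holds PHI. The resource type values in allowedResourceTypes are placeholders; the real list must be taken from the HIPAA-eligible services Microsoft designates in the Product Terms.

```json
{
  "properties": {
    "displayName": "PHI scope: allow only HIPAA-eligible resource types",
    "description": "Denies any resource type not on the allow-list. Assign only to the scope that holds PHI. Allow-list values are placeholders to be replaced from the Microsoft Product Terms.",
    "mode": "All",
    "parameters": {
      "allowedResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed resource types",
          "description": "Resource types confirmed as HIPAA-eligible in the Microsoft Product Terms (placeholder values below)."
        },
        "defaultValue": [
          "PLACEHOLDER.Provider/hipaaEligibleTypeOne",
          "PLACEHOLDER.Provider/hipaaEligibleTypeTwo"
        ]
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "type",
          "in": "[parameters('allowedResourceTypes')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assigning it first with the effect changed to audit shows which existing resources in the PHI scope would be blocked before deny is switched on.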
Important caveats
- Only HIPAA-eligible Online Services are covered; preview and non-eligible services are out of scope for PHI.
- Default inclusion of the BAA does not make the environment compliant — configuration and safeguards are your responsibility.
- Compliance is a shared responsibility, and HHS does not certify any product or service as HIPAA compliant.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Microsoft Azure correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Microsoft Azure.
Frequently asked questions
Does Microsoft Azure sign a BAA?
Yes. The BAA is included by default in the Microsoft Products and Services Data Protection Addendum (DPA) for eligible customers, so no separate signature is required. PHI is limited to Microsoft-designated HIPAA-eligible Online Services. A signed BAA is required before any PHI is involved.
Is Microsoft Azure HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Microsoft Azure offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Microsoft Azure with PHI?
Only HIPAA-eligible Online Services are covered; preview and non-eligible services are out of scope for PHI.