HIPAA & BAA · Forms
Is Microsoft Forms HIPAA compliant?
Conditionally. Microsoft Forms has no separate BAA; it is covered as an in-scope service under the Microsoft 365 BAA (offered through the Data Protection Addendum, DPA) for eligible commercial customers.
Key facts
- BAA available: Conditionally, on specific plans
- What it takes: Eligible Microsoft 365 commercial plan; BAA via the Microsoft Online Services Data Protection Addendum (Forms is an in-scope service)
- Official source: Microsoft Learn, HIPAA & HITECH Act compliance offering (https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech, verified 2026-06)
How to use Microsoft Forms in a HIPAA-compliant way
- Subscribe to an eligible Microsoft 365 commercial (Business/Enterprise) plan.
- Rely on the Microsoft BAA included by default via the Online Services Data Protection Addendum for HIPAA covered entities/business associates.
- Confirm Microsoft Forms is in the HIPAA in-scope services list.
- Configure access controls, audit logging, retention policies, and MFA in the Microsoft 365 admin and compliance centers.
- Restrict form creation and PHI access to authorized staff.
Important caveats
- No standalone Microsoft Forms BAA exists; coverage is only within the M365 BAA/DPA.
- Free/consumer Microsoft accounts are not covered.
- BAA coverage does not make Forms compliant by itself; configuration is your responsibility.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not of a tool. Even with a signed BAA, you remain responsible for configuring Microsoft Forms correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm the current terms with Microsoft.
Frequently asked questions
Does Microsoft Forms sign a BAA?
On specific plans. You need an eligible Microsoft 365 commercial plan; the BAA is provided via the Microsoft Online Services Data Protection Addendum, and Forms is an in-scope service. A signed BAA is required before any PHI is involved.
Is Microsoft Forms HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even though Microsoft Forms is covered by a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Microsoft Forms with PHI?
Confirm that your subscription is an eligible Microsoft 365 commercial plan and that Microsoft Forms appears on the HIPAA in-scope services list. No standalone Microsoft Forms BAA exists; coverage is only within the Microsoft 365 BAA/DPA, and free or consumer Microsoft accounts are not covered.