Is Microsoft Copilot HIPAA Compliant?
TLDR
It depends on which Copilot product you mean. Microsoft Copilot for Microsoft 365 (the enterprise add-on) can be HIPAA compliant when used within a Microsoft 365 tenant that has a Microsoft BAA in place. The free Copilot at copilot.microsoft.com and Copilot in Windows are not covered by any BAA and are not HIPAA compliant.
Short Answer
“Microsoft Copilot” refers to two different products with different compliance statuses. Microsoft Copilot for Microsoft 365 — the enterprise paid add-on — can be HIPAA compliant within a properly configured M365 tenant. The free consumer Copilot at copilot.microsoft.com is not covered by a BAA and is not compliant. The distinction matters because many staff use both without realizing they are different products.
The Two Products
Microsoft Copilot for Microsoft 365 is an enterprise AI add-on that integrates with Teams, Outlook, Word, Excel, and other M365 applications. It requires a qualifying M365 base plan (E3, E5, Business Standard, or Business Premium) plus the Copilot add-on license (~$30/user/month). Prompts and responses are processed within the organization’s M365 tenant — not sent to Microsoft’s consumer AI infrastructure.
Copilot.microsoft.com / Copilot in Windows is the free consumer product. It is available at no cost, requires only a Microsoft account (personal or work), and is not covered by the Microsoft Online Services DPA. It routes prompts through Microsoft’s consumer infrastructure.
How the BAA Works for M365 Copilot
Microsoft’s HIPAA BAA is embedded in the Microsoft Online Services Data Protection Addendum (DPA). When an organization subscribes to covered Microsoft Online Services — which include Microsoft 365 on qualifying plans — the DPA applies automatically upon enrollment. There is no separate document to sign; your Microsoft 365 admin or licensing partner can confirm the DPA is in effect.
For Copilot for Microsoft 365 specifically, the DPA covers the service because prompts are processed within the M365 tenant boundary. Microsoft commits to the same data handling, breach notification, and security obligations that apply to the rest of the covered M365 services.
The Staff Behavior Gap
The compliance risk is not usually in IT configuration — it is in staff behavior. A clinic may have a properly licensed and configured M365 Copilot environment, but individual staff members may also have the free Copilot bookmarked in their browser or pinned in Windows. When someone uses the free Copilot to summarize a patient note or draft a referral letter, that prompt exits the enterprise boundary and the BAA does not apply.
Closing this gap requires active policy enforcement: clear written guidance that staff may not use consumer AI tools for any PHI-adjacent task, and regular reminders during training. Technology controls alone — such as blocking copilot.microsoft.com at the network level — can help but are not a complete solution.
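One way to see whether the staff behavior gap described above is actually occurring is to review web proxy logs for requests to the consumer Copilot hostname and follow up with the users involved. The script below is an added example, not code from the original article, Microsoft, or PHIGuard; it assumes a constructed proxy log format of `<timestamp> <user> <host> <status>` and uses copilot.microsoft.com, the only consumer hostname the article names, as the indicator.

```python
# Flag consumer-Copilot traffic in web proxy logs. Added example; not code from
# the original article, Microsoft or PHIGuard. Assumes a constructed log format
# '<timestamp> <user> <host> <status>'; adapt parse_line to the real layout.
from collections import Counter

# Hostname the article names as the free consumer product (no BAA coverage).
CONSUMER_COPILOT_HOSTS = ("copilot.microsoft.com",)


def is_consumer_copilot(host: str) -> bool:
    """True if host is a consumer Copilot hostname or a subdomain of one.

    Matching on label boundaries avoids look-alikes such as
    'copilot.microsoft.com.example.net' or 'notcopilot.microsoft.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in CONSUMER_COPILOT_HOSTS)


def parse_line(line: str):
    """Split one constructed log line into (user, host); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, user, host, _status = parts
    return user, host


def consumer_copilot_users(log_lines) -> dict:
    """Return {user: request_count} for users who reached consumer Copilot."""
    hits = Counter()
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines instead of aborting the review
        user, host = parsed
        if is_consumer_copilot(host):
            hits[user] += 1
    return dict(hits)


# Constructed sample: two staff reach the consumer site, one uses M365 apps only.
SAMPLE_LOG = [
    "2024-05-01T09:02:11Z jdoe copilot.microsoft.com 200",
    "2024-05-01T09:05:43Z jdoe outlook.office.com 200",
    "2024-05-01T09:07:02Z asmith www.copilot.microsoft.com 200",
    "2024-05-01T09:08:15Z blee teams.microsoft.com 200",
    "2024-05-01T09:09:30Z jdoe copilot.microsoft.com 200",
    "malformed line",
]
```

Running `consumer_copilot_users(SAMPLE_LOG)` on the sample yields `{"jdoe": 2, "asmith": 1}`, the list of staff to cover in the next training reminder.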
Limitations of Enterprise Copilot
A compliant Copilot deployment handles AI-assisted drafting and summarization within the M365 environment. It does not:
- Replace a dedicated HIPAA compliance management tool
- Provide task management with audit trails for PHI-adjacent workflows
- Enforce minimum-necessary access on the content it generates
- Log which PHI was referenced in which prompt for audit purposes
Compliance AI and compliance management are different things.
Who Should Use Copilot for Microsoft 365
Clinics already running Microsoft 365 at a qualifying plan tier, where IT has confirmed the DPA is in effect and the Copilot add-on is licensed, can use the tool for drafting, summarization, and productivity tasks within the M365 apps — provided staff training is in place.
Who Should Look Elsewhere
Clinics not already on qualifying M365 plans face a significant licensing cost to reach compliant Copilot use: an M365 Business Standard seat ($12.50/user/month) plus the Copilot add-on ($30/user/month) adds up to roughly $425/month for a 10-person clinic before any other software. For compliance-focused task management at a small clinic, PHIGuard ($20/month for up to 10 staff, $49/month for up to 25 staff, BAA included) is purpose-built for that problem at a fraction of the cost.
Definitions
- Microsoft Online Services Data Protection Addendum (DPA): Microsoft's contractual commitment that functions as a HIPAA Business Associate Agreement for covered Microsoft Online Services, including Microsoft 365. It outlines Microsoft's obligations for handling customer data, breach notification, and security controls.
- Microsoft Copilot for Microsoft 365: An enterprise AI add-on license for Microsoft 365 that integrates AI capabilities into Teams, Outlook, Word, Excel, and other M365 apps. It processes prompts within the organization's M365 tenant — distinct from the free consumer Copilot products.
Q&A
Is Microsoft Copilot HIPAA compliant?
Microsoft Copilot for Microsoft 365, when deployed within an M365 enterprise tenant covered by a Microsoft DPA (BAA), can be used in a HIPAA-compliant manner. The free consumer Copilot products — copilot.microsoft.com and Copilot in Windows — are not covered by any BAA and cannot be used to process PHI.
What separates compliant from non-compliant Copilot use?
The key distinction is whether prompts are processed within the organization's Microsoft 365 tenant boundary under the Microsoft DPA. Enterprise Copilot for M365 keeps data in the tenant. Consumer Copilot routes prompts through Microsoft's consumer infrastructure, outside any enterprise BAA coverage.
Can a small clinic afford compliant Microsoft Copilot use?
The cost stacks up quickly: a qualifying M365 plan (Business Standard at ~$12.50/user/month) plus the Copilot add-on (~$30/user/month) puts a 10-person clinic at roughly $425/month before any other software costs. Many small clinics find purpose-built HIPAA-compliant platforms more cost-effective than building compliance on top of enterprise Microsoft licensing.