Microsoft 365
Is Microsoft 365 HIPAA Compliant?
What medical clinics must know about Microsoft 365 HIPAA compliance — including how to execute the BAA through the Microsoft Products and Services Agreement, which features must be configured, and why the BAA alone is not sufficient.
Short answer
Microsoft 365 can be HIPAA compliant, but it is not compliant out of the box. Microsoft offers a Business Associate Agreement for M365 commercial plans through the Microsoft Products and Services Agreement (MPSA), and many M365 services are covered under it. Clinics must execute this BAA through the M365 admin portal, then configure a set of security and compliance features (audit logging, data loss prevention policies, retention policies, and multi-factor authentication) before using M365 for any PHI-bearing workflows. A signed BAA with unconfigured defaults is not a compliant environment.
How to execute the Microsoft 365 BAA
Microsoft provides the BAA through the Microsoft Products and Services Agreement (MPSA). For most small clinic customers, the process runs through the Microsoft 365 admin center:
- Sign in to the Microsoft 365 admin center (admin.microsoft.com).
- Navigate to Settings > Org settings > Security & privacy.
- Locate the Business Associate Agreement section and review and accept the terms.
- Retain documentation of when the BAA was accepted.
Some larger organizations or those purchasing through Microsoft volume licensing channels may execute the BAA through a direct MPSA agreement. Confirm the process with your Microsoft account representative or reseller if you are not on a standard commercial plan.
The BAA must be executed before any PHI enters M365 workflows. It is not retroactive.
What must be configured after the BAA
Executing the BAA changes Microsoft’s contractual obligations. It does not configure your M365 environment for HIPAA compliance. After the BAA is in place, clinics must address each of these:
Audit logging: Enable audit logging in the Microsoft Purview compliance portal. Audit logs record user activity across M365 services and are required for HIPAA Security Rule compliance. Audit logs must be retained for a minimum period (HHS guidance suggests six years for HIPAA records generally; confirm with your compliance program’s retention policy).
Multi-factor authentication (MFA): MFA must be required for all accounts that access PHI-bearing systems. Enable it through Microsoft Entra ID (formerly Azure AD); Conditional Access policies can enforce the MFA requirement on every sign-in rather than relying on per-user settings.
Data Loss Prevention (DLP) policies: Configure DLP policies in Microsoft Purview to detect and block sharing of PHI-type content — Social Security numbers, medical record numbers, and other sensitive data patterns. M365 includes built-in sensitive information types that cover many HIPAA-relevant data categories.
Retention policies: Implement retention policies appropriate for healthcare records. PHI must be retained for required periods and then securely deleted — not simply abandoned in archived mailboxes or old SharePoint sites.
External sharing restrictions: Review and restrict external sharing in SharePoint and OneDrive. By default, some M365 configurations allow files to be shared publicly via link. PHI must not be accessible via open sharing links or to unauthenticated users.
Email encryption: Enable Office 365 Message Encryption (OME) or an equivalent control for emails containing PHI sent outside the organization. Plain email is not an appropriate channel for PHI without encryption controls.
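The six controls above are the settings an administrator has to verify repeatedly, not once. The script below is an added example (not PHIGuard's or Microsoft's code) that reads each control's current state and reports pass/fail without changing anything. It assumes the ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph PowerShell modules are installed, that the account used has read access to Exchange Online, Purview, SharePoint Online and Entra ID, and that the SharePoint admin URL (`contoso-admin.sharepoint.com` is a placeholder) and the 2190-day (six-year) retention threshold, taken from the HHS guidance cited above, are adjusted to your own tenant and retention policy.

```powershell
# Added example, not from the original page: read-only HIPAA posture check
# for a Microsoft 365 tenant. Nothing below modifies a setting.
param(
    # Placeholder admin URL; replace with your tenant's -admin.sharepoint.com URL.
    [string]$SharePointAdminUrl = 'https://contoso-admin.sharepoint.com',
    # Assumed minimum retention: six years in days, per the HHS guidance above.
    [int]$MinRetentionDays = 2190
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Control, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

Connect-ExchangeOnline -ShowBanner:$false      # Exchange Online (audit config, mail flow rules)
Connect-IPPSSession                            # Security & Compliance (DLP, retention)
Connect-SPOService -Url $SharePointAdminUrl    # SharePoint Online tenant settings
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome   # Entra Conditional Access

# 1. Audit logging: unified audit log ingestion must be switched on.
$audit = Get-AdminAuditLogConfig
Add-Result 'Audit logging' ([bool]$audit.UnifiedAuditLogIngestionEnabled) `
    "UnifiedAuditLogIngestionEnabled = $($audit.UnifiedAuditLogIngestionEnabled)"

# 2. MFA: at least one enabled Conditional Access policy that requires MFA for all users.
$caMfa = @(Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
})
Add-Result 'MFA enforced' ($caMfa.Count -gt 0) `
    "Matching Conditional Access policies: $($caMfa.DisplayName -join ', ')"

# 3. DLP: an enforced (not test-mode) policy covering Exchange, SharePoint and OneDrive.
$dlp = @(Get-DlpCompliancePolicy | Where-Object { $_.Enabled -and $_.Mode -eq 'Enable' })
$dlpAll = @($dlp | Where-Object {
    $_.ExchangeLocation -and $_.SharePointLocation -and $_.OneDriveLocation
})
Add-Result 'DLP policies' ($dlpAll.Count -gt 0) `
    "Enforced DLP policies: $($dlp.Count); covering all three workloads: $($dlpAll.Count)"

# 4. Retention: at least one retention rule keeps content for the required period.
#    RetentionDuration is a day count or 'Unlimited'; -as [int] yields $null for the latter.
$longEnough = @(Get-RetentionComplianceRule | Where-Object {
    $_.RetentionDuration -eq 'Unlimited' -or
    (($_.RetentionDuration -as [int]) -ge $MinRetentionDays)
})
Add-Result 'Retention policies' ($longEnough.Count -gt 0) `
    "Retention rules keeping content >= $MinRetentionDays days: $($longEnough.Count)"

# 5. External sharing: anonymous "anyone" links must not be permitted tenant-wide.
$spo = Get-SPOTenant
$anonOff = ($spo.SharingCapability -ne 'ExternalUserAndGuestSharing') -and
           ($spo.DefaultSharingLinkType -ne 'AnonymousAccess')
Add-Result 'External sharing' $anonOff `
    "SharingCapability = $($spo.SharingCapability); DefaultSharingLinkType = $($spo.DefaultSharingLinkType)"

# 6. Email encryption: an enabled mail flow rule that applies OME / rights protection.
$encRules = @(Get-TransportRule | Where-Object {
    $_.State -eq 'Enabled' -and ($_.ApplyRightsProtectionTemplate -or $_.ApplyOme)
})
Add-Result 'Email encryption' ($encRules.Count -gt 0) `
    "Encryption mail flow rules: $($encRules.Name -join ', ')"

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled run flag drift in the configuration.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it from a scheduled task or a monthly compliance review and keep the output with the BAA acceptance record; a failing row is the signal that a control has drifted since the environment was last reviewed. The checks are deliberately coarse (they confirm that a control exists and is enforced, not that every policy scope is correct), so a pass is the starting point for the detailed review, not a substitute for it.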
Which M365 services are covered under the BAA
Under a properly executed BAA, these M365 services can be used for PHI workflows when configured appropriately:
- Exchange Online (email)
- Microsoft Teams (messaging, meetings)
- SharePoint Online (document storage)
- OneDrive for Business (file sync and storage)
- Microsoft Purview (compliance tools, including DLP and audit)
Services that fall outside M365’s core productivity suite — particularly third-party apps added through the Teams app store or external integrations — are not automatically covered by the M365 BAA. Each additional tool requires its own evaluation.
What the BAA does not do
Clinics that execute the M365 BAA and then treat their compliance obligation as fulfilled are exposed. The BAA covers Microsoft’s obligations. The clinic’s obligations under the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule remain entirely the clinic’s responsibility:
- Conducting and documenting a risk assessment
- Creating and maintaining written HIPAA policies
- Training workforce members and documenting that training
- Implementing physical safeguards (workstation security, device policies)
- Maintaining an incident response and breach notification plan
None of these are addressed by the M365 BAA. Many clinics use M365 as their primary productivity environment and assume that the vendor relationship covers their compliance program. It does not.
Compliance operations alongside M365
Managing the M365 compliance configuration — keeping DLP policies current, reviewing audit logs, enforcing MFA across new accounts — is ongoing administrative work. That technical configuration layer is separate from the operational compliance program work: risk assessments, training documentation, incident tracking, and policy management.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- HIPAA/HITECH Act | Microsoft Trust Center
- HIPAA Overview | Microsoft Learn
- Business Associates | HHS