

Is Outlook HIPAA Compliant for Medical Clinics?

What small clinics need to know about Outlook's HIPAA BAA availability under Microsoft 365, required admin configuration, and the risks that persist even after signing.

Short answer

Outlook is covered under Microsoft's HIPAA BAA when the clinic uses a qualifying Microsoft 365 plan and has executed the agreement through Microsoft's online services terms. Microsoft includes a BAA as part of its Online Services Terms at no additional cost for covered plans, but the clinic must apply specific admin controls in the Microsoft 365 Admin Center and understand which services are in and out of scope.

Outlook, operating through Microsoft Exchange Online as part of a qualifying Microsoft 365 plan, is covered under Microsoft’s HIPAA BAA terms. The BAA is accepted through Microsoft’s Online Services Terms rather than a separate agreement. Consumer Outlook.com and Hotmail accounts have no coverage and must never carry PHI. Even with enterprise coverage, the clinic must configure admin controls and treat email as a risk channel.

BAA availability

Microsoft handles its HIPAA BAA through the Online Services Data Protection Addendum (DPA), which is incorporated into the Microsoft Customer Agreement when a qualifying Microsoft 365 subscription is purchased. The clinic does not need to negotiate a custom BAA — it is accepted through the standard terms process. Qualifying plans include Microsoft 365 Business Basic, Business Standard, Business Premium, and Enterprise (E1, E3, E5) subscriptions. Consumer Microsoft accounts (Outlook.com, Hotmail, live.com) are never covered.

  • The clinic’s admin should review the DPA and the covered services list to confirm which Microsoft 365 products are in scope.
  • Not every Microsoft product is covered. The DPA specifies which “Online Services” fall under BAA terms.
  • The admin must be aware of which Microsoft 365 features are in use and confirm each against the covered services list.

Exchange Online (the back-end service for Outlook) is covered under Microsoft’s standard enterprise terms for qualifying plans. The Microsoft Purview compliance features — including audit log retention, data loss prevention, and message encryption — must be configured by the admin; they are not active by default.

Required admin configuration

Microsoft’s HIPAA compliance documentation identifies several steps the admin must take:

  • Enable audit logging. In the Microsoft 365 Compliance Center, enable unified audit logging. This captures user and admin activity and is required for HIPAA access log obligations.
  • Configure message encryption. Microsoft Purview Message Encryption (OME) allows the clinic to require encryption on emails that may contain PHI. This is not on by default.
  • Enable data loss prevention (DLP) policies. DLP policies in Microsoft Purview can detect PHI patterns in email and apply protective actions (block, warn, encrypt) before messages leave the organization.
  • Set retention policies. Define how long email is retained and when it is destroyed, consistent with the clinic’s HIPAA retention policy.
  • Enforce multi-factor authentication. All accounts with access to PHI-containing mailboxes must require MFA.
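The five steps above are usually performed by hand in the Purview and Entra portals; the script below is an added example (not PHIGuard's or Microsoft's code) showing the same baseline applied from PowerShell so that it can be reviewed, repeated and documented. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the caller holds the Exchange, Compliance and Conditional Access admin roles. The tenant domain, the break-glass account, the policy names, the "[PHI]" subject keyword and the 2190-day retention period are placeholders chosen for this example; the sensitive-information type and template names are Microsoft built-ins. Conditional Access requires Microsoft Entra ID P1 (included in Business Premium and the Enterprise plans); a tenant without it should use Security Defaults for MFA instead.

```powershell
# Added example: baseline Microsoft 365 hardening for a clinic tenant, one block per
# admin step listed above. Not PHIGuard's or Microsoft's code. Placeholder values are
# marked as such; run in a test tenant first. The DLP policy starts in test mode.

$ClinicDomain  = "clinic.example"            # placeholder tenant domain
$BreakGlassUpn = "breakglass@$ClinicDomain"  # placeholder emergency-access account

# --- 1. Audit logging: make sure unified audit log ingestion is switched on ----------
Connect-ExchangeOnline
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# --- 2. Message encryption: Purview Message Encryption needs Azure RMS enabled --------
if (-not (Get-IRMConfiguration).AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
# Mail flow rule: a sender who tags an outbound message with "[PHI]" (placeholder
# keyword) gets it encrypted. "Encrypt" is the built-in OME template (Get-RMSTemplate).
New-TransportRule -Name "Encrypt outbound PHI (keyword)" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "[PHI]" `
    -ApplyRightsProtectionTemplate "Encrypt"

# --- 3. DLP: detect a PHI-bearing identifier leaving the org, encrypt and notify -----
# Uses the built-in U.S. SSN sensitive-information type as the example pattern; add the
# clinic's own identifiers (MRN formats, insurer IDs) as custom types when known.
Connect-IPPSSession
New-DlpCompliancePolicy -Name "Clinic PHI DLP" -ExchangeLocation All `
    -Mode TestWithNotifications   # switch to Enable once false positives are reviewed
New-DlpComplianceRule -Name "Clinic PHI outbound SSN" -Policy "Clinic PHI DLP" `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -EncryptRMSTemplate "Encrypt" `
    -NotifyUser "LastModifier" `
    -GenerateIncidentReport "SiteAdmin" `
    -IncidentReportContent "Detections", "Sender", "Recipients"

# --- 4. Retention: keep mailbox items for the clinic's documented period, then delete -
# 2190 days (six years) is a placeholder; set it to the clinic's own retention policy.
New-RetentionCompliancePolicy -Name "Clinic mail retention" -ExchangeLocation All
New-RetentionComplianceRule -Name "Clinic mail retention rule" -Policy "Clinic mail retention" `
    -RetentionDuration 2190 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# --- 5. MFA: Conditional Access policy requiring MFA for every user -------------------
# Created in report-only mode first; flip state to "enabled" after checking sign-in logs.
# The break-glass account is excluded so an MFA outage cannot lock admins out.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"
$breakGlassId = (Get-MgUser -UserId $BreakGlassUpn).Id
$caPolicy = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# --- Verification: audit entries should now be searchable and the DLP rule visible ----
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5
Get-DlpComplianceRule -Policy "Clinic PHI DLP" | Select-Object Name, Mode, Disabled
```

Run the script one section at a time rather than end to end: the audit log can take hours to populate after it is first enabled, the DLP policy should stay in test mode until the incident reports show an acceptable false-positive rate, and the Conditional Access policy should stay report-only until the sign-in logs confirm every staff account has registered an MFA method.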

What is not covered by Microsoft’s BAA

Microsoft’s BAA does not cover:

  • Consumer Microsoft accounts (Outlook.com, Hotmail, live.com)
  • Microsoft Teams personal accounts
  • Third-party Outlook add-ins that access mailbox data unless those vendors have their own BAAs with the clinic
  • Microsoft Copilot for Microsoft 365 (AI features) — check current DPA coverage status before enabling

What to keep out of Outlook even with a BAA

A signed BAA does not eliminate the inherent risks of email as a PHI channel:

  • Do not include PHI in email subject lines; subjects appear in notification previews and are often less protected than the message body
  • Do not send unencrypted attachments containing patient records to recipients outside the organization
  • Do not use shared or alias mailboxes for PHI-adjacent work without audit logging configured
  • Do not use personal @outlook.com or @hotmail.com accounts for any patient-related communication

When Outlook is not enough

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask before using this software with PHI

Do I need to sign a separate BAA with Microsoft for Outlook?

Microsoft incorporates BAA language into its Online Services Terms (now the Data Protection Addendum). When a clinic signs up for a qualifying Microsoft 365 plan, it accepts these terms. Review the current DPA at aka.ms/DPA to confirm the covered services list.

Does Microsoft 365 Business Basic qualify for HIPAA BAA coverage?

Microsoft's BAA coverage applies to covered services across Microsoft 365 plans. Verify the current covered services list in Microsoft's documentation, as coverage varies by product and plan. Not all Microsoft 365 applications are covered under the same terms.

Can staff use their personal Outlook.com accounts for patient-related email?

No. Consumer Outlook.com and Hotmail accounts are not covered by Microsoft's enterprise BAA. Any PHI sent from or to a personal Microsoft consumer account has no contractual protection.

Does Microsoft Purview help with HIPAA compliance in Outlook?

Microsoft Purview (formerly Compliance Center) includes tools for audit logging, data loss prevention, and message encryption that support HIPAA compliance. These must be configured by the admin — they are not active by default.

Operational assurance

Turn vendor research into a system your clinic can actually run.

PHIGuard gives small clinics a BAA-ready operating layer, recurring compliance work, and a safer home for patient-adjacent tasks.

  • BAA included: legal baseline available on every plan.
  • Audit history: compliance actions stay reviewable later.
  • No card upfront: start evaluation before billing setup.

No credit card required. Add billing details later if you want service to continue after the trial.