
Is Microsoft Power Automate HIPAA Compliant?

What clinics need to know about Power Automate's HIPAA BAA coverage, which connectors are HIPAA-eligible, and how to safely automate clinical workflows without creating PHI exposure.

Short answer

Power Automate is HIPAA-eligible: Microsoft covers it under the Online Services Terms BAA, the same agreement that covers qualifying Azure and Microsoft 365 services. The compliance question does not end there. A Power Automate flow is a chain of connected services, and the flow is only as HIPAA-compliant as the weakest connector in the chain. Connectors to non-covered third-party services — even if those services are otherwise useful — must not process PHI. Clinics using Power Automate for clinical automation must audit every connector in every flow that touches patient data before the automation goes live.

BAA availability

Microsoft includes Power Automate in the scope of its Online Services Terms (OST) BAA. This is the same agreement that covers qualifying Azure services and Microsoft 365 products. If your clinic has a qualifying Microsoft agreement that incorporates the OST, Power Automate should be covered.

Confirm this with your Microsoft account representative or through the Microsoft Product Terms documentation. The specific products covered under the OST are enumerated in Microsoft’s compliance documentation, and the list can change as products are added or restructured.

Power Automate is part of the Microsoft Power Platform, which also includes Power Apps, Power BI, and Dataverse. Coverage for each product should be verified individually.

The connector problem

This is the central HIPAA compliance challenge with Power Automate: the platform is covered, but the connectors may not be.

Power Automate works by connecting to external services through connectors. When a flow handles PHI, every service that receives, processes, or stores that data becomes a downstream processor. If that downstream service is not covered by a BAA with the clinic, PHI is being sent to an uncovered third party.

First-party Microsoft connectors — SharePoint, Exchange Online, Outlook, Teams, Dataverse, and other Microsoft 365 and Azure services — are generally covered under the same OST BAA that covers Power Automate. Verify each one against the covered services list.

Third-party connectors — Salesforce, Slack, Dropbox, DocuSign, Google services, and the hundreds of other services available in the Power Automate connector library — are NOT covered by Microsoft’s BAA. Each is a separate vendor relationship requiring its own BAA assessment.

Premium and custom connectors — connectors marked as premium in Power Automate often connect to specialized external services. These carry the same third-party BAA requirement.

How to audit PHI flows

Clinical operations teams using Power Automate for any automation that touches patient data need a documented connector audit:

  1. Inventory all flows. Identify every active flow in your Power Automate environment.
  2. Flag PHI flows. Determine which flows receive, send, or transform any data that includes patient identifiers, health conditions, appointment information, or other PHI fields.
  3. List every connector in each PHI flow. For every trigger, action, and condition in a PHI flow, identify the external service it connects to.
  4. Assess BAA status for each connector’s service. For each external service: is there a signed BAA between the clinic and that vendor? Is the service HIPAA-eligible at all?
  5. Remediate non-covered connectors. For any connector connecting to a non-BAA-covered service, either obtain the BAA, reconfigure the flow to avoid sending PHI to that service, or retire the flow.

Document this audit. It is part of the risk assessment documentation HIPAA requires.
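The five steps above can be run as a repeatable script rather than a spreadsheet exercise. The Python below is an added example, not PHIGuard's or Microsoft's code: it walks steps 1 to 5 over a constructed flow inventory (flow name, the connectors it uses, the field names its triggers and actions reference) and a constructed BAA registry, then partitions connectors the way a Power Platform DLP policy separates "business" from "non-business" connectors. The flows, field names, the PHI marker list, and which vendors have a signed BAA are all assumptions for illustration; the connector names are the ones this page already mentions.

```python
"""Connector audit for Power Automate flows that handle PHI.

Added example (not PHIGuard's or Microsoft's code). The inventory and the
BAA registry below are constructed sample data; a real audit would build
them from the Power Platform admin center export and the clinic's signed
vendor agreements.
"""
from dataclasses import dataclass

# Step 2 marker list: a field name containing any of these is treated as PHI.
# Constructed and deliberately broad: an audit should over-flag, not under-flag.
PHI_FIELD_MARKERS = {"patient", "mrn", "dob", "diagnosis", "appointment",
                     "insurance", "member_id", "referral"}

NOT_COVERED = "NOT-COVERED"
REMEDIATION = "obtain a BAA, reconfigure the flow so no PHI reaches this service, or retire the flow"


@dataclass
class Flow:
    name: str
    connectors: list[str]   # services the flow's triggers/actions connect to
    fields: list[str]       # field names referenced by those triggers/actions


@dataclass
class BaaRegistry:
    ost_covered: set[str]        # first-party connectors under the Microsoft OST BAA
    vendor_baa_signed: set[str]  # third-party connectors whose vendor signed a BAA


def is_phi_flow(flow: Flow) -> bool:
    """Step 2: flag a flow as PHI-handling if any referenced field matches a marker."""
    return any(marker in f.lower() for f in flow.fields for marker in PHI_FIELD_MARKERS)


def connector_status(connector: str, registry: BaaRegistry) -> str:
    """Step 4: classify one connector's service by its BAA coverage."""
    if connector in registry.ost_covered:
        return "covered-ost"
    if connector in registry.vendor_baa_signed:
        return "covered-vendor-baa"
    return NOT_COVERED


def audit(flows: list[Flow], registry: BaaRegistry) -> list[dict]:
    """Steps 1-5: one finding per (PHI flow, connector); non-PHI flows are skipped."""
    findings = []
    for flow in flows:                       # step 1: inventory
        if not is_phi_flow(flow):            # step 2: flag PHI flows
            continue
        for connector in flow.connectors:    # step 3: list every connector
            status = connector_status(connector, registry)
            findings.append({
                "flow": flow.name,
                "connector": connector,
                "status": status,
                "action": REMEDIATION if status == NOT_COVERED else "none",  # step 5
            })
    return findings


def flows_needing_remediation(findings: list[dict]) -> list[str]:
    """Distinct PHI flows that send data to at least one uncovered service."""
    return sorted({f["flow"] for f in findings if f["status"] == NOT_COVERED})


def all_connectors(flows: list[Flow]) -> set[str]:
    return {c for flow in flows for c in flow.connectors}


def dlp_groups(registry: BaaRegistry, connectors: set[str]) -> dict[str, list[str]]:
    """Partition connectors as a DLP policy would: BAA-covered services form the
    'business' group that may exchange data; everything else is 'non_business'."""
    business = sorted(c for c in connectors if connector_status(c, registry) != NOT_COVERED)
    return {"business": business, "non_business": sorted(connectors - set(business))}


# Constructed sample inventory: connector names are the ones the page mentions.
SAMPLE_FLOWS = [
    Flow("Appointment reminder", ["Dataverse", "Outlook"], ["patient_name", "appointment_time", "email"]),
    Flow("Referral to Slack channel", ["Dataverse", "Slack"], ["patient_mrn", "referral_reason"]),
    Flow("Office supply reorder", ["SharePoint", "Teams"], ["item", "quantity"]),
]

# Constructed registry: assumes the clinic signed a BAA with DocuSign and no other third party.
SAMPLE_REGISTRY = BaaRegistry(
    ost_covered={"Dataverse", "Outlook", "SharePoint", "Teams", "Exchange Online"},
    vendor_baa_signed={"DocuSign"},
)

if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS, SAMPLE_REGISTRY)
    for r in results:
        print(f"{r['flow']:<28} {r['connector']:<12} {r['status']:<20} {r['action']}")
    print("Remediate:", flows_needing_remediation(results))
    print("DLP groups:", dlp_groups(SAMPLE_REGISTRY, all_connectors(SAMPLE_FLOWS)))
```

The findings list is the audit record the text asks you to keep: each row names the flow, the connector, its coverage basis, and the required action, so it can be attached to the risk assessment as-is. The DLP partition is the preventive counterpart: once the covered set is known, the same classification can be applied as a Data Loss Prevention policy so that an uncovered connector cannot be added to a PHI flow in the first place.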

Access controls on flows

Power Automate’s collaboration features can create unintended access risks. By default, flows can be shared with colleagues, and shared flows include access to the connection credentials embedded in them. In a clinical context:

  • Restrict shared ownership of PHI flows to authorized staff only
  • Use service accounts with scoped credentials for flows that access PHI-containing systems
  • Review the Power Platform admin center for any flows that have been shared outside intended teams
  • Apply Data Loss Prevention (DLP) policies in the Power Platform admin center to restrict which connectors can be used in the clinical environment

Automation use cases clinics should evaluate carefully

Appointment confirmation and recall. Flows that pull patient appointment data from an EHR and send confirmation messages via email or SMS involve PHI. Every system in that chain must be covered.

Insurance verification. Flows that query payer systems with patient identifiers and write results back to a scheduling system handle PHI at every step. Assess each connector.

Clinical task assignment. Flows that create tasks based on clinical triggers — a new lab result, a pending referral — and route them to staff may carry PHI in the trigger payload.

Document routing. Flows that move patient documents between systems (form submissions, clinical records, consent forms) carry PHI in the document itself.

For each of these use cases, the automation logic itself may be sound. The compliance question is whether every external system involved has a BAA in place.

What PHIGuard handles alongside Power Automate

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask before using this software with PHI

Does the Microsoft 365 BAA cover Power Automate?

Power Automate is covered under the Microsoft Online Services Terms BAA, which is accepted through your Microsoft agreement. If your clinic has a qualifying Microsoft 365 or Azure enterprise agreement that incorporates the OST, Power Automate should fall within its scope. Confirm with your Microsoft account representative which products are explicitly named in your agreement.

What happens if a flow uses a non-covered connector to send PHI?

If a Power Automate flow sends PHI to a service that is not covered by a signed BAA, that is an unprotected disclosure of PHI — a potential HIPAA breach. The Microsoft BAA covers the Power Automate platform, not the third-party systems it connects to. Each external service in a flow is a separate BAA question.

Can we use the Salesforce connector for a PHI flow in Power Automate?

Only if you have a signed BAA with Salesforce and your Salesforce configuration is HIPAA-eligible. The fact that Power Automate is BAA-covered does not extend coverage to Salesforce or any other third-party connector. Both ends of the connection need BAA coverage.

Are Power Apps and Power BI covered under the same BAA as Power Automate?

Microsoft Power Platform products (Power Apps, Power Automate, Power BI, Dataverse) are generally covered under the Online Services Terms, but confirm the specific coverage with your Microsoft agreement. Do not assume all Power Platform products are uniformly covered.

Operational assurance

Turn vendor research into a system your clinic can actually run.

PHIGuard gives small clinics a BAA-ready operating layer, recurring compliance work, and a safer home for patient-adjacent tasks.

  • BAA included: legal baseline available on every plan.
  • Audit history: compliance actions stay reviewable later.
  • No card upfront: start evaluation before billing setup.

No credit card required. Add billing details later if you want service to continue after the trial.