Is Microsoft Teams HIPAA Compliant for Medical Clinics?
What small clinics need to know about Teams' HIPAA BAA coverage, required admin configuration, guest access risks, and whether Teams for Healthcare is a distinct offering.
Short answer
Microsoft Teams is covered under Microsoft's HIPAA BAA for qualifying Microsoft 365 plans. The BAA is accepted through Microsoft's Online Services Data Protection Addendum rather than as a separate agreement. Teams personal accounts and the free version of Teams are not covered. BAA coverage alone is not enough: the clinic must configure Teams-specific admin controls (guest access policies, chat retention, and meeting recording settings) before Teams is used for PHI-adjacent communication. Microsoft also offers Teams for Healthcare, which adds virtual appointment and care coordination features.
BAA coverage
Teams coverage flows from Microsoft’s Data Protection Addendum, which is incorporated into qualifying Microsoft 365 subscriptions. Teams is listed alongside Exchange Online, SharePoint Online, and OneDrive as covered services. To confirm coverage:
- Review the current Microsoft Online Services Data Protection Addendum (available at aka.ms/DPA).
- Verify that the clinic’s specific Microsoft 365 plan includes Teams as a covered online service.
- Confirm that the admin has accepted the current version of the DPA through the Microsoft 365 Admin Center.
Teams for Healthcare
Microsoft offers Teams for Healthcare as a feature set within Microsoft 365 for enterprise and eligible healthcare-focused plans. It includes:
- Virtual appointments with queue management and wait room functionality
- Care plan templates and care coordination features within Teams channels
- Integration with Electronic Health Records (EHR) systems from select vendors
Teams for Healthcare does not change the HIPAA BAA status (it is still covered under the same DPA), but it adds functionality relevant to clinical workflows. Small clinics on standard Microsoft 365 plans do not automatically get access to Teams for Healthcare features.
Required admin configuration
BAA coverage does not make Teams safe by default. The admin must:
- Review guest access settings. Limit which external parties can be added to Teams channels and meetings. Any guest who receives PHI is potentially a business associate.
- Configure meeting recording policies. Decide which users can record meetings, where recordings are stored, and how long they are retained. Recordings containing PHI must be stored in a BAA-covered location with access controls.
- Enable audit logging. Teams activity logs must be retained to meet HIPAA access-log requirements.
- Apply retention policies. Chat messages and channel content containing PHI must follow the clinic’s document retention schedule.
- Restrict third-party app installs. Teams allows a wide marketplace of third-party apps. Any app that accesses PHI-adjacent data must have its own BAA with the clinic.
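A read-only audit of the five settings in the checklist above, added here as an example and not code from the article, PHIGuard, or Microsoft. It assumes the MicrosoftTeams and ExchangeOnlineManagement PowerShell modules, an account holding Teams admin and compliance admin roles, and that the Global policies are the ones the clinic's users actually receive.

```powershell
# Added example, not code from the article, PHIGuard, or Microsoft: a read-only
# audit of the five settings in the checklist above. Assumes the MicrosoftTeams
# and ExchangeOnlineManagement modules and an account holding Teams admin and
# compliance admin roles. Nothing is changed; findings are printed for review.
Import-Module MicrosoftTeams
Import-Module ExchangeOnlineManagement
Connect-MicrosoftTeams | Out-Null
Connect-ExchangeOnline -ShowBanner:$false   # needed for Get-AdminAuditLogConfig
Connect-IPPSSession                          # needed for Get-RetentionCompliancePolicy

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Area, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK' } else { 'REVIEW' }
    $findings.Add([pscustomobject]@{ Area = $Area; Status = $status; Detail = $Detail })
}

# 1. Guest access: the tenant-wide switch that allows guests to be added at all.
$client = Get-CsTeamsClientConfiguration -Identity Global
Add-Finding 'Guest access' (-not $client.AllowGuestUser) "AllowGuestUser = $($client.AllowGuestUser)"

# 2. Meeting recording: the Global meeting policy applies to every user without a custom policy.
$meeting = Get-CsTeamsMeetingPolicy -Identity Global
Add-Finding 'Meeting recording' (-not $meeting.AllowCloudRecording) "Global AllowCloudRecording = $($meeting.AllowCloudRecording)"

# 3. Audit logging: unified audit log ingestion must be on for Teams activity to be recorded.
$audit = Get-AdminAuditLogConfig
Add-Finding 'Audit logging' ([bool]$audit.UnifiedAuditLogIngestionEnabled) "UnifiedAuditLogIngestionEnabled = $($audit.UnifiedAuditLogIngestionEnabled)"

# 4. Retention: at least one retention policy must include Teams chat or channel messages.
#    Wrapping in @() yields an empty array (not $null) when no policy matches.
$teamsPolicies = @(Get-RetentionCompliancePolicy | Where-Object { $_.TeamsChatLocation -or $_.TeamsChannelLocation })
Add-Finding 'Retention' ([bool]$teamsPolicies) "$($teamsPolicies.Count) policy/policies cover Teams chat or channels"

# 5. Third-party apps: 'AllowedAppList' is read here as "only explicitly listed store apps
#    may be installed" (assumed reading of the policy model; confirm in the Teams admin center).
$apps = Get-CsTeamsAppPermissionPolicy -Identity Global
$allowListed = $apps.GlobalCatalogAppsType -eq 'AllowedAppList'
$listedCount = ($apps.GlobalCatalogApps | Measure-Object).Count
Add-Finding 'Third-party apps' $allowListed "GlobalCatalogAppsType = $($apps.GlobalCatalogAppsType); $listedCount app(s) listed"

$findings | Format-Table Area, Status, Detail -AutoSize
```

Any row marked REVIEW is not automatically a violation; it marks a setting that still defaults to the permissive side and needs a documented decision by the clinic.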
Known risks and limitations
Even with a compliant configuration:
- Teams chat is informal and easy to misuse. Staff may share patient names, appointment details, or clinical questions in chat threads out of habit. Access controls limit who can see a channel, but they do not prevent staff from misidentifying recipients or including unnecessary detail.
- Teams notifications on mobile devices may display PHI in preview text if the device is not managed.
- External meeting participants who are patients do not have their own covered accounts. The BAA covers the service side; the patient experience is the clinic’s responsibility.
What to keep out of Teams even with a BAA
- Do not post patient-identifiable information in public-facing Team channels or channels with broad membership
- Do not use Teams to share records with parties who have not been assessed for business associate status
- Do not store recordings in personal OneDrive locations outside organizational controls
When Teams alone is not enough
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.