Is Microsoft 365 HIPAA Compliant? BAA, Requirements & Setup Guide
The common question—Is Microsoft 365 HIPAA Compliant?—has a nuanced answer: Microsoft 365 can support HIPAA obligations when you execute a Business Associate Agreement and configure the platform to safeguard Protected Health Information. Compliance is shared; Microsoft secures the cloud, while you implement controls, policies, and workforce practices.
This Requirements & Setup Guide walks you through choosing the right plans and putting essential safeguards in place. Follow each section to build a defensible configuration and document your decisions for audits and risk assessments.
Selecting Microsoft 365 Plans
Choose plans that include enterprise-grade security and compliance capabilities for PHI. Prioritize features that enable Conditional Access, Data Loss Prevention Policies, Office Message Encryption, Information Governance controls, and sufficient Audit Logging Retention.
What to look for
- Identity protection with multifactor authentication and Conditional Access in Microsoft Entra ID (formerly Azure AD).
- Data Loss Prevention Policies for Exchange Online, SharePoint Online, OneDrive, Teams, and endpoints.
- Office Message Encryption for secure email to internal and external recipients.
- Information Governance features: retention labels, records management, and eDiscovery.
- Unified audit logging with configurable Audit Logging Retention and alerting.
- Device management (for example, Intune) to enforce compliance on endpoints accessing PHI.
Practical licensing approach
- Baseline security: ensure MFA, Conditional Access, DLP, and OME are available for all users handling PHI.
- Advanced compliance: add capabilities that extend audit retention, auto-labeling, advanced eDiscovery, and insider risk for higher-risk workflows.
- Scope smartly: license only users that create, access, or process PHI to control cost while meeting requirements.
Document which services will store or process PHI, and verify those services are covered under your Business Associate Agreement before enabling them.
Signing a Business Associate Agreement
The Business Associate Agreement defines Microsoft’s obligations for safeguarding PHI within covered online services. You must accept the BAA in your tenant before storing PHI in Microsoft 365.
How to complete the BAA
- Confirm your organization’s status as a covered entity or business associate and designate an authorized signer.
- In your Microsoft 365 tenant, review and accept the HIPAA/HITECH BAA applicable to Microsoft Online Services.
- Verify that all intended workloads (email, files, chat, voice, etc.) are in scope under the BAA before enabling PHI in those services.
- Record the acceptance date, version, and signer. Store a copy in your compliance repository.
- Flow down obligations to subcontractors and third parties that will access PHI from Microsoft 365.
Work with legal counsel to ensure the BAA aligns with your policies, notices of privacy practices, and vendor management program.
Configuring Identity and Access Management
Identity is your front door for PHI. Enforce strong authentication, restrict risky sign-ins, and limit privileges to the minimum needed.
Core identity controls
- Require multifactor authentication for all accounts that access Protected Health Information.
- Implement Conditional Access policies: block legacy/basic authentication, require compliant or hybrid-joined devices, and restrict by sign-in risk and location.
- Use role-based access control and separate admin accounts from user accounts.
- Enable just-in-time elevation and approval workflows for privileged roles; review access regularly.
- Maintain at least two monitored emergency (“break-glass”) accounts protected by strong controls.
Session and device protections
- Apply session controls to limit persistent cookies, enforce reauthentication, and prevent download on unmanaged devices.
- Use device compliance policies to enforce encryption, OS health, and screen lock on endpoints accessing PHI.
- Require app protection policies on mobile devices to containerize corporate data and prevent cross-app data leaks.
Log and review sign-in events and access decisions. Tie exceptions to documented business needs with time-bound approvals.
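The Conditional Access baseline described above, expressed as three policies created in report-only mode with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original guide or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin can consent to the Policy.ReadWrite.ConditionalAccess scope, and that the two object IDs in $breakGlassIds are replaced with your real emergency accounts (the values shown are placeholders).

```powershell
# Added example, not code from the original guide or from Microsoft.
# Creates three Conditional Access policies in report-only mode using the
# Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
# Assumptions: the admin can consent to Policy.ReadWrite.ConditionalAccess and
# $breakGlassIds holds the object IDs of your emergency accounts (placeholders here).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object IDs: replace with your monitored break-glass accounts so the
# policies can never lock them out.
$breakGlassIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# Shared scope: every user except break-glass, every cloud app.
$allUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
$allApps = @{ includeApplications = @("All") }

$policies = @(
    # CA01: block legacy/basic authentication clients, which cannot satisfy MFA.
    @{
        displayName   = "CA01 - Block legacy authentication"
        state         = "enabledForReportingButNotEnforced"   # report-only; set "enabled" after review
        conditions    = @{
            clientAppTypes = @("exchangeActiveSync", "other")   # "other" = basic-auth protocols
            applications   = $allApps
            users          = $allUsersExceptBreakGlass
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    # CA02: require MFA on interactive sign-ins, re-prompt every 12 hours,
    #       and never persist the browser session (session controls from the guide).
    @{
        displayName     = "CA02 - Require MFA and bounded sessions"
        state           = "enabledForReportingButNotEnforced"
        conditions      = @{
            clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
            applications   = $allApps
            users          = $allUsersExceptBreakGlass
        }
        grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
        sessionControls = @{
            signInFrequency   = @{ value = 12; type = "hours"; isEnabled = $true }
            persistentBrowser = @{ mode = "never"; isEnabled = $true }
        }
    },
    # CA03: require a compliant (Intune) OR hybrid-joined device; the "OR"
    #       operator lets either control satisfy the policy.
    @{
        displayName   = "CA03 - Require compliant or hybrid-joined device"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
            applications   = $allApps
            users          = $allUsersExceptBreakGlass
        }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Verification for the change record: policy names and their current state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Id
```

Policies are created as report-only on purpose: review the sign-in log impact for a week, then flip each state to "enabled". Keeping MFA (CA02) and the device requirement (CA03) in separate policies is what gives you "MFA and (compliant or hybrid-joined)", since a single policy cannot nest AND and OR between grant controls.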
Implementing Data Loss Prevention
Data Loss Prevention Policies help prevent accidental or unauthorized sharing of PHI across email, files, chat, and endpoints. Start with scoped policies, then expand as you validate accuracy.
Step-by-step
- Use built-in PHI sensitive information types and create a baseline DLP policy in test mode with user policy tips.
- Scope to Exchange, SharePoint, OneDrive, and Teams; extend to endpoint DLP for USB, clipboard, and print controls.
- Set clear actions: block, encrypt, or require business justification with incident reports to security or compliance.
- Minimize false positives with exact data match or keyword dictionaries for local codes and forms.
- Integrate DLP with sensitivity labels so higher-sensitivity content triggers stricter controls.
- Measure effectiveness with incident trends; iterate thresholds and exceptions for trusted workflows.
Educate users on what triggers DLP, how to remediate, and how to request policy exceptions with proper approvals.
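The staged DLP rollout above, as an added example in Security & Compliance PowerShell. This is not code from the original guide or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that your account holds a compliance admin role, that the two sensitive information type names are the built-in ones, and that compliance@contoso.example is a placeholder incident-report mailbox. The helper New-PhiMatchSet is a local function written for this example.

```powershell
# Added example, not code from the original guide or from Microsoft.
# Builds a baseline PHI DLP policy in test mode with policy tips, using
# Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Assumptions: Compliance Administrator role; compliance@contoso.example is a
# placeholder incident-report mailbox; SIT names below are the built-in ones.

Connect-IPPSSession

$policyName      = "PHI Baseline"
$incidentMailbox = "compliance@contoso.example"   # placeholder

# Built-in sensitive information types used as PHI indicators. Add an Exact Data
# Match or keyword-dictionary SIT here for local MRN or form identifiers.
$phiTypes = @(
    "U.S. Social Security Number (SSN)",
    "Drug Enforcement Agency (DEA) Number"
)

# Local helper (not a Microsoft cmdlet): one match condition per SIT with the
# given count window, in the hashtable shape the DLP cmdlets expect.
function New-PhiMatchSet([string]$Min, [string]$Max) {
    foreach ($name in $phiTypes) {
        $h = @{ Name = $name; minCount = $Min }
        if ($Max) { $h["maxCount"] = $Max }
        $h
    }
}

# Policy scoped to the four workloads. TestWithNotifications shows policy tips and
# logs matches without blocking, so false positives can be tuned first.
# Add -EndpointDlpLocation All once devices are onboarded for endpoint DLP.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Baseline PHI detection; test mode with user notifications" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule 1 (1-9 matches): policy tip to the owner plus an incident report.
New-DlpComplianceRule -Name "PHI - low volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @(New-PhiMatchSet -Min "1" -Max "9") `
    -NotifyUser Owner `
    -GenerateIncidentReport $incidentMailbox `
    -IncidentReportContent Title, DocumentAuthor, Severity, DetectionDetails

# Rule 2 (10+ matches shared outside the organisation): block unless the user
# records a business justification, which lands in the incident report.
New-DlpComplianceRule -Name "PHI - high volume external" -Policy $policyName `
    -ContentContainsSensitiveInformation @(New-PhiMatchSet -Min "10") `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $incidentMailbox `
    -IncidentReportContent All

# Verification for the change record.
Get-DlpComplianceRule -Policy $policyName | Format-Table Name, Mode, BlockAccess, NotifyUser
```

After the incident reports show an acceptable false-positive rate, switch the policy to enforcement with `Set-DlpCompliancePolicy -Identity "PHI Baseline" -Mode Enable`; the override-with-justification path on rule 2 is what keeps trusted clinical workflows moving while still producing an audit trail.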
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Enabling Email Encryption
Office Message Encryption protects PHI in transit and at rest across email, including messages sent outside your organization. Pair it with labels and DLP for consistent enforcement.
Recommended configuration
- Enable message encryption and rights-protection services for your tenant.
- Create automatic rules that apply encryption when DLP detects PHI or when a sensitivity label requires it.
- Offer a manual “Encrypt” option in Outlook for edge cases and clinician discretion.
- Protect attachments with rights that restrict forwarding, downloading, and printing.
- Use expiration and revocation for time-bound sharing of PHI.
Provide patient-facing guidance on the external recipient experience so encrypted messages are not mistaken for phishing.
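The recommended OME configuration above, as an added example in Exchange Online PowerShell (not code from the original guide or from Microsoft). It assumes the ExchangeOnlineManagement module, an Exchange admin role, the built-in "Encrypt" and "Do Not Forward" rights templates, and that clinician@contoso.example, the "[NOFORWARD]" subject convention and the 7-day expiry are placeholders you replace with your own values.

```powershell
# Added example, not code from the original guide or from Microsoft.
# Verifies rights management is enabled, then adds mail flow rules that encrypt
# outbound PHI automatically and restrict forwarding on request.
# Assumptions: ExchangeOnlineManagement module; clinician@contoso.example,
# "[NOFORWARD]" and the 7-day expiry are placeholders.

Connect-ExchangeOnline

# 1. Azure Rights Management is the engine behind OME; make sure it is licensed
#    and enabled, then run the built-in round-trip test from a real mailbox.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
Test-IRMConfiguration -Sender "clinician@contoso.example"   # placeholder sender

# 2. Automatic rule: mail to external recipients that carries SSN or DEA numbers
#    gets the built-in "Encrypt" template (attachments included). External
#    recipients open it through the OME portal; Microsoft 365 recipients read it natively.
New-TransportRule -Name "OME - Encrypt outbound PHI" `
    -Priority 0 `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = "1" }
    ) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Automatic OME for PHI detected in outbound mail"

# 3. Stricter handling on request: "Do Not Forward" blocks forwarding, copying
#    and printing. Triggered by a subject keyword clinicians add deliberately
#    (the keyword is a placeholder convention for this example).
New-TransportRule -Name "OME - Do Not Forward on request" `
    -Priority 1 `
    -SubjectContainsWords "[NOFORWARD]" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Comments "Manual escalation to rights-protected mail"

# 4. Time-bound sharing: expire external OME messages after 7 days
#    (needs Advanced Message Encryption; 7 is a placeholder value).
Set-OMEConfiguration -Identity "OME Configuration" -ExternalMailExpiryInDays 7

# Verification for the change record.
Get-TransportRule | Where-Object Name -like "OME - *" | Format-Table Name, State, Priority
```

The automatic rule covers the "DLP detects PHI" trigger from the guide; the manual "Encrypt" button in Outlook needs no rule and remains available for clinician discretion. Keep the placeholder subject keyword if you adopt it out of user-facing guidance so recipients are not surprised by the rights-protected experience.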
Applying Information Governance
Information Governance ensures PHI is retained for the right period and disposed of defensibly. Labels, retention policies, and records management create a lifecycle that aligns with legal and clinical needs.
Retention and records
- Define retention schedules for PHI by content type and jurisdiction; translate them into retention labels and policies.
- Auto-apply labels to PHI using sensitive info detection, trainable classifiers, or metadata conditions.
- Mark immutable records where required; prevent edits and deletion until the retention period ends.
- Use event-based retention for clinical events (for example, discharge or case closure) when applicable.
- Place content on legal hold for investigations without disrupting normal retention.
Review disposition reports and audit trails for defensibility. Keep your file plan current as regulations or clinical practices change.
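The retention and records setup above, as an added example in Security & Compliance PowerShell (not code from the original guide or from Microsoft). It assumes the ExchangeOnlineManagement module and a compliance admin role; the label names, the 6-year duration and the "Patient discharge" event type are placeholders, and the real retention period must come from your own schedule and counsel.

```powershell
# Added example, not code from the original guide or from Microsoft.
# Creates a creation-based PHI record label, an event-based label keyed to
# discharge, publishes both, and auto-applies the first where PHI is detected.
# Assumptions: Security & Compliance PowerShell; all names and the 6-year
# duration are placeholders to replace from your retention schedule.

Connect-IPPSSession

$labelName    = "PHI Record - 6 years (placeholder)"
$daysToRetain = 6 * 365   # placeholder duration

# 1. Retention label: keep from creation, then delete. IsRecordLabel makes the
#    content immutable (no edits or deletion) until the period ends.
New-ComplianceTag -Name $labelName `
    -Comment "PHI record; retain then delete (placeholder schedule)" `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -RetentionDuration $daysToRetain `
    -IsRecordLabel $true

# 2. Event-based label: the clock starts when a "Patient discharge" event is
#    raised later with New-ComplianceRetentionEvent, not at creation time.
$eventType = New-ComplianceRetentionEventType -Name "Patient discharge" `
    -Comment "Retention starts at discharge or case closure"
New-ComplianceTag -Name "PHI Record - from discharge (placeholder)" `
    -RetentionAction KeepAndDelete `
    -RetentionType EventAgeInDays `
    -RetentionDuration $daysToRetain `
    -EventType $eventType.Name `
    -IsRecordLabel $true

# 3. Publish the creation-based label so users and auto-labeling can apply it.
New-RetentionCompliancePolicy -Name "Publish PHI labels" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Publish PHI labels rule" -Policy "Publish PHI labels" `
    -PublishComplianceTag $labelName

# 4. Auto-apply the label wherever the built-in SSN type is detected.
New-RetentionCompliancePolicy -Name "Auto-apply PHI label" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Auto-apply PHI label rule" -Policy "Auto-apply PHI label" `
    -ApplyComplianceTag $labelName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
    )

# Verification for the file plan.
Get-ComplianceTag | Where-Object Name -like "PHI Record*" |
    Format-Table Name, RetentionAction, RetentionType, RetentionDuration, IsRecordLabel
```

Auto-applied labels can take time to propagate, and record labels cannot be removed by ordinary users once applied, so pilot the auto-apply policy on a single site before scoping it to All.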
Setting Up Audit Logging
Auditing proves who accessed PHI, what changed, and when. Turn on auditing broadly and keep logs long enough to support investigations and regulatory inquiries.
Essential steps
- Confirm unified audit logging is enabled for your tenant and workloads.
- Verify mailbox auditing for all users and high-value mailboxes; monitor non-owner access to PHI.
- Configure Audit Logging Retention to meet your risk profile; extend retention for privileged and high-risk activities.
- Create alert policies for unusual downloads, mass sharing, privilege changes, and failed sign-in spikes.
- Export logs to your SIEM for correlation with endpoint, network, and EHR events.
- Test audit completeness quarterly and document evidence for auditors.
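The audit steps above, as an added example (not code from the original guide or from Microsoft). It uses the ExchangeOnlineManagement module with both an Exchange Online and a Security & Compliance session, and assumes secops@contoso.example is a placeholder alert recipient; the 12-month retention policy and threshold alert depend on your licensing.

```powershell
# Added example, not code from the original guide or from Microsoft.
# Confirms auditing is on, enables mailbox auditing where it is off, extends
# audit retention, creates a mass-download alert, and runs two sample searches
# (non-owner mailbox access, bulk file downloads).
# Assumptions: ExchangeOnlineManagement module; secops@contoso.example is a placeholder.

Connect-ExchangeOnline      # Get-OrganizationConfig, Set-Mailbox, Search-UnifiedAuditLog
Connect-IPPSSession         # New-UnifiedAuditLogRetentionPolicy, New-ProtectionAlert

$alertRecipient = "secops@contoso.example"   # placeholder

# 1. Unified audit logging must not be disabled at the organisation level.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Mailbox auditing is on by default for most tenants, but explicitly enable any
#    mailbox where it is off so owner, delegate and admin actions are recorded.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -AuditEnabled $true }

# 3. Keep Exchange and SharePoint audit records for 12 months (license dependent).
New-UnifiedAuditLogRetentionPolicy -Name "PHI audit retention 12 months" `
    -Description "Extend retention for mailbox and file activity" `
    -RecordTypes ExchangeItem, SharePointFileOperation `
    -RetentionDuration TwelveMonths -Priority 10

# 4. Alert when one user downloads more than 100 files within 60 minutes
#    (threshold and window are placeholders to tune against your baseline).
New-ProtectionAlert -Name "Mass file download" -Category DataGovernance `
    -ThreatType Activity -Operation FileDownloaded `
    -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -Severity High -NotifyUser $alertRecipient

# 5. Sample search: non-owner mailbox access in the last 7 days.
#    LogonType in AuditData: 0 = Owner, 1 = Admin, 2 = Delegate.
#    For more than 5000 results, page with -SessionId/-SessionCommand ReturnLargeSet.
$start = (Get-Date).AddDays(-7); $end = Get-Date
$nonOwner = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ExchangeItem -Operations FolderBind, SendAs, SendOnBehalf -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.LogonType -ne 0 } |
    Select-Object CreationTime, UserId, Operation, MailboxOwnerUPN, LogonType
$nonOwner | Format-Table -AutoSize

# 6. Sample search: users with bulk downloads, an ad-hoc check that mirrors the alert.
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation -Operations FileDownloaded -ResultSize 5000 |
    Group-Object UserIds |
    Where-Object Count -gt 100 |
    Select-Object Name, Count
```

Run steps 5 and 6 on a schedule and keep the output with the run date as the quarterly "audit completeness" evidence the guide asks for; if a search returns nothing for a mailbox you know was accessed by a delegate, that gap is the finding.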
Conclusion
Microsoft 365 can support HIPAA when you pair a signed Business Associate Agreement with disciplined configuration. Enforce identity controls, deploy DLP and Office Message Encryption, govern data with retention and records, and maintain strong auditing. Document everything, train your workforce, and review controls regularly.
FAQs
What is a Business Associate Agreement in Microsoft 365?
A Business Associate Agreement is the contract under which Microsoft, as a business associate, agrees to safeguard PHI within covered Microsoft Online Services. You must accept the BAA in your tenant before placing PHI in those services, and you should retain the executed terms and acceptance details for your compliance records.
How does Microsoft 365 protect Protected Health Information?
Microsoft 365 provides encryption in transit and at rest, Conditional Access and MFA to control sign-ins, Data Loss Prevention Policies to prevent improper sharing, Office Message Encryption for secure email, Information Governance for retention and records, and comprehensive auditing. When these are configured and monitored, they help you protect Protected Health Information across mail, files, chat, and devices.
What configurations are required for HIPAA compliance in Microsoft 365?
At minimum: accept the BAA; enforce MFA and Conditional Access; disable legacy authentication; deploy DLP across Exchange, SharePoint, OneDrive, Teams, and endpoints; enable Office Message Encryption; classify and label PHI with retention policies; verify mailbox and unified audit logging with adequate Audit Logging Retention; and implement device compliance. Complement technology with procedures, training, and periodic risk assessments.
Is Microsoft responsible for customer data compliance?
Compliance is shared. Microsoft is responsible for securing the cloud infrastructure and providing compliant capabilities. You are responsible for configuring those capabilities, classifying and governing data, controlling access, monitoring and responding to incidents, managing vendors, and training users. Your policies and implementation determine whether your use of Microsoft 365 satisfies HIPAA.