Is Microsoft Azure HIPAA Compliant? BAA, Covered Services, and What You Must Do


Kevin Henry

HIPAA

May 11, 2025

8 minutes read

You can use Microsoft Azure to handle Protected Health Information (PHI) in a HIPAA-aligned way, but compliance is never automatic. It depends on signing a Business Associate Agreement, choosing only in-scope services, and implementing the HIPAA Security Rule’s safeguards across people, processes, and technology.

This guide explains how HIPAA works in Azure, what the BAA covers, which services are typically in scope, and the exact operational steps you must take—from Access Controls and Encryption Requirements to Monitoring and Auditing.

HIPAA Compliance in Azure

HIPAA is a risk-based program, not a product feature

HIPAA defines administrative, physical, and technical safeguards you must implement to protect ePHI. Azure provides security capabilities and compliance attestations, but your organization remains responsible for configuring, monitoring, and documenting controls that satisfy the HIPAA Security Rule.

Shared responsibility for ePHI

Microsoft manages security of the cloud (data center, physical hosts, core platform). You configure security in the cloud (identity, network isolation, encryption, logging, backups, and incident response). Compliance success requires clear division of duties, documented procedures, and continuous verification.

Minimum necessary and data lifecycle

Design for least privilege and the minimum necessary use of PHI. Classify data, restrict access paths, protect data at rest and in transit, and define retention, deletion, and recovery processes—all captured in your Regulatory Compliance Documentation.

Business Associate Agreement (BAA) Overview

What the BAA is

The Business Associate Agreement is a contractual commitment under which Microsoft, as a business associate, supports HIPAA obligations for designated Azure services. It permits you to process ePHI on those covered services when you also meet your own compliance duties.

What the BAA is not

The BAA does not make every Azure service suitable for PHI, and it does not guarantee compliance. It applies only to services listed as covered and only when you configure and operate them according to HIPAA requirements and the terms of the agreement.

How you obtain and use the BAA

Ensure your organization has an executed BAA with Microsoft before placing PHI in Azure. Train administrators on the BAA’s scope and ensure procurement and engineering teams use only covered services when handling PHI.


Covered Azure Services Under BAA

Understand “covered” scope

Microsoft maintains a list of Azure services that are in scope for its HIPAA BAA. The list changes over time, and preview/beta features are typically excluded. Always verify current coverage before enabling a service for PHI.

Common categories frequently in scope

  • Core compute and container platforms used for clinical apps when hardened and patched.
  • Data storage and databases supporting encryption at rest, role-based access, and audit logging.
  • Networking capabilities that enable private connectivity, segmentation, and traffic inspection.
  • Security and key management tools for secrets, keys, certificates, and policy enforcement.
  • Monitoring and security posture services that provide continuous assessment and alerting.

Coverage checklist

  • Confirm the service and specific features are designated as covered under the BAA.
  • Confirm regional availability, data residency, and disaster recovery behavior for PHI.
  • Validate logging, encryption, and identity integrations meet your control requirements.

Customer Responsibilities for Compliance

Governance, risk, and documentation

Access Controls

  • Use Microsoft Entra ID (formerly Azure AD) with MFA, Conditional Access, and least-privilege RBAC.
  • Apply Privileged Identity Management for just-in-time elevation and require approval and justification.
  • Run periodic access reviews; enforce break-glass procedures and session timeouts for sensitive roles.

Encryption Requirements

  • Encrypt PHI at rest with platform encryption; use customer-managed keys in Azure Key Vault or HSM where appropriate.
  • Enforce TLS for data in transit, disable legacy protocol versions, and restrict endpoints to strong cipher suites.
  • Use database features like TDE and, where needed, Always Encrypted for highly sensitive fields.

Monitoring and Auditing

  • Enable centralized logging (control plane, data plane, OS, and application logs) with immutable retention.
  • Implement threat detection, vulnerability assessment, and alert triage workflows.
  • Regularly review audit trails for privileged activity, data access, and configuration changes.
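The last bullet is the one most teams struggle to make routine. Below is an added Python example (it is not code from the article, from Microsoft, or from Accountable) that triages a handful of constructed Azure Activity Log records and produces findings for privileged control-plane operations, removal of diagnostic settings (which weakens the audit trail itself), and repeated failed operations from one caller. The record field names mirror the Activity Log schema, but the records, the `sp-iac-pipeline` identity, the `<sub-id>` placeholder, and the list of operations treated as privileged are all assumptions for the example.

```python
"""Triage constructed Azure Activity Log records for privileged activity and audit tampering.

Added example, not the article's code. Field names (operationName, caller, status,
resourceId, eventTimestamp) follow the Activity Log schema; the records are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Control-plane operations that warrant a human look in a PHI environment.
# Only counted when they succeed; the operation list is an assumption for this example.
PRIVILEGED_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment created or changed",
    "Microsoft.Authorization/roleDefinitions/write": "custom role definition changed",
    "Microsoft.Authorization/policyAssignments/delete": "policy assignment removed",
    "Microsoft.KeyVault/vaults/write": "key vault configuration changed",
    "Microsoft.Network/networkSecurityGroups/securityRules/write": "NSG rule changed",
    "Microsoft.Storage/storageAccounts/write": "storage account configuration changed",
}

# Operations that weaken the audit trail itself: always high severity, whoever ran them.
AUDIT_TAMPERING_OPERATIONS = {
    "Microsoft.Insights/diagnosticSettings/delete",
    "Microsoft.Insights/logProfiles/delete",
}

# Identities expected to make infrastructure changes (constructed: the IaC pipeline's identity).
CHANGE_PRINCIPALS = frozenset({"sp-iac-pipeline"})

# Constructed sample records; "<sub-id>" is a placeholder, not a real subscription.
SAMPLE_RECORDS = [
    {"eventTimestamp": "2025-05-11T02:14:07Z", "status": "Succeeded", "caller": "jdoe@example.org",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": "/subscriptions/<sub-id>/providers/Microsoft.Authorization/roleAssignments/<assignment-id>"},
    {"eventTimestamp": "2025-05-11T02:15:40Z", "status": "Succeeded", "caller": "jdoe@example.org",
     "operationName": "Microsoft.Insights/diagnosticSettings/delete",
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-phi/providers/Microsoft.Storage/storageAccounts/stphi001/providers/Microsoft.Insights/diagnosticSettings/central"},
    {"eventTimestamp": "2025-05-11T02:18:02Z", "status": "Succeeded", "caller": "sp-iac-pipeline",
     "operationName": "Microsoft.Storage/storageAccounts/write",
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-phi/providers/Microsoft.Storage/storageAccounts/stphi001"},
    {"eventTimestamp": "2025-05-11T02:19:11Z", "status": "Succeeded", "caller": "analyst@example.org",
     "operationName": "Microsoft.Compute/virtualMachines/read",
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-phi/providers/Microsoft.Compute/virtualMachines/vm-etl-01"},
    {"eventTimestamp": "2025-05-11T02:20:01Z", "status": "Failed", "caller": "contractor@example.org",
     "operationName": "Microsoft.KeyVault/vaults/write",
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-phi/providers/Microsoft.KeyVault/vaults/kv-phi"},
    {"eventTimestamp": "2025-05-11T02:20:33Z", "status": "Failed", "caller": "contractor@example.org",
     "operationName": "Microsoft.KeyVault/vaults/write",
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-phi/providers/Microsoft.KeyVault/vaults/kv-phi"},
    {"eventTimestamp": "2025-05-11T02:21:10Z", "status": "Failed", "caller": "contractor@example.org",
     "operationName": "Microsoft.KeyVault/vaults/write",
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-phi/providers/Microsoft.KeyVault/vaults/kv-phi"},
]


def _timestamp(record):
    """Parse the ISO-8601 'Z' timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(record["eventTimestamp"].replace("Z", "+00:00"))


def _finding(severity, rule, record, detail):
    return {"severity": severity, "rule": rule, "caller": record["caller"],
            "operation": record["operationName"], "resourceId": record["resourceId"],
            "time": record["eventTimestamp"], "detail": detail}


def triage(records, change_principals=CHANGE_PRINCIPALS, fail_threshold=3, window=timedelta(minutes=10)):
    """Return review findings for a batch of Activity Log records, oldest first."""
    findings = []
    recent_failures = defaultdict(list)  # caller -> timestamps of failures inside the window
    for record in sorted(records, key=_timestamp):
        op = record["operationName"]
        succeeded = record["status"] == "Succeeded"
        if op in AUDIT_TAMPERING_OPERATIONS and succeeded:
            findings.append(_finding("high", "audit-tampering", record,
                                     "diagnostic logging removed; verify the change ticket and restore the setting"))
        elif op in PRIVILEGED_OPERATIONS and succeeded:
            # Changes made by the deployment pipeline are expected; anything else needs a ticket.
            severity = "low" if record["caller"] in change_principals else "high"
            findings.append(_finding(severity, "privileged-operation", record, PRIVILEGED_OPERATIONS[op]))
        if not succeeded:
            ts = _timestamp(record)
            bucket = [t for t in recent_failures[record["caller"]] if ts - t <= window]
            bucket.append(ts)
            recent_failures[record["caller"]] = bucket
            if len(bucket) == fail_threshold:
                findings.append(_finding("medium", "repeated-failures", record,
                                         f"{fail_threshold} failed control-plane operations within {window}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'low': 1, 'medium': 1} for the sample."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['rule']}: {f['caller']} {f['operation']} ({f['detail']})")
    print(summarize(triage(SAMPLE_RECORDS)))
```

Feed it the JSON you export from your central workspace and tune `PRIVILEGED_OPERATIONS` and `CHANGE_PRINCIPALS` to your environment; the point is that a reviewer starts from a short list of findings with a stated reason, not from the raw log.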

Incident response and breach notification

  • Document runbooks for triage, containment, forensics, recovery, and notification timelines.
  • Run tabletop exercises and maintain evidence of lessons learned and control improvements.

Business continuity and backups

  • Protect PHI with immutable backups, tested restores, and clear RPO/RTO targets.
  • Harden backup identities and networks; separate duties between backup and production admins.

Service-Specific Compliance Considerations

Compute and containers

  • Harden images, patch routinely, and restrict administrative endpoints to private networks.
  • Segment workloads by sensitivity; isolate PHI workloads in dedicated subscriptions and VNets.
  • Scan images for vulnerabilities and secrets before deployment; use managed identities for access.

Storage and databases

  • Require private endpoints, block public access, and enable soft delete and versioning for recovery.
  • Use granular authorization (RBAC and resource-level ACLs) with conditional policies.
  • Turn on auditing for query access, admin actions, and key operations; monitor anomalous patterns.

Networking

  • Adopt a private-by-default stance using private endpoints, network security groups, and firewalls.
  • Route egress through inspection controls; enable DDoS protection for internet-facing endpoints.
  • Encrypt site-to-site and client VPNs; restrict administrative access paths with just-in-time rules.

Serverless and integration

  • Validate that triggers, bindings, and connectors are covered for PHI workflows before use.
  • Store secrets only in Key Vault; never embed credentials or PHI in configuration or code.
  • Set strict data retention on event streams and queues to the minimum necessary.

Analytics and AI

  • De-identify or pseudonymize data when possible; restrict raw PHI to tightly controlled zones.
  • Mask sensitive fields in query tools; enforce row-level and column-level security.
  • Govern export paths to prevent PHI from leaving controlled environments.

Compliance Resources and Guidance

Operational playbook

  • Establish a compliance program charter with executive sponsorship and defined control owners.
  • Map Azure controls to the HIPAA Security Rule and record control evidence and testing cadence.
  • Use built-in policy initiatives and security posture dashboards to measure adherence.

Engineer for auditability

  • Tag assets handling PHI; maintain system inventories, data flow diagrams, and architecture decisions.
  • Automate baseline configurations and gate deployments on passing compliance checks.
  • Package evidence—policies, screenshots, logs, and reports—into review-ready artifacts.

Vendor and service intake

  • Require a BAA for any downstream service touching PHI and verify its covered-service list.
  • Assess data residency, subprocessor chains, and exit strategies before onboarding.

Implementing Security Controls in Azure

Identity and Access Controls

  • Centralize identity in Microsoft Entra ID with MFA, Conditional Access, and device compliance.
  • Apply least privilege with RBAC; use Privileged Identity Management and access reviews.
  • Enable just-enough administration via management groups, custom roles, and scoped assignments.
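The access reviews called for here and under Access Controls above are easiest to keep honest when the first pass is automated. The following is an added Python example (not code from the article, Microsoft, or Accountable) that reviews a constructed export of active RBAC role assignments, in the shape `az role assignment list` produces (`principalName`, `principalType`, `roleDefinitionName`, `scope`), and flags permanent privileged roles at subscription or management-group scope, privileged roles granted to individual users instead of groups, and assignments whose principal no longer resolves. The break-glass account, the `<sub-id>` placeholder, and the way an orphaned principal is represented (empty `principalName`) are assumptions for the example; PIM-eligible assignments do not appear in an active-assignment export, which is why every permanent privileged assignment outside the documented exception list is reported.

```python
"""Automated first pass of an Azure RBAC access review over a constructed assignment export.

Added example, not the article's code. Rows follow the shape of `az role assignment list`
output; the rows themselves, the break-glass account and "<sub-id>" are constructed.
"""

# Roles that can change access or configuration of everything beneath their scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"managementGroup", "subscription"}

# Documented exception: emergency access accounts are expected to hold a permanent Owner role.
BREAK_GLASS = frozenset({"breakglass-01@example.org"})

SAMPLE_ASSIGNMENTS = [
    {"principalName": "breakglass-01@example.org", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/<sub-id>"},
    {"principalName": "jdoe@example.org", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/<sub-id>"},
    {"principalName": "contractor@example.org", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
    {"principalName": "sp-legacy-app", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator", "scope": "/subscriptions/<sub-id>"},
    {"principalName": "analyst@example.org", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/<sub-id>/resourceGroups/rg-phi-dev"},
    {"principalName": "sp-iac-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/<sub-id>/resourceGroups/rg-phi"},
    {"principalName": "grp-phi-readers", "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/<sub-id>/resourceGroups/rg-phi"},
    # Constructed representation of an orphaned assignment whose principal was deleted.
    {"principalName": "", "principalType": "Unknown",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/<sub-id>/resourceGroups/rg-phi"},
]


def scope_level(scope):
    """Classify an ARM scope string as managementGroup, subscription, resourceGroup or resource."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    parts = [p for p in scope.split("/") if p]
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def _finding(severity, rule, assignment, level, action):
    return {"severity": severity, "rule": rule, "principal": assignment.get("principalName") or "<deleted>",
            "role": assignment["roleDefinitionName"], "scopeLevel": level,
            "scope": assignment["scope"], "action": action}


def review(assignments, break_glass=BREAK_GLASS):
    """Return findings that an access reviewer should act on."""
    findings = []
    for a in assignments:
        name = a.get("principalName") or ""
        role = a["roleDefinitionName"]
        level = scope_level(a["scope"])
        if not name:
            findings.append(_finding("medium", "orphaned-assignment", a, level,
                                     "principal no longer resolves; remove the assignment"))
            continue
        if name in break_glass:
            continue  # covered by the break-glass procedure and its own review
        if role in PRIVILEGED_ROLES and level in BROAD_SCOPES:
            findings.append(_finding("high", "permanent-privileged-broad-scope", a, level,
                                     "convert to a PIM-eligible assignment and scope down"))
        elif role in PRIVILEGED_ROLES and a["principalType"] == "User":
            findings.append(_finding("medium", "privileged-role-on-user", a, level,
                                     "grant through a group so membership is reviewed, not the assignment"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_ASSIGNMENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['principal']} has {f['role']} at {f['scope']} -> {f['action']}")
```

Run this against a fresh export at the start of every review cycle and keep the output with the review record; the reviewer's job is then to confirm each finding has a ticketed justification or gets removed.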

Data protection and Encryption Requirements

  • Turn on encryption at rest everywhere; prefer customer-managed keys in Key Vault or Managed HSM.
  • Use TLS for all endpoints; enforce private endpoints and disable public network access where feasible.
  • Apply application-layer protections such as field-level encryption for highly sensitive PHI.

Monitoring and Auditing

  • Collect platform, resource, and application logs into a dedicated workspace with immutable retention.
  • Enable threat detection, baseline deviations, and alert routing to an on-call rotation.
  • Continuously assess configuration drift against policy; remediate automatically when safe.

Configuration management and change control

  • Use infrastructure-as-code with peer review and approvals; record change tickets and deployments.
  • Scan templates for policy violations before merge; block noncompliant changes.
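The pre-merge scan in the second bullet, the encryption requirements listed earlier (TLS only, customer-managed keys) and the storage guidance (private endpoints, no public access) all come down to checking a small set of resource properties. The following is an added Python example (not code from the article, Microsoft, or Accountable) that scans the `resources` array of an ARM template for storage accounts and key vaults and reports properties that are missing or set to a weak value, then decides whether the deployment may proceed. The property names and values are the real ARM ones for those two resource types; the template, the resource names and the severity assigned to each check are assumptions for the example. Because `az resource show` returns the same `type`/`properties` shape, the same checks can be run over exported deployed resources to find configuration drift.

```python
"""Pre-merge scan of ARM template resources for HIPAA-relevant weak settings.

Added example, not the article's code. Property names are ARM's own for
Microsoft.Storage/storageAccounts and Microsoft.KeyVault/vaults; the sample
template, resource names and severities are constructed for the example.
"""
from typing import Any, Callable

# Each check: (property path, predicate that passes, severity, message).
# A missing property fails the check on purpose: several of these default to permissive values.
Check = "tuple[str, Callable[[Any], bool], str, str]"

STORAGE_CHECKS = [
    ("supportsHttpsTrafficOnly", lambda v: v is True, "high", "HTTPS-only traffic must be enforced"),
    ("minimumTlsVersion", lambda v: v == "TLS1_2", "high", "minimum TLS version must be TLS1_2"),
    ("allowBlobPublicAccess", lambda v: v is False, "high", "anonymous blob access must be disabled"),
    ("publicNetworkAccess", lambda v: v == "Disabled", "high", "public network access must be disabled; use private endpoints"),
    ("networkAcls.defaultAction", lambda v: v == "Deny", "high", "network ACL default action must be Deny"),
    ("encryption.keySource", lambda v: v == "Microsoft.Keyvault", "medium", "prefer customer-managed keys in Key Vault"),
    ("allowSharedKeyAccess", lambda v: v is False, "low", "disable shared-key access in favour of Entra ID and managed identities"),
]

KEYVAULT_CHECKS = [
    ("enableSoftDelete", lambda v: v is True, "high", "soft delete must be enabled"),
    ("enablePurgeProtection", lambda v: v is True, "high", "purge protection must be enabled so keys cannot be destroyed during retention"),
    ("enableRbacAuthorization", lambda v: v is True, "medium", "use RBAC authorization instead of access policies"),
    ("publicNetworkAccess", lambda v: v == "Disabled", "high", "public network access must be disabled; use private endpoints"),
]

CHECKS_BY_TYPE = {
    "Microsoft.Storage/storageAccounts": STORAGE_CHECKS,
    "Microsoft.KeyVault/vaults": KEYVAULT_CHECKS,
}

# Constructed template: one weak and one hardened resource of each type, plus one type not covered.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "stphiraw",
         "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
                        "allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled",
                        "networkAcls": {"defaultAction": "Allow"},
                        "encryption": {"keySource": "Microsoft.Storage"}}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stphi001",
         "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                        "allowBlobPublicAccess": False, "publicNetworkAccess": "Disabled",
                        "allowSharedKeyAccess": False,
                        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
                        "encryption": {"keySource": "Microsoft.Keyvault"}}},
        {"type": "Microsoft.KeyVault/vaults", "name": "kv-phi-legacy",
         "properties": {"enableSoftDelete": True, "enableRbacAuthorization": False,
                        "publicNetworkAccess": "Enabled"}},
        {"type": "Microsoft.KeyVault/vaults", "name": "kv-phi",
         "properties": {"enableSoftDelete": True, "enablePurgeProtection": True,
                        "enableRbacAuthorization": True, "publicNetworkAccess": "Disabled"}},
        {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-phi", "properties": {}},
    ]
}


def lookup(properties, path):
    """Walk a dotted path through nested dicts; None when any segment is absent."""
    node = properties
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def scan_resources(template):
    """Return one finding per failed check; resource types without checks are skipped.

    ARM expressions such as "[parameters('name')]" are not evaluated and are reported verbatim.
    """
    findings = []
    for resource in template.get("resources", []):
        checks = CHECKS_BY_TYPE.get(resource.get("type"))
        if not checks:
            continue
        props = resource.get("properties") or {}
        for path, passes, severity, message in checks:
            value = lookup(props, path)
            if value is None or not passes(value):
                findings.append({"resource": resource.get("name"), "type": resource["type"],
                                 "property": path, "value": value, "severity": severity, "message": message})
    return findings


def deployment_allowed(findings, block_on=frozenset({"high"})):
    """Gate decision for CI: block when any finding has a blocking severity."""
    return not any(f["severity"] in block_on for f in findings)


if __name__ == "__main__":
    results = scan_resources(SAMPLE_TEMPLATE)
    for f in results:
        print(f"[{f['severity']}] {f['resource']} {f['property']}={f['value']!r}: {f['message']}")
    print("deployment allowed:", deployment_allowed(results))
```

Wire `deployment_allowed` into the pull-request check so a template with any high finding cannot merge; the medium and low findings still appear in the review so that, for example, a platform-managed-key storage account is a conscious, documented decision rather than an oversight.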

Resilience and recovery

  • Design for high availability; test backup restores and regional failover regularly.
  • Protect backups with separate credentials, private networks, and immutable storage.

Summary

Azure can support HIPAA requirements when you have a signed Business Associate Agreement, restrict PHI to covered services, and implement strong Access Controls, Encryption Requirements, and Monitoring and Auditing. Treat compliance as an ongoing program backed by clear ownership, automation, and solid Regulatory Compliance Documentation.

FAQs

What is a Business Associate Agreement in Azure?

A Business Associate Agreement is the contract under which Microsoft acts as a business associate for designated Azure services. It enables you to process Protected Health Information on those services when you meet your own HIPAA obligations, including proper configuration, monitoring, and documentation.

Which Azure services are covered under HIPAA BAA?

Only services explicitly designated as in scope are covered, and coverage can change over time. Common categories include core compute, storage, databases, networking, key management, and security posture services. Always confirm the current in-scope list before using a service with PHI.

How do I configure Azure for HIPAA compliance?

Obtain and file the BAA, restrict PHI to covered services, implement least-privilege Access Controls, enforce encryption in transit and at rest with managed keys, centralize logging and Monitoring and Auditing, perform risk analysis, document controls against the HIPAA Security Rule, and test incident response and recovery.

Does Microsoft ensure HIPAA compliance by default?

No. Microsoft secures the platform and offers covered services, but compliance depends on how you configure and operate your workloads. You must implement required safeguards, validate them continuously, and maintain thorough Regulatory Compliance Documentation.
