Microsoft HIPAA BAA: Covered Services, Requirements, and How to Sign

Kevin Henry

HIPAA

June 17, 2025

7 minute read

Overview of Microsoft HIPAA BAA

The Microsoft HIPAA Business Associate Agreement (BAA) is Microsoft’s standardized contract language for handling electronic protected health information (ePHI) within designated Online Services. It clarifies Microsoft’s role as a Business Associate and your role as a Covered Entity or Business Associate, outlining shared responsibilities that support HIPAA compliance.

In Microsoft’s model, the HIPAA terms are incorporated into the Data Protection Addendum (DPA) and the Microsoft Product Terms for specific services. When you procure eligible Azure Online Services or Microsoft 365 workloads, the BAA in the DPA generally applies without a separate, bespoke agreement.

The HIPAA BAA is published as an attachment to the DPA, and both the DPA and the Product Terms are public documents on Microsoft’s Licensing Documents site; no sign-in is needed to read or download them. The Microsoft Trust Center links to these, and the Service Trust Portal (sign-in required) hosts the independent audit reports and other artifacts you will need for audits and vendor risk reviews. The BAA sets contractual obligations, but you must still configure services and implement safeguards to achieve HIPAA compliance in your environment.

Covered Azure and Microsoft Services

The BAA applies only to the Online Services Microsoft lists as in scope in the HIPAA BAA attachment to the DPA and in the Product Terms. There is no HIPAA certification for cloud services, and Microsoft does not label individual products “HIPAA compliant”; “HIPAA-eligible” in this article is shorthand for “listed as in scope.” Not every feature, preview capability, or SKU of a product is covered, so confirm scope at the workload level, and sometimes at the feature level, before storing ePHI.

  • Azure Online Services: Common HIPAA-eligible building blocks include compute, storage, databases, networking, and integration services (for example, Azure Virtual Machines, Azure Storage, Azure SQL Database, Azure App Service, Azure Kubernetes Service, Azure Functions, Azure Logic Apps, and Azure Key Vault). Validate each service and feature against the Product Terms before use with ePHI.
  • Microsoft 365: Core workloads such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams are typically in scope when properly configured. Apply data loss prevention, retention, and access controls aligned to your HIPAA policies.
  • Dynamics 365 and Power Platform: Many capabilities are covered when used within compliant environments. Review connectors and integrations individually, as third-party apps or connectors may fall outside the BAA.

Keep your architecture constrained to HIPAA-eligible services, and document design decisions so auditors can trace where ePHI flows and rests.
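One way to make the constraint above enforceable rather than aspirational is an Azure Policy assignment that denies any resource type not on an explicit allow list. The following PowerShell (Az.Resources module) is an added example, not Microsoft’s code or a Microsoft-published policy; the subscription ID, policy names, and the allow-list entries are placeholders, and the list must be built from your own reading of the Product Terms rather than copied from here.

```powershell
# Added example (not from the article or Microsoft): Azure Policy definition that
# blocks resource types missing from an allow list, assigned to a subscription
# that will hold ePHI. Requires the Az.Resources module and a prior Connect-AzAccount.
# Placeholders: $subscriptionId, the policy names, and every entry in $allowed.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope = "/subscriptions/$subscriptionId"

# Policy rule: flag (or deny) anything whose type is not in the parameter list.
$policyRule = @'
{
  "if": {
    "not": {
      "field": "type",
      "in": "[parameters('allowedResourceTypes')]"
    }
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameters: the allow list, plus an effect that defaults to Audit so the
# policy can be dry-run before it starts denying deployments.
$policyParameters = @'
{
  "allowedResourceTypes": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed resource types",
      "description": "Resource types you have verified as in scope in the Product Terms",
      "strongType": "resourceTypes"
    }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
'@

$definition = New-AzPolicyDefinition `
    -Name 'ephi-allowed-resource-types' `
    -DisplayName 'ePHI subscriptions: allow only verified resource types' `
    -Description 'Audits or denies resource types not verified as in scope for the HIPAA BAA.' `
    -Policy $policyRule `
    -Parameter $policyParameters `
    -Mode 'All'

# Placeholder allow list. Each entry must be checked against the current Product
# Terms before use with ePHI; this is the author's illustration, not Microsoft's list.
$allowed = @(
    'Microsoft.Compute/virtualMachines',
    'Microsoft.Storage/storageAccounts',
    'Microsoft.Sql/servers',
    'Microsoft.Sql/servers/databases',
    'Microsoft.Web/sites',
    'Microsoft.KeyVault/vaults',
    'Microsoft.Network/virtualNetworks',
    'Microsoft.Network/networkSecurityGroups'
)

# Assign in Audit mode first; switch effect to 'Deny' once the list is complete.
New-AzPolicyAssignment `
    -Name 'ephi-allowed-types' `
    -DisplayName 'ePHI: allowed resource types only' `
    -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ allowedResourceTypes = $allowed; effect = 'Audit' }

# Show what is already deployed outside the list so it can be moved or added
# to the list before enforcement is turned on.
Get-AzResource | Where-Object { $_.ResourceType -notin $allowed } |
    Select-Object ResourceGroupName, Name, ResourceType
```

Leave the effect at Audit until the allow list is complete: a rule on type also matches child and supporting types (disks, network interfaces, VM extensions, storage blob services) that a compliant workload still needs, and those must be added before switching to Deny. The closing Get-AzResource query lists existing resources that the policy would flag, which is the remediation backlog to clear first.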

BAA Requirements and Compliance

The BAA defines Microsoft’s commitments for designated services, but you remain responsible for administrative, physical, and technical safeguards under the HIPAA Security Rule. Think in terms of a shared responsibility model: Microsoft secures the underlying cloud platform; you configure and operate workloads securely.

  • Access management: Enforce least-privilege, strong authentication, conditional access, and just-in-time elevation. Regularly review role assignments and group membership.
  • Encryption: Enforce encryption in transit (TLS 1.2 or later, with plaintext endpoints disabled) and at rest; where your risk analysis calls for customer control of keys, use customer-managed keys held in Azure Key Vault or Managed HSM. Confirm encryption coverage for backups, logs, diagnostic exports, and any data copied out of the platform.
  • Auditability: Enable logging, retain logs to tamper-resistant stores, and monitor with alerting. Evidence collection is crucial for investigations and attestations.
  • Data minimization and segmentation: Restrict ePHI to HIPAA-eligible services, use separate subscriptions or tenants where needed, and apply network and information barriers.
  • Incident response and breach notification: Establish playbooks that align with the BAA’s security incident notification terms and with HIPAA timelines (the Breach Notification Rule requires notice to affected individuals without unreasonable delay and no later than 60 calendar days after discovery); verify contact paths and escalation procedures, including which tenant contacts Microsoft will notify, before an incident occurs.
  • Workforce training and policies: Train staff on acceptable use, data handling, and device security. Maintain written procedures that map to your configurations.

Compliance is ongoing: reassess risks, validate controls after service changes, and record evidence of your due diligence.
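The encryption and auditability bullets are easier to evidence with a repeatable check than with a screenshot. This PowerShell (Az.Accounts and Az.Storage modules) is an added example, not from the article or from Microsoft: it reads each storage account’s transport and key settings across every subscription in the current context and writes a dated CSV. The baseline it tests (HTTPS only, TLS 1.2 minimum, anonymous blob access disabled, customer-managed keys in Key Vault) is the reviewer’s own, not a Microsoft-published HIPAA setting, and the property names are those exposed by the Az.Storage module.

```powershell
# Added example (not from the article or Microsoft): audit storage accounts for
# encryption-in-transit enforcement and at-rest key source, then export evidence.
# Requires Az.Accounts and Az.Storage and a prior Connect-AzAccount.
# The baseline below is an assumption chosen for illustration, not a Microsoft HIPAA setting.

function Test-StorageAccountBaseline {
    param(
        [Parameter(Mandatory)] $Account,           # PSStorageAccount from Get-AzStorageAccount
        [switch] $RequireCustomerManagedKey         # insist on keys held in Key Vault
    )
    $findings = @()

    # In transit: plaintext HTTP must be refused and old TLS versions rejected.
    if (-not $Account.EnableHttpsTrafficOnly) {
        $findings += 'HTTP allowed (EnableHttpsTrafficOnly is false)'
    }
    if ($Account.MinimumTlsVersion -ne 'TLS1_2') {
        $findings += "Minimum TLS is '$($Account.MinimumTlsVersion)', expected TLS1_2"
    }

    # Exposure: anonymous blob access must be explicitly disabled, not left unset.
    if ($Account.AllowBlobPublicAccess -ne $false) {
        $findings += 'Anonymous blob access not explicitly disabled'
    }

    # At rest: platform encryption is always on; check who controls the key.
    if ($RequireCustomerManagedKey -and $Account.Encryption.KeySource -ne 'Microsoft.Keyvault') {
        $findings += "Key source is '$($Account.Encryption.KeySource)', expected Microsoft.Keyvault"
    }

    [pscustomobject]@{
        ResourceGroup = $Account.ResourceGroupName
        Account       = $Account.StorageAccountName
        Compliant     = ($findings.Count -eq 0)
        Findings      = ($findings -join '; ')
    }
}

# Walk every subscription visible to the signed-in identity.
$results = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Get-AzStorageAccount | ForEach-Object {
        Test-StorageAccountBaseline -Account $_ -RequireCustomerManagedKey
    }
}

# Show failures on screen for remediation.
$results | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Keep the complete, dated result set as evidence for the compliance repository.
$results | Export-Csv -NoTypeInformation -Path ("storage-encryption-audit-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Run this on a schedule and archive the CSV alongside the BAA artifacts described later; the point is that the evidence shows the configuration on a given date, which is what an auditor tracing “contract to control to evidence” will ask for. Adjust the baseline to your own risk analysis before treating a finding as a violation.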

Steps to Access Microsoft BAA

You can review and obtain the BAA and related artifacts through Microsoft’s public licensing documentation and its compliance portals. Use the following sequence so that you retrieve the version that actually governs your agreement.

  1. Confirm eligibility: Verify your organization is a HIPAA Covered Entity or Business Associate and that you plan to store ePHI only in services listed as in scope.
  2. Go to the source documents: The Product Terms and the DPA (with its HIPAA BAA attachment) are public on Microsoft’s Licensing Documents site and can be downloaded without signing in. Audit reports and other evidence on the Service Trust Portal require sign-in with a Microsoft cloud services work account; no particular admin role is needed.
  3. Locate documents: Search for “Data Protection Addendum” and open its HIPAA Business Associate Agreement attachment; search the “Microsoft Product Terms” for the service-specific terms of each workload you use.
  4. Select version and language: The documents are dated. Choose the version in effect on the date you accepted or renewed your agreement (Microsoft Customer Agreement, Enterprise Agreement, or CSP) and your preferred language.
  5. Download and archive: Save the DPA/BAA, the relevant Product Terms pages, and any supporting audit reports in your internal repository, recording version, effective date, and retrieval date for your audit trail.

If a report does not appear in the Service Trust Portal, confirm you are signed in with a work account tied to an active Microsoft subscription, then retry or contact your licensing provider.

Signing and Acceptance Process

For most customers, no separate contract is required. The BAA for designated Online Services is incorporated into the DPA within the Microsoft Product Terms and becomes effective when you accept your master agreement and provision eligible services.

  • Agreement-based acceptance: Under the Microsoft Customer Agreement, Enterprise Agreement, or similar instruments, acceptance of the terms generally includes the BAA for covered services.
  • CSP scenarios: If you purchase via a Cloud Solution Provider, ensure your reseller relationship and agreement flow are established so the appropriate terms apply to your tenant.
  • Documentation of acceptance: Record the acceptance date, the agreement identifier, and the BAA/DPA version in your compliance records.
  • Custom needs: Organizations requiring tailored terms should coordinate with their Microsoft account team; custom BAAs are uncommon and may extend timelines.

HIPAA requires the business associate contract to be in writing (45 CFR 164.504(e)); the DPA incorporated into your accepted agreement is that written instrument. Confirm that your internal contracting policy recognizes agreement-based acceptance as a sufficient signature mechanism, and keep the acceptance record with the BAA so the two can be produced together.

Downloading and Managing BAA Documentation

Strong documentation management supports audits and vendor risk reviews. Treat the BAA as a living document set that may update as services evolve.

  • Central repository: Store the BAA, Data Protection Addendum, Product Terms excerpts, and relevant Microsoft Trust Center artifacts in a controlled repository.
  • Versioning and retention: Track document versions, effective dates, and renewal or true-up cycles that might update terms.
  • Evidence capture: Archive portal screenshots, access logs, and license confirmations that show your entitlement and acceptance.
  • Review cadence: Schedule periodic reviews to align your configurations with any changes to service scope or contractual language.

Include BAA artifacts in third-party risk management packages you provide to auditors or upstream partners.

Understanding Microsoft Product Terms and Data Protection Addendum

The Microsoft Product Terms enumerate Online Services and define which are in scope for the HIPAA BAA. The Data Protection Addendum embeds privacy and security commitments, including HIPAA-specific obligations, that apply to those designated services.

Use the Product Terms to verify coverage for each workload and feature you plan to use with ePHI. Then map DPA clauses—like data processing roles, breach notification, subcontractor management, and security controls—to your policies and technical configurations. This alignment creates a clear thread from contract to control to evidence.

Conclusion

To use Microsoft cloud services with ePHI, limit data to in-scope workloads, rely on the BAA within the DPA and Product Terms, and implement robust, documented controls. Download and archive the DPA/BAA and Product Terms from Microsoft’s Licensing Documents site, collect supporting audit reports from the Service Trust Portal, and maintain continuous governance so your technical posture and contractual commitments move in lockstep.

FAQs

What Microsoft services are covered under the HIPAA BAA?

Coverage extends only to Online Services Microsoft designates as HIPAA-eligible in the Product Terms. This typically includes many Azure building blocks (compute, storage, databases, integration) and core Microsoft 365 workloads (Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams), plus selected Dynamics 365 and Power Platform capabilities. Validate each service—and sometimes specific features or connectors—before using them with ePHI.

How do I access the Microsoft HIPAA BAA document?

The DPA, including its HIPAA BAA attachment, and the Product Terms are public on Microsoft’s Licensing Documents site and can be downloaded without signing in; the Microsoft Trust Center links to them. Sign in to the Service Trust Portal with a work account only when you need the accompanying audit reports. Record the document version and retrieval date with your copy.

Is a separate contract required to sign the Microsoft BAA?

Generally no. For most customers, the BAA is incorporated into the Data Protection Addendum within the Microsoft Product Terms and becomes effective when you accept your master agreement (for example, Microsoft Customer Agreement or Enterprise Agreement) and provision eligible services. Keep a record of acceptance details for audit purposes.

What steps must be followed to ensure HIPAA compliance with Microsoft services?

Confirm in-scope coverage for each workload, accept the applicable agreement that includes the BAA, and implement safeguards: strong identity and access controls, encryption in transit and at rest, logging and monitoring, data classification and DLP, incident response procedures, and workforce training. Continuously reassess risks and document evidence to demonstrate HIPAA compliance over time.
