Is Microsoft 365 HIPAA Compliant? What Healthcare Practices Need to Know

Microsoft 365 can be used in a HIPAA-compliant way. The Business Associate Agreement that HIPAA requires is extended by default to qualifying accounts, so the harder question is not whether Microsoft 365 can hold PHI, but whether your configuration actually earns that protection.

Yes, with a BAA

Microsoft 365 can be used in a HIPAA-compliant way. Microsoft extends its HIPAA Business Associate Agreement by default to eligible customers through the Online Services Data Protection Addendum, with no separate document to sign.

Plan requirement: Business Standard, Business Premium, Enterprise, or Government plans qualify. Microsoft 365 Business Premium is Cobrix's standard stack.

Sources: Microsoft HIPAA/HITECH compliance offering; Microsoft General HIPAA BAA (Service Trust Portal). Last verified 2026-06-14.

What HIPAA actually requires here

HIPAA does not certify software. It requires that any vendor handling Protected Health Information on your behalf sign a Business Associate Agreement and uphold the Security Rule safeguards. For Microsoft 365, that mechanism works like this:

The BAA is included automatically in Microsoft's Online Services Data Protection Addendum (DPA). A copy can be retrieved from the Microsoft Service Trust Portal for your compliance records.

The conditions that decide whether you are actually covered:

Where the vendor stops and you begin

The most expensive misunderstanding in healthcare practices is assuming a signed BAA finishes the job. It does not. Compliance is shared:

Where responsibility sits
Microsoft secures the underlying cloud platform and signs the BAA.
You are responsible for enabling MFA, configuring access controls, setting data-loss-prevention and retention policies, and training staff.
ePHI placed in unconfigured or personal-tier accounts falls outside the BAA's protection.

Compliance review

Not sure your Microsoft 365 setup holds up to an audit?

Cobrix runs a configuration review against the actual healthcare rules your practice operates under, then fixes what does not pass.

Configuring Microsoft 365 the right way

A defensible Microsoft 365 deployment in a healthcare practice comes down to a short, ordered checklist:

  1. Confirm your tenant is on a BAA-eligible plan (Business Premium or higher).
  2. Enforce multi-factor authentication for every user via Entra ID Conditional Access.
  3. Turn on audit logging and configure retention to meet your documentation requirements.
  4. Apply data-loss-prevention policies that flag or block ePHI leaving the tenant.
  5. Restrict third-party app consent so unvetted add-ins cannot reach mailbox data.
  6. Download and file the BAA from the Service Trust Portal.
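An added, read-only check of the checklist above (example code, not Cobrix's or Microsoft's own tooling); it assumes the Microsoft Graph and ExchangeOnlineManagement PowerShell modules are installed and the signed-in account holds a read-only role, and the SKU name "SPB" and the legacy consent-policy identifier are assumptions you should confirm against your own tenant. Step 6 is a manual filing step, so it is only recorded, not tested.

```powershell
# Read-only audit of the checklist items above. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and the signed-in account has a
# read-only role (e.g. Global Reader, plus a compliance-reader role for DLP).
Connect-MgGraph -Scopes "Policy.Read.All", "Organization.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false   # Exchange Online: audit log config
Connect-IPPSSession                          # Security & Compliance: DLP policies

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Item, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail })
}

# 1. BAA-eligible plan. Assumption: "SPB" is the SKU part number for Microsoft 365
#    Business Premium. Enterprise and Government SKUs would need adding here, so a
#    miss means "review the listed SKUs manually", not an automatic failure.
$skus = (Get-MgSubscribedSku).SkuPartNumber
Add-Finding "BAA-eligible plan" ($skus -contains "SPB") ("Licensed SKUs: " + ($skus -join ", "))

# 2. MFA for every user via Conditional Access. Only an *enabled* policy counts:
#    report-only policies ("enabledForReportingButNotEnforced") enforce nothing.
$mfa = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.Conditions.Applications.IncludeApplications -contains "All" -and
    $_.GrantControls.BuiltInControls -contains "mfa"
}
Add-Finding "MFA enforced for all users" ([bool]$mfa) ("Matching policies: " + (($mfa.DisplayName) -join ", "))

# 3. Unified audit log ingestion switched on (retention is configured separately).
$audit = Get-AdminAuditLogConfig
Add-Finding "Audit logging enabled" ([bool]$audit.UnifiedAuditLogIngestionEnabled) "UnifiedAuditLogIngestionEnabled=$($audit.UnifiedAuditLogIngestionEnabled)"

# 4. At least one DLP policy in enforcement mode; the test modes only simulate.
$dlp = Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq "Enable" }
Add-Finding "DLP policy enforced" ([bool]$dlp) ("Enforced policies: " + (($dlp.Name) -join ", "))

# 5. Third-party app consent. Assumption: the "legacy" grant policy below is the
#    setting that lets any user consent to any app; an empty list is admin-only.
$grant = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
$legacy = $grant -contains "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
Add-Finding "User app consent restricted" (-not $legacy) ("Assigned grant policies: " + (($grant -join ", ") -replace '^$', '(none: admin-only)'))

# 6. Filing the BAA from the Service Trust Portal is a manual step; record it so
#    the report shows it as outstanding until someone confirms the copy is on file.
Add-Finding "BAA downloaded and filed" $false "Manual: confirm the Service Trust Portal copy is in your records"

$findings | Format-Table -AutoSize
```

Run it from an account that can read but not change policy, and keep the table output with the filed BAA as part of the audit trail.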

Mistakes that quietly void compliance

Where Cobrix fits

Cobrix is a California MSP/MSSP that configures and monitors tools like Microsoft 365 for healthcare practices, then documents the controls so they survive an audit. The software gives you the BAA; the configuration, monitoring, and paper trail are what actually keep you compliant. That is the part we own.

Free resource

Microsoft 365 HIPAA setup checklist

The exact configuration steps above, formatted as a printable checklist your team can work through and keep on file.

Frequently asked questions

Is Microsoft 365 HIPAA compliant?

Microsoft 365 can be used in a HIPAA-compliant way. Microsoft extends its HIPAA Business Associate Agreement by default to eligible customers through the Online Services Data Protection Addendum, with no separate document to sign.

How do I get a BAA with Microsoft 365?

The BAA is included automatically in Microsoft's Online Services Data Protection Addendum (DPA). A copy can be retrieved from the Microsoft Service Trust Portal for your compliance records.

What plan do I need for Microsoft 365 to be HIPAA compliant?

Business Standard, Business Premium, Enterprise, or Government plans qualify. Microsoft 365 Business Premium is Cobrix's standard stack.

Does a BAA alone make Microsoft 365 compliant?

No. HIPAA compliance follows a shared-responsibility model. The vendor secures the platform; your practice is responsible for configuration, access controls, and staff handling of PHI.