Is Microsoft Teams HIPAA Compliant? What Healthcare Practices Need to Know
Microsoft Teams can be used in a HIPAA-compliant way. The Business Associate Agreement that HIPAA requires is extended by default to qualifying accounts, so the harder question is not whether Microsoft Teams can hold PHI, but whether your configuration actually earns that protection.
Microsoft Teams is a HIPAA in-scope service under the Microsoft 365 Business Associate Agreement, which Microsoft extends by default to eligible customers. Teams can hold PHI once that BAA applies and the service is configured correctly.
Plan / requirement: Covered by the Microsoft 365 BAA on Business Standard, Business Premium, Enterprise, or Government plans. Teams is explicitly an in-scope service.
Sources: Microsoft HIPAA/HITECH compliance offering (Teams in-scope); "How do I make Teams HIPAA compliant?" (Microsoft Q&A). Last verified 2026-06-14.
What HIPAA actually requires here
HIPAA does not certify software. It requires that any vendor handling Protected Health Information on your behalf sign a Business Associate Agreement and uphold the Security Rule safeguards. For Microsoft Teams, that mechanism works like this:
No separate signing. The Microsoft HIPAA BAA is included in the Online Services Data Protection Addendum by default and covers Teams as an in-scope service.
The conditions that decide whether you are actually covered:
- Teams is in-scope only on BAA-eligible Microsoft 365 plans, not on free or consumer tiers.
- The BAA alone is not compliance; Teams must be configured with appropriate controls.
Where the vendor stops and you begin
The most expensive misunderstanding in healthcare practices is assuming a signed BAA finishes the job. It does not. Compliance is shared:
| Party | Where responsibility sits |
|---|---|
| Microsoft | Secures the platform and extends the BAA covering Teams. |
| Your practice | Enforces MFA, controls external access and guest sharing, and sets meeting and chat retention. |
| Your practice | Restricts recording and transcription of PHI conversations to covered, access-controlled storage. |
Compliance review
Not sure your Microsoft Teams setup holds up to an audit?
Cobrix runs a configuration review against the actual healthcare rules your practice operates under, then fixes what does not pass.
Configuring Microsoft Teams the right way
A defensible Microsoft Teams deployment in a healthcare practice comes down to a short, ordered checklist:
- Confirm the tenant is on a BAA-eligible Microsoft 365 plan.
- Enforce MFA via Conditional Access for all Teams users.
- Restrict external and guest access in clinical or PHI-bearing teams.
- Control meeting recording and transcription so PHI is not stored outside covered services.
- Apply retention and DLP policies to Teams chat and channel messages.
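The checklist above is only useful if someone can show, on a given date, that each item actually held in the tenant. The read-only audit below is an added example written for this page; it is not code from the original page or from Cobrix. It assumes the MicrosoftTeams, Microsoft.Graph (Identity.SignIns and Identity.DirectoryManagement) and ExchangeOnlineManagement modules are installed, that the caller has read rights in Entra ID, Teams and the compliance portal, and that the cmdlet and property names match the currently documented module versions (Microsoft renames settings over time, so verify against what you have installed). The Teams application id used for the Conditional Access check is the documented first-party id and should likewise be confirmed in your tenant. Plan eligibility is a licensing question the script cannot decide, so it lists the assigned SKUs and leaves that item as a manual check.

```powershell
#Requires -Modules MicrosoftTeams, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement, ExchangeOnlineManagement
# Added example (not the page's or Cobrix's code): read-only audit of the five checklist items.
# Property names are assumed to match current module documentation; verify locally.

Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes 'Policy.Read.All', 'Organization.Read.All' -NoWelcome
Connect-IPPSSession   # Security & Compliance PowerShell: retention and DLP policies

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. BAA-eligible plan: cannot be decided from configuration alone, so list the
#    assigned SKUs for the reviewer and record the item as a manual check.
$skus = (Get-MgSubscribedSku | Select-Object -ExpandProperty SkuPartNumber) -join ', '
Add-Finding 'BAA-eligible plan (manual check)' $false "Assigned SKUs: $skus; confirm against BAA-eligible plans"

# 2. MFA via Conditional Access: an enabled policy that requires MFA for all users
#    and covers either all cloud apps or Microsoft Teams specifically.
$teamsAppId = 'cc15fd57-2c6c-4117-a88c-83b1d56b4bbe'   # documented Microsoft Teams app id (assumption: verify in your tenant)
$mfaPolicies = @(Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    ($_.Conditions.Applications.IncludeApplications -contains 'All' -or
     $_.Conditions.Applications.IncludeApplications -contains $teamsAppId)
})
$mfaNames = if ($mfaPolicies.Count -gt 0) { $mfaPolicies.DisplayName -join ', ' } else { 'none' }
Add-Finding 'MFA enforced via Conditional Access' ($mfaPolicies.Count -gt 0) "Matching enabled policies: $mfaNames"

# 3. External and guest access at tenant level. Per-team guest restrictions are
#    applied through sensitivity labels or group settings and are reviewed separately.
$client = Get-CsTeamsClientConfiguration -Identity Global
$fed    = Get-CsTenantFederationConfiguration
$externalOpen = [bool]$client.AllowGuestUser -or [bool]$fed.AllowPublicUsers -or [bool]$fed.AllowTeamsConsumer
Add-Finding 'External/guest access restricted' (-not $externalOpen) `
    "AllowGuestUser=$($client.AllowGuestUser) AllowFederatedUsers=$($fed.AllowFederatedUsers) AllowPublicUsers=$($fed.AllowPublicUsers) AllowTeamsConsumer=$($fed.AllowTeamsConsumer)"

# 4. Recording and transcription in the Global meeting policy. A pass here means both
#    are off tenant-wide; if they are on, the detail line tells the reviewer to confirm
#    that recordings land only in covered storage and that only the policies that
#    genuinely need recording allow it.
$meet = Get-CsTeamsMeetingPolicy -Identity Global
$recordingOff = -not [bool]$meet.AllowCloudRecording -and -not [bool]$meet.AllowTranscription
Add-Finding 'Recording/transcription controlled' $recordingOff `
    "AllowCloudRecording=$($meet.AllowCloudRecording) AllowTranscription=$($meet.AllowTranscription); if allowed, confirm storage is a covered service and scope the policy"

# 5. Retention and DLP policies that actually include Teams chat and channel locations.
$retention = @(Get-RetentionCompliancePolicy | Where-Object {
    $_.Enabled -and ($_.TeamsChatLocation -or $_.TeamsChannelLocation)
})
$dlp = @(Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' -and $_.TeamsLocation })
Add-Finding 'Retention covers Teams chat/channels' ($retention.Count -gt 0) "Policies: $($retention.Name -join ', ')"
Add-Finding 'DLP covers Teams'                     ($dlp.Count -gt 0)       "Policies: $($dlp.Name -join ', ')"

$findings | Format-Table -AutoSize
# The page's point is the paper trail: keep the dated report with the audit file.
$findings | Export-Csv -Path ".\teams-hipaa-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it from an account with read-only roles (Global Reader plus Compliance reader roles are enough for the queries used); it changes nothing in the tenant. Treat a Pass as "the tenant-wide setting is in the safe position", not as a complete answer: per-team guest settings, the meeting policies assigned to individual clinical users, and the retention periods themselves still need a human to read them against the practice's own policy.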
Mistakes that quietly void compliance
- Using a free Teams or personal Microsoft account for PHI, which carries no BAA.
- Leaving guest access open so external parties reach PHI channels.
- Recording clinical meetings to uncontrolled locations.
Where Cobrix fits
Cobrix is a California MSP/MSSP that configures and monitors tools like Microsoft Teams for healthcare practices, then documents the controls so they survive an audit. The software gives you the BAA; the configuration, monitoring, and paper trail are what actually keep you compliant. That is the part we own.
Free resource
Microsoft Teams HIPAA setup checklist
The exact configuration steps above, formatted as a printable checklist your team can work through and keep on file.
Frequently asked questions
Is Microsoft Teams HIPAA compliant?
Microsoft Teams is a HIPAA in-scope service under the Microsoft 365 Business Associate Agreement, which Microsoft extends by default to eligible customers. Teams can hold PHI once that BAA applies and the service is configured correctly.
How do I get a BAA with Microsoft Teams?
No separate signing. The Microsoft HIPAA BAA is included in the Online Services Data Protection Addendum by default and covers Teams as an in-scope service.
What plan do I need for Microsoft Teams to be HIPAA compliant?
Covered by the Microsoft 365 BAA on Business Standard, Business Premium, Enterprise, or Government plans. Teams is explicitly an in-scope service.
Does a BAA alone make Microsoft Teams compliant?
No. HIPAA compliance follows a shared-responsibility model. The vendor secures the platform; your practice is responsible for configuration, access controls, and staff handling of PHI.