What Microsoft says officially
Microsoft’s HIPAA and HITECH offering page says the company enters into a Business Associate Agreement with covered-entity and business-associate customers. The agreement is provided through Microsoft’s Data Protection Addendum by default rather than through a separately negotiated signature process.
The same page publishes the service boundary. Its commercial list includes Exchange Online, Forms, Microsoft Teams, Office Online, OneDrive for Business, SharePoint Online, and other named services. Government-cloud lists differ. A product name appearing somewhere in the Microsoft ecosystem is not enough; the organization should confirm that the exact service and cloud environment are in scope.
Microsoft’s compliance guidance also makes the division of responsibility explicit. A BAA supports the customer’s program but does not cause a deployment or workflow to meet HIPAA requirements automatically. That documented BAA and broad in-scope list support a positive verdict, with important conditions on use.
What this means for a medical practice
Microsoft 365 can carry PHI through many routes. An intake arrives in Forms, creates an email in Exchange, saves an attachment in OneDrive, posts a notification in Teams, and is later copied to SharePoint. Each individual service may appear on Microsoft’s list while the workflow still exposes too much information through broad sharing, a guest account, a forwarding rule, or an unreviewed connector.
Consumer Microsoft accounts are also not interchangeable with a practice-managed tenant. The practice needs ownership of identities, licenses, access policies, and offboarding. Personal OneDrive or Outlook use should not be assumed to fall under the organization’s contract.
This is the vendor-chain issue behind a HIPAAconscious medical website : the website is only one entry point. Our healthcare marketing guide likewise separates public outreach data from clinical communications that need tighter controls.
How to use it safely
- Confirm the practice’s licensing agreement incorporates the current Microsoft Data Protection Addendum and retain the BAA terms.
- Check each service and cloud environment against Microsoft’s current in-scope list before placing PHI there.
- Use organization-managed accounts, multifactor authentication, least-privilege roles, and prompt offboarding.
- Restrict external sharing, guest access, forwarding, public links, and unmanaged device downloads according to the practice’s risk analysis.
- Set retention and deletion rules for email, files, chats, recordings, and audit records.
- Inventory Power Automate flows, add-ins, marketplace apps, backup tools, and other connectors separately. Obtain agreements where required.
- Test a representative patient workflow and record where every copy is created.
Compliant alternatives
Google Workspace provides a BAA acceptance path and a published list of included functionality for organizations that prefer Google’s managed suite. Zoom offers a narrower video-conferencing route through eligible paid accounts and its own BAA.
Assign an administrator to review Microsoft’s current in-scope list and tenant configuration after licensing, feature, integration, or organizational changes.
Bottom line
Microsoft documents a BAA that applies by default to eligible customers and lists major Microsoft 365 services in scope. Use only those listed services inside a managed tenant, then configure identities, sharing, retention, and connected apps as part of the practice’s own compliance program.