Vendor documentation review

Is Microsoft Teams HIPAA Compliant? (2026 Verdict)

Conditionally

Microsoft Teams is covered as an in-scope service under Microsoft's BAA for eligible customers, with tenant and workflow configuration still required.

Last verified:

At a glance

BAA available
Yes
Plan required
Eligible Microsoft commercial or government cloud license
Configuration required
Confirm BAA scope, manage identities, configure meetings and sharing, govern recordings and retention, and review apps.
Category
Video Conferencing

What Microsoft says officially

Microsoft’s HIPAA and HITECH offering page lists Microsoft Teams among in-scope commercial and government cloud services. It says the Microsoft BAA is available through the Data Protection Addendum by default to eligible covered entities and business associates.

That agreement covers the named Microsoft service, not every tenant configuration or third-party app. Teams administrators control meeting policies for areas such as participation, content sharing, and recordings. Microsoft separately documents recording management , including storage and policy behavior.

Teams therefore receives a conditional verdict. The vendor contract and in-scope status are documented, while the organization remains responsible for identities, policies, guests, apps, records, and its HIPAA program.

What this means for a medical practice

Teams can carry PHI through chat, channels, meetings, files, transcripts, recordings, whiteboards, notifications, and connected Microsoft services. A meeting recording may move into OneDrive or SharePoint. A channel may include guests. An app or bot may receive content from messages.

Using the same platform for internal collaboration and patient visits increases the need for clear boundaries. Staff should know where clinical communication is allowed, which teams and channels are private, and what must stay in the EHR. Patient access should not accidentally expose organizational directories or unrelated conversations.

Notifications can reveal information on lock screens and in email digests, while search can make old conversations easy to rediscover. Configure the tenant with those secondary surfaces in mind. Channel naming should avoid diagnoses, and staff should not move a patient discussion into a broader team merely because it is easier to find. Retention rules should be coordinated with the clinical record policy rather than left at convenience defaults.

A HIPAAconscious medical website can link to an approved visit but should not publish reusable meeting credentials or patient context. A careful patient engagement workflow gives participants support and privacy instructions without placing clinical facts in open notifications.

How to use it safely

  1. Confirm the practice’s license and cloud environment appear within Microsoft’s current BAA scope.
  2. Retain the applicable Data Protection Addendum and BAA terms with vendor records.
  3. Use managed identities, multifactor authentication, minimum roles, conditional access where appropriate, and prompt offboarding.
  4. Configure and lock meeting, guest, chat, federation, file-sharing, and external-access policies.
  5. Decide whether recording, transcription, AI, and whiteboards are allowed; document storage, access, and retention for each.
  6. Restrict private channels and patient meetings to intended participants and verify join behavior.
  7. Review marketplace apps, bots, connectors, EHR integrations, email, OneDrive, and SharePoint separately.
  8. Test a fictional encounter through invitation, joining, chat, files, recording, sharing, export, and deletion.

Compliant alternatives

Zoom offers a direct BAA workflow for eligible paid accounts and can provide a narrower standalone meeting environment. Google Meet is covered within an eligible managed Workspace organization after the administrator accepts Google’s BAA.

Repeat policy and app reviews whenever the tenant adds a clinical team, guest workflow, recording feature, or connector.

Bottom line

Microsoft Teams is an in-scope service under Microsoft’s BAA for eligible customers. Use it conditionally inside a managed tenant with deliberate meeting, guest, chat, recording, file, retention, and app policies.

Frequently asked questions

Does Microsoft's BAA cover Teams?

Yes. Microsoft lists Teams among in-scope commercial and government cloud services covered by its BAA for eligible customers.

Does a practice sign a separate Teams BAA?

Microsoft says its BAA is available through the Data Protection Addendum by default for eligible covered entities and business associates, rather than as a Teams-only agreement.

Are Teams apps covered automatically?

No. Marketplace apps, bots, connectors, and other third-party services require their own scope and contract review.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review