Does Microsoft 365 sign a HIPAA BAA?

Yes. Microsoft includes a HIPAA Business Associate Agreement as part of the Microsoft Online Services Terms (OST) for commercial Microsoft 365 plans. Unlike many vendors, Microsoft does not require a separate contract — the BAA obligations are incorporated into the standard terms for Microsoft 365 Business, Enterprise, and Government plans.

Which Microsoft 365 services are covered under the HIPAA BAA?

Microsoft's BAA covers core Microsoft 365 services including Exchange Online (Outlook email), SharePoint Online, OneDrive for Business, Microsoft Teams, Microsoft Intune, Azure Active Directory, and Microsoft Purview (compliance tools). Consumer Microsoft products (Outlook.com, OneDrive personal, Xbox) are not covered.

How do I get a HIPAA BAA from Microsoft?

Microsoft's BAA is incorporated into the Online Services Terms (OST) automatically for eligible commercial plans — you do not need to request a separate document. To confirm BAA coverage, review the Microsoft OST and the HIPAA implementation guide in the Microsoft Trust Center. For Enterprise Agreements, you may also request a dedicated BAA through your Microsoft account representative.

Vendor BAA Guide

Does Microsoft 365 Sign a HIPAA Business Associate Agreement?

By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read

Key Takeaways

✓ Yes — Microsoft includes a HIPAA BAA in its standard commercial terms (OST)
✓ No separate contract needed — the BAA is built into Microsoft 365 Business and Enterprise plans
✓ Covered: Exchange Online, SharePoint, OneDrive for Business, Teams, Intune
✓ Not covered: consumer Outlook.com, OneDrive personal, Xbox, consumer accounts
✓ You still need separate BAAs with every other vendor who accesses your Microsoft-stored PHI

Direct answer: Yes — Microsoft includes HIPAA Business Associate Agreement obligations in its Online Services Terms (OST) for Microsoft 365 commercial plans. No separate contract is required. The BAA covers core services including Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams on Business and Enterprise plans.

Microsoft 365 is one of the most widely used productivity suites in healthcare — from physician practices using Outlook for scheduling to health systems storing documents in SharePoint. If PHI flows through any Microsoft service, a HIPAA BAA with Microsoft is legally required. Fortunately, Microsoft has streamlined this process considerably.

How Microsoft's BAA Works

Unlike many vendors that require a manual contract request, Microsoft incorporates its HIPAA BAA into the Microsoft Online Services Terms (OST). When your organization subscribes to a qualifying Microsoft 365 commercial plan, the BAA obligations are automatically included — you don't need to separately request or sign a BAA document.

For organizations with an Enterprise Agreement (EA), your Microsoft account representative can also provide a separate signed BAA document if your compliance or legal team requires it.

Which Plans Are Covered?

Microsoft's HIPAA BAA applies to commercial Microsoft 365 plans including:

Microsoft 365 Business Basic, Standard, and Premium
Microsoft 365 Apps for Business and Enterprise
Microsoft 365 E3 and E5
Office 365 E1, E3, E5 (legacy plans)
Microsoft 365 Government (GCC, GCC High, DoD)

Not covered: Free Microsoft accounts, consumer Outlook.com, personal OneDrive, Xbox accounts, and Microsoft's consumer products. Personal Microsoft accounts cannot be used for PHI regardless of plan.

Which Services Are Covered Under Microsoft's HIPAA BAA?

Service	HIPAA BAA Coverage
Exchange Online (Outlook email)	✓ Covered
SharePoint Online	✓ Covered
OneDrive for Business	✓ Covered
Microsoft Teams	✓ Covered (including calls and chats)
Microsoft Intune (device management)	✓ Covered
Azure Active Directory	✓ Covered
Microsoft Purview (compliance tools)	✓ Covered
Microsoft Forms	✓ Covered
Outlook.com (consumer)	✗ Not covered
OneDrive personal (consumer)	✗ Not covered
LinkedIn, Bing, Xbox	✗ Not covered
Power Apps / Power Automate	Requires separate Azure BAA

What to Check in the Microsoft Trust Center

Microsoft's Trust Center (microsoft.com/en-us/trust-center) provides its current HIPAA compliance documentation including:

The HIPAA and HITECH compliance overview
The list of in-scope services updated by Microsoft
The Microsoft Online Services Terms that contain the BAA
Microsoft's HIPAA implementation guide (audit checklists)

Review the in-scope services list annually — Microsoft occasionally adds or removes services from HIPAA coverage.

What Else You Need After the Microsoft BAA

The Microsoft BAA covers Microsoft's obligations. Your organization's compliance obligations don't end there:

BAAs with other vendors — if staff share PHI via Microsoft Teams with a third-party telehealth app, that app needs its own BAA
Microsoft 365 third-party integrations — apps added through the Microsoft App Store each require their own BAA assessment
Azure services — if your organization uses Azure separately (e.g., for AI or database workloads involving PHI), Azure has its own BAA under the Azure OST
Your own policies — Microsoft provides compliant infrastructure; your organization must implement access controls, training, and audit log reviews

Still need BAAs with your other vendors?

Microsoft's BAA only covers Microsoft. Generate BAAs for your other business associates in minutes — free to start.

Generate BAA for Free →