Does Microsoft Azure Sign a HIPAA Business Associate Agreement?

By BAA Generator Research Team  ·  Published Apr 19, 2026  ·  Last reviewed Apr 28, 2026  ·  4 min read

How Azure's HIPAA BAA Works

Azure's HIPAA Business Associate Agreement is embedded in the Microsoft Online Services Terms (OST) and Microsoft Products and Services Agreement (MPSA). Unlike many vendors that require separate paperwork or a sales call, Microsoft makes the BAA part of its standard customer agreement.

When your organization signs up for Azure and accepts the Online Services Terms, you are accepting the BAA provisions for all HIPAA-eligible Azure services. There is no additional form to complete, no check-box to click, and no sales representative required for most deployments.

This is one of Azure's significant advantages for healthcare organizations — the compliance framework is built into the commercial relationship from day one.

Azure Services Covered Under the HIPAA BAA

Microsoft maintains a comprehensive list of HIPAA-eligible services. The following table shows common services used in healthcare workloads:

This is not an exhaustive list. Microsoft publishes a full HIPAA-eligible services list at their Trust Center. Always check the current list before deploying PHI to a new Azure service.

Azure's Shared Responsibility Model for HIPAA

Having a BAA with Microsoft Azure means Microsoft accepts responsibility for the security and compliance of Azure's infrastructure. However, HIPAA compliance under the shared responsibility model means your organization is also responsible for:

• Configuring Azure services securely (encryption at rest and in transit, network controls)
• Implementing access controls and identity management (Azure AD, RBAC)
• Enabling and reviewing audit logs (Azure Monitor, Azure Security Center)
• Your applications running on Azure — the BAA covers Azure infrastructure, not your code
• Executing BAAs with any SaaS vendors or third-party tools integrated with your Azure environment

Azure HIPAA Architecture Resources

Microsoft provides substantial HIPAA compliance support for healthcare organizations:

• Azure HIPAA/HITECH Compliance Blueprint — reference architecture for healthcare workloads
• Azure Policy definitions for HIPAA controls
• Microsoft Defender for Cloud health score aligned to HIPAA controls
• Azure Health Data Services (FHIR, DICOM, MedTech service)

Also see our related guide: Does Microsoft 365 sign a HIPAA BAA?

Frequently Asked Questions

Does Microsoft Azure sign a HIPAA BAA?

Yes — Azure's HIPAA BAA is included in the Microsoft Online Services Terms, accepted by all Azure customers. No additional paperwork required for most services.

How do I activate the Azure HIPAA BAA?

It is activated automatically when you accept the Microsoft Online Services Terms. Review the HIPAA-eligible services list at Microsoft's Trust Center to confirm which services are covered for your specific use case.

Which Azure services are covered under the HIPAA BAA?

Hundreds of services are covered including Azure Blob Storage, SQL Database, Virtual Machines, Active Directory, AKS, and Azure API for FHIR. Check Microsoft's current HIPAA-eligible services list before deploying PHI to any new service.

Is Azure HIPAA compliant for storing PHI?

Azure infrastructure is covered and the BAA is in place. Your organization is responsible for configuring services securely, implementing access controls, and ensuring the applications running on Azure are also compliant.

For a broader look at which vendors sign HIPAA BAAs, see our vendor BAA lookup guide.