Vendor BAA Guide

Does Microsoft Azure Sign a HIPAA Business Associate Agreement?

Q: Does Microsoft Azure sign a HIPAA BAA?

Yes — Microsoft Azure signs a HIPAA BAA as part of the Microsoft Online Services Terms (OST). The BAA is included at no additional cost and covers hundreds of Azure services. Customers accept it when they agree to the Online Services Terms — no separate paperwork is required for most services.

Q: How do I activate the Azure HIPAA BAA?

The Azure HIPAA BAA is included in the Microsoft Online Services Terms (OST), which customers accept when signing up for Azure. There is no separate activation step required for most services. Review the Microsoft HIPAA/HITECH compliance documentation to understand which services are covered.

Q: Which Azure services are covered under the HIPAA BAA?

Hundreds of Azure services are covered, including Azure Blob Storage, Azure SQL Database, Azure Virtual Machines, Azure Active Directory, Azure Kubernetes Service, Azure Functions, Azure App Service, and many more. Microsoft publishes a full list of HIPAA-eligible services. Always check the current list before deploying PHI workloads to a new service.

Q: Is Azure HIPAA compliant for storing PHI?

Azure provides the infrastructure and BAA to support HIPAA-compliant storage and processing of PHI. However, HIPAA compliance is a shared responsibility — you must also implement proper access controls, encryption, audit logging, and operational safeguards in your own applications and workflows running on Azure.

By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read

Key Takeaways

✓ Yes — Azure's HIPAA BAA is included in the Microsoft Online Services Terms at no extra cost
✓ Hundreds of Azure services are covered, including Storage, SQL, VMs, and Active Directory
✓ No separate paperwork required — BAA is accepted when you agree to the Online Services Terms
✓ Azure provides HIPAA architecture guides and compliance blueprints for healthcare workloads

Direct answer: Yes — Microsoft Azure signs a HIPAA BAA as part of its Online Services Terms (OST). The BAA is available to all Azure customers at no additional cost and is accepted automatically when you agree to the OST. Hundreds of Azure services are covered. Always verify the current HIPAA-eligible services list before deploying PHI workloads to a new Azure service.

How Azure's HIPAA BAA Works

Azure's HIPAA Business Associate Agreement is embedded in the Microsoft Online Services Terms (OST) and Microsoft Products and Services Agreement (MPSA). Unlike many vendors that require separate paperwork or a sales call, Microsoft makes the BAA part of its standard customer agreement.

When your organization signs up for Azure and accepts the Online Services Terms, you are accepting the BAA provisions for all HIPAA-eligible Azure services. There is no additional form to complete, no check-box to click, and no sales representative required for most deployments.

This is one of Azure's significant advantages for healthcare organizations — the compliance framework is built into the commercial relationship from day one.

Azure Services Covered Under the HIPAA BAA

Microsoft maintains a comprehensive list of HIPAA-eligible services. The following table shows common services used in healthcare workloads:

Azure Service	HIPAA BAA Covered?	Common Healthcare Use
Azure Blob Storage	Yes	Medical imaging storage, document archiving
Azure SQL Database	Yes	EHR data storage, claims processing
Azure Virtual Machines	Yes	Healthcare application hosting
Azure Active Directory	Yes	Identity and access management
Azure Kubernetes Service	Yes	Containerized healthcare apps
Azure Functions	Yes	Serverless healthcare workflows
Azure App Service	Yes	Patient portal hosting
Azure Cognitive Services / AI	Yes (most services)	Clinical NLP, medical imaging AI
Azure Data Factory	Yes	HL7/FHIR data pipelines
Azure API for FHIR	Yes	FHIR-compliant health data exchange

This is not an exhaustive list. Microsoft publishes a full HIPAA-eligible services list at their Trust Center. Always check the current list before deploying PHI to a new Azure service.

Azure's Shared Responsibility Model for HIPAA

Having a BAA with Microsoft Azure means Microsoft accepts responsibility for the security and compliance of Azure's infrastructure. However, HIPAA compliance under the shared responsibility model means your organization is also responsible for:

Configuring Azure services securely (encryption at rest and in transit, network controls)
Implementing access controls and identity management (Azure AD, RBAC)
Enabling and reviewing audit logs (Azure Monitor, Azure Security Center)
Your applications running on Azure — the BAA covers Azure infrastructure, not your code
Executing BAAs with any SaaS vendors or third-party tools integrated with your Azure environment

Azure HIPAA Architecture Resources

Microsoft provides substantial HIPAA compliance support for healthcare organizations:

Azure HIPAA/HITECH Compliance Blueprint — reference architecture for healthcare workloads
Azure Policy definitions for HIPAA controls
Microsoft Defender for Cloud health score aligned to HIPAA controls
Azure Health Data Services (FHIR, DICOM, MedTech service)

Also see our related guide: Does Microsoft 365 sign a HIPAA BAA?

Frequently Asked Questions

Does Microsoft Azure sign a HIPAA BAA?

Yes — Azure's HIPAA BAA is included in the Microsoft Online Services Terms, accepted by all Azure customers. No additional paperwork required for most services.

How do I activate the Azure HIPAA BAA?

It is activated automatically when you accept the Microsoft Online Services Terms. Review the HIPAA-eligible services list at Microsoft's Trust Center to confirm which services are covered for your specific use case.

Which Azure services are covered under the HIPAA BAA?

Hundreds of services are covered including Azure Blob Storage, SQL Database, Virtual Machines, Active Directory, AKS, and Azure API for FHIR. Check Microsoft's current HIPAA-eligible services list before deploying PHI to any new service.

Is Azure HIPAA compliant for storing PHI?

Azure infrastructure is covered and the BAA is in place. Your organization is responsible for configuring services securely, implementing access controls, and ensuring the applications running on Azure are also compliant.

For a broader look at which vendors sign HIPAA BAAs, see our vendor BAA lookup guide.

Note: Vendor BAA policies change. Verify current terms directly with Microsoft Azure before making compliance decisions.

Need your side of the BAA?

Azure provides their BAA — but you still need to execute BAAs with all your other vendors. Generate one in minutes.

Generate BAA for Free →