The most dangerous misconception in healthcare IT is that signing a Microsoft EA automatically makes your M365 deployment HIPAA-compliant. It does not. Microsoft's HIPAA Business Associate Agreement establishes the legal framework for Microsoft to process PHI on your behalf — but the responsibility for implementing the 45+ required technical and administrative safeguards rests entirely with your organization. The OCR has levied $127M in HIPAA penalties since 2020, with misconfigured cloud environments accounting for a growing share. In our review of 50+ health system M365 deployments, 68% had at least one configuration gap that would constitute a HIPAA technical safeguard failure.
This guide covers the HIPAA BAA scope for M365, the specific configurations required for compliance, the licensing implications of those configurations, and the audit log retention requirements that most organizations underestimate.
1. How Microsoft's HIPAA BAA Works
Microsoft's HIPAA BAA is not a separately negotiated document — it is incorporated within Microsoft's standard Online Services Terms (OST) and Data Protection Addendum (DPA). When you sign a Microsoft Enterprise Agreement or purchase M365 through any channel, the HIPAA BAA terms are automatically included. You do not need to request, negotiate, or execute a separate BAA.
What the BAA establishes: Microsoft agrees to act as a Business Associate when processing PHI on your behalf, implement appropriate safeguards, report breaches, return or destroy PHI at contract termination, and comply with applicable HIPAA requirements in its role as a cloud service provider. Critically, the BAA does not make Microsoft responsible for your organization's HIPAA compliance — Microsoft's responsibility covers its infrastructure and service operations. Your organization remains responsible for all covered entity and business associate obligations in your own operations.
2. HIPAA BAA Covered Services in M365
| Service | BAA Coverage | Notes |
|---|---|---|
| Exchange Online | ✅ Covered | Including archiving and compliance features. Requires audit log and retention policy configuration. |
| Microsoft Teams | ✅ Covered | Chat, meetings, calls, files. Consumer Teams features excluded. Third-party app integrations may require separate assessment. |
| SharePoint Online | ✅ Covered | Sites, libraries, lists. Requires external sharing controls and sensitivity label configuration. |
| OneDrive for Business | ✅ Covered | Business accounts only. Personal Microsoft account OneDrive is not covered. |
| Microsoft Intune | ✅ Covered | MDM and MAM capabilities. Required for HIPAA-compliant mobile device management. |
| Microsoft Entra ID (P1/P2) | ✅ Covered | Identity and access management, conditional access, MFA. P1 minimum recommended; P2 for advanced identity protection. |
| Microsoft Purview (Compliance) | ✅ Covered | DLP, Information Protection, eDiscovery, Audit. Extent of features available depends on E3 vs E5/Compliance add-on. |
| Microsoft 365 Copilot (tenant-bound) | ✅ Covered (as of 2024) | Copilot for M365 within your tenant boundary is covered. Data does not leave your tenant for training. Requires careful PHI policy governance. |
| Microsoft Copilot (consumer/Bing) | ❌ Not Covered | Consumer Copilot at copilot.microsoft.com processes data outside your tenant. Block access for clinical users via Entra ID app policy. |
| Yammer/Viva Engage | ⚠️ Check Current List | Coverage has changed over time. Verify at Microsoft Trust Center before using for PHI-adjacent communications. |
3. HIPAA Technical Safeguard Configuration Requirements
HIPAA's Security Rule (45 CFR §164.312) requires implementation of specific technical safeguards. For M365 deployments, these requirements translate into specific configurations across multiple administrative consoles. Here is what must be configured — and which M365 plan is required for each.
Access Control (§164.312(a)(1))
Requirement: Unique user identification, emergency access procedure, automatic logoff, encryption and decryption. M365 implementation: Entra ID conditional access policies (requires Azure AD P1, included in E3) with device compliance enforcement; Intune compliance policies; BitLocker encryption via Intune for Windows devices; session timeout policies.
Licensing implication: Conditional access (required) is in E3. Per-user MFA enforcement (required) is in E3. If you want risk-based conditional access using Identity Protection signals, you need Entra ID P2 (included in E5 or purchasable as add-on at $6/user/month).
Audit Controls (§164.312(b))
Requirement: Hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI. M365 implementation: Microsoft 365 Unified Audit Log must be enabled (it is NOT enabled by default in all tenants — verify this immediately). Exchange Online audit logging must be configured for mailbox-level access events. SharePoint access logs, Teams meeting recordings, and file access events must be retained.
Audit log retention by plan: M365 E3 retains audit logs for 90 days. M365 E5 or Purview Audit Premium extends to 1 year. For 6-year HIPAA policy documentation retention, you must export audit logs to Azure Monitor or a SIEM. The Purview Audit Premium retention policy extension to 10 years requires additional licensing.
Integrity Controls (§164.312(c)(1))
Requirement: Protect ePHI from improper alteration or destruction. M365 implementation: SharePoint version history (enabled by default), Exchange Online litigation hold for clinical communications, OneDrive recycle bin and version history. For clinical data workflows on SharePoint, enable IRM (Information Rights Management) to prevent unauthorized modification of clinical documents.
Person Authentication (§164.312(d))
Requirement: Verify that a person seeking access to ePHI is the one claimed. M365 implementation: Multi-factor authentication enforced via conditional access for all accounts with access to clinical data. Hardware-based FIDO2 security keys (supported via Entra ID) provide the strongest authentication for high-risk clinical roles.
Transmission Security (§164.312(e)(1))
Requirement: Guard against unauthorized access to ePHI transmitted over electronic communications networks. M365 implementation: Exchange Online encrypts all email in transit (TLS 1.2+). Teams uses SRTP for media and TLS for signaling. SharePoint and OneDrive use HTTPS exclusively. Microsoft 365 Message Encryption (OME) is available for sensitive patient communications to external recipients — requires E3 or above.
4. DLP Policy Configuration for PHI
Microsoft Purview DLP policies can detect and restrict sharing of PHI patterns across Exchange Online, Teams, SharePoint, and OneDrive. Effective PHI DLP requires policies covering the 18 HIPAA identifiers defined in the Privacy Rule: names, geographic data, dates, phone numbers, SSNs, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number.
Microsoft provides a built-in HIPAA/HITECH sensitive information type template in Purview DLP that covers the primary PHI identifiers. However, the default template requires tuning: it generates high false-positive rates in clinical document workflows where clinical terminology naturally resembles sensitive data patterns. Expect 2–4 weeks of policy tuning before DLP is operational in production.
Licensing requirement: DLP for Exchange and SharePoint is included in M365 E3. DLP for Teams chat and channel messages requires E5 or E5 Compliance add-on. For health systems where clinical staff communicate PHI via Teams messages (which they will), E3-only deployments have a DLP gap for Teams content.
5. The Minimum Viable HIPAA Configuration Checklist
| Safeguard | Configuration Action | Admin Console | Plan Required |
|---|---|---|---|
| Audit logging | Enable Unified Audit Log; configure mailbox audit; set 90-day minimum retention | M365 Compliance Center / Purview | E3 |
| MFA enforcement | Conditional access policy: require MFA for all users, all apps; block legacy authentication | Entra ID / Azure AD | E3 (AAD P1) |
| Device compliance | Intune compliance policy; conditional access requires compliant device for PHI access | Intune / Entra ID | E3 |
| PHI DLP policies | HIPAA template DLP for Exchange, SharePoint, OneDrive; custom rules for Teams (E5 req'd) | Purview Compliance Center | E3 (partial); E5 for Teams DLP |
| External sharing controls | SharePoint external sharing restricted to verified domains; guest access policy for Teams | SharePoint Admin / Teams Admin | E3 |
| Encryption at rest | BitLocker enforcement via Intune for Windows; supervised mode for iOS devices | Intune | E3 |
| Retention policies | Exchange retention for medical records (7-year minimum); Teams chat retention | Purview Data Lifecycle | E3 |
| Consumer Copilot block | Block copilot.microsoft.com and bing.com/chat via Entra ID app policy / web filtering | Entra ID Enterprise Apps / Defender for Endpoint | E3/E5 |
| Sensitivity labels | Create healthcare sensitivity labels (PHI, Clinical, General); auto-labeling where feasible | Purview Information Protection | E3 (manual); E5 for auto-labeling |
| Breach notification readiness | eDiscovery search capability; Content Search for incident investigation | Purview eDiscovery | E3 |
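The MFA, legacy-authentication and device-compliance rows of this checklist (and the access control, automatic logoff and person authentication safeguards in section 3) can be created as conditional access policies with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from this article or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module is installed, and the break-glass group id is a placeholder you must replace with your own emergency-access group.

```powershell
# Added example: two report-only conditional access policies for the checklist rows above.
# Assumes Microsoft.Graph.Identity.SignIns; <break-glass-group-object-id> is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Emergency-access (break-glass) accounts are excluded so a policy mistake cannot lock
# every administrator out; this is the "emergency access procedure" of 164.312(a)(1).
$breakGlassGroupId = "<break-glass-group-object-id>"

# Policy 1: block legacy authentication (ActiveSync and "other" clients cannot complete MFA).
$blockLegacy = @{
    displayName   = "HIPAA-01 Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA AND an Intune-compliant device for the Office 365 workloads
# (Exchange, SharePoint, OneDrive, Teams), with a 12-hour sign-in frequency as the
# automatic-logoff control. Values are a starting point, not a mandated setting.
$requireMfaCompliant = @{
    displayName     = "HIPAA-02 Require MFA and compliant device for Office 365"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
    sessionControls = @{ signInFrequency = @{ isEnabled = $true; type = "hours"; value = 12 } }
}

foreach ($policy in @($blockLegacy, $requireMfaCompliant)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave both policies in report-only mode until the Entra sign-in log shows no clinical workflow being blocked, then set state to "enabled".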
6. Audit Log Retention: The Underestimated Requirement
HIPAA requires covered entities to retain documentation of policies, procedures, and security activities for 6 years. For operational audit logs (who accessed what, when), OCR investigations and breach litigation routinely request 12–24 months of logs. Understanding the default retention by M365 plan — and the cost of extending it — is essential for healthcare licensing decisions.
| M365 Plan | Default Audit Log Retention | Maximum With Add-on | Cost to Extend to 1 Year |
|---|---|---|---|
| M365 E1 | 90 days | 90 days (no extension) | Requires E3 upgrade or Compliance add-on |
| M365 E3 | 90 days | 1 year (with Purview Audit Premium add-on) | $12/user/month (E5 Compliance or Purview Audit Premium) |
| M365 E5 | 1 year | 10 years (retention policy extension) | Included; 10-year extension requires additional policy |
| M365 E5 Compliance add-on | 1 year | 10 years | $12/user/month (on E3 base) |
For most healthcare organizations, the practical approach is: E3 for clinical staff with audit logs exported to Azure Monitor Log Analytics (approximately $2.76/GB/month for healthcare audit data volume) for 2-year retention, plus E5 Compliance for privacy/compliance/IT staff who need full Purview capabilities. This approach typically costs $4–$8/user/month less than upgrading all clinical staff to E5 while meeting audit retention requirements for HIPAA purposes.
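One way to implement the export step described above, as an added example that is not part of this article: pull Unified Audit Log records out of Exchange Online in one-day windows and write them as JSON Lines, which Azure Monitor Log Analytics or a SIEM can ingest for multi-year retention. It assumes Connect-ExchangeOnline has already been run by an account holding the View-Only Audit Logs role; the day count and file name are constructed values.

```powershell
# Added example: export Unified Audit Log records for the last $daysBack days to JSON Lines.
# Assumes an existing Exchange Online session with audit log read rights.
$daysBack = 7
$outFile  = "m365-audit-$(Get-Date -Format yyyyMMdd).jsonl"
$pageSize = 5000      # maximum ResultSize accepted by Search-UnifiedAuditLog
$total    = 0

for ($d = $daysBack; $d -ge 1; $d--) {
    $windowStart = (Get-Date).Date.AddDays(-$d)
    $windowEnd   = $windowStart.AddDays(1)
    # Each window uses its own session id; ReturnLargeSet pages through at most
    # 50,000 records per session, so a busier day must be split into smaller windows.
    $sessionId   = "hipaa-export-{0:yyyyMMdd}" -f $windowStart
    $windowCount = 0
    do {
        $batch = @(Search-UnifiedAuditLog -StartDate $windowStart -EndDate $windowEnd `
                      -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize $pageSize)
        if ($batch.Count -gt 0) {
            # AuditData is already one JSON document per record; write one record per line.
            $batch | ForEach-Object { $_.AuditData } | Add-Content -Path $outFile -Encoding utf8
            $windowCount += $batch.Count
        }
    } while ($batch.Count -gt 0)   # the session returns nothing once it is exhausted

    if ($windowCount -ge 50000) {
        Write-Warning ("{0:yyyy-MM-dd}: reached the 50,000-record session limit; re-run with hourly windows" -f $windowStart)
    }
    Write-Output ("{0:yyyy-MM-dd}: {1} records" -f $windowStart, $windowCount)
    $total += $windowCount
}
Write-Output "Exported $total records to $outFile"
```

Schedule the export more often than the plan's retention window (daily for a 90-day E3 tenant) so no records age out before they are copied.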
7. Common HIPAA Configuration Failures in M365 Healthcare Deployments
Based on our review of 50+ health system M365 tenants, these are the seven most common HIPAA configuration failures encountered in practice:
1. Unified Audit Log disabled (34% of tenants). This is the most common and most serious finding. In newer tenants, audit logging is enabled by default; in tenants migrated from on-premises Exchange, it often was not. Verify status in the Purview Compliance Center under Audit → Start recording user and admin activity.
2. Legacy authentication not blocked (41% of tenants). SMTP, IMAP, and other protocols that use basic authentication do not support MFA, so they remain open channels for credential-based attacks. Block legacy authentication via conditional access policies immediately.
3. Teams external federation unrestricted (58% of tenants). By default, Teams allows federation with any other Teams tenant, including consumer accounts. Clinical staff can inadvertently share PHI with external unverified parties. Restrict federation to approved organizational domains only.
4. Consumer Copilot not blocked (63% of tenants). copilot.microsoft.com is a consumer service not covered by the HIPAA BAA. Clinical staff prompted to use AI assistants often default to the consumer Copilot if M365 Copilot is not deployed. Block via Entra ID application policy and network filtering.
5. SharePoint external sharing unrestricted (29% of tenants). Default SharePoint configuration allows sharing with any authenticated Microsoft account. Clinical document libraries with PHI must be restricted to internal users or verified clinical partner domains only.
6. Mobile device management not enforced (47% of tenants). Conditional access policies are configured but not enforced with device compliance requirements. Clinical staff access Exchange on personal iPhones without MDM enrollment. This creates a HIPAA access control gap for PHI accessed on unmanaged devices.
7. DLP policies not tuned for clinical content (72% of tenants). Either DLP is not deployed at all, or the default HIPAA template generates so many false positives in clinical document workflows that it has been disabled or set to audit-only mode. A tuned DLP policy requires clinical content expertise — medical terminology, common clinical document formats, and the distinction between PHI and general medical language.
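A read-only posture check for the findings above that can be read directly from tenant configuration (failures 1, 2, 3, 5 and 6; the consumer Copilot block and DLP tuning still need manual review), added here as an example and not the authors' own tooling. It assumes the ExchangeOnlineManagement, MicrosoftTeams, Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Identity.SignIns modules; <tenant> is a placeholder for your tenant name.

```powershell
# Added read-only posture check (not a script from this article). Requires the
# ExchangeOnlineManagement, MicrosoftTeams, Microsoft.Online.SharePoint.PowerShell
# and Microsoft.Graph.Identity.SignIns modules; <tenant> is a placeholder.
Connect-ExchangeOnline
Connect-MicrosoftTeams
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Connect-MgGraph -Scopes "Policy.Read.All"

$findings = [System.Collections.Generic.List[string]]::new()
function Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { "PASS" } else { "FAIL" }
    $findings.Add("$status  $Name  ($Detail)")
}

# Failure 1: Unified Audit Log ingestion and the org-level mailbox auditing switch.
$ual = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Check "Unified Audit Log enabled" $ual "UnifiedAuditLogIngestionEnabled=$ual"
$auditOff = (Get-OrganizationConfig).AuditDisabled
Check "Mailbox auditing enabled" (-not $auditOff) "OrganizationConfig.AuditDisabled=$auditOff"

# Failures 2 and 6: an enabled conditional access policy must block legacy clients,
# and one must grant access only from a compliant device.
$ca = @(Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq "enabled" })
$legacyBlocked = @($ca | Where-Object { $_.Conditions.ClientAppTypes -contains "other" -and
                                        $_.GrantControls.BuiltInControls -contains "block" }).Count -gt 0
Check "Legacy authentication blocked" $legacyBlocked "enabled CA policy blocks clientAppType 'other'"
$deviceRequired = @($ca | Where-Object { $_.GrantControls.BuiltInControls -contains "compliantDevice" }).Count -gt 0
Check "Compliant device required" $deviceRequired "enabled CA policy requires compliantDevice"

# Failure 3: Teams federation must exclude consumer accounts; the allowed-domain list
# is printed for manual comparison against your approved partner organizations.
$fed = Get-CsTenantFederationConfiguration
$fedOk = (-not $fed.AllowPublicUsers) -and (-not $fed.AllowTeamsConsumer)
Check "Teams federation restricted" $fedOk "AllowPublicUsers=$($fed.AllowPublicUsers); AllowTeamsConsumer=$($fed.AllowTeamsConsumer); AllowedDomains=$($fed.AllowedDomains)"

# Failure 5: SharePoint must not allow anonymous "Anyone" links and should use a domain allow list.
$spo = Get-SPOTenant
$spoOk = ($spo.SharingCapability -ne "ExternalUserAndGuestSharing") -and
         ($spo.SharingDomainRestrictionMode -eq "AllowList")
Check "SharePoint external sharing restricted" $spoOk "SharingCapability=$($spo.SharingCapability); DomainRestrictionMode=$($spo.SharingDomainRestrictionMode)"

$findings | Sort-Object | ForEach-Object { Write-Output $_ }
```

FAIL lines sort to the top; each one maps to a numbered finding above and to the remediation console listed in the section 5 checklist.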
8. Frequently Asked Questions
Which Microsoft 365 services are covered by the HIPAA BAA?
Microsoft's HIPAA BAA covers Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Intune, Entra ID premium tiers, and most M365 enterprise compliance features. Consumer services including Bing, consumer Copilot, and Microsoft account-based services are excluded. Always verify at Microsoft's Trust Center before deploying PHI workloads to any service.
Do you need to sign a separate HIPAA BAA with Microsoft?
No. Microsoft's HIPAA BAA terms are incorporated in the standard Online Services Terms and Data Protection Addendum. There is no separate document to negotiate or sign. However, verify that the services you use are in Microsoft's current covered services documentation at the Trust Center.
Is Microsoft Teams HIPAA compliant by default?
No. Teams is covered by the BAA but requires specific configurations for HIPAA compliance: retention policies, external federation restrictions, conditional access enforcement, audit logging, and DLP policy deployment. Default Teams configuration is not HIPAA-compliant.
What is the minimum M365 plan for HIPAA compliance?
Microsoft 365 E3 is the minimum practically viable plan for clinical users handling PHI. E1 lacks Intune (required for MDM) and has insufficient conditional access capabilities for PHI on personal devices. E5 or E5 Compliance is required only for organizations needing Insider Risk Management, advanced eDiscovery, or 1-year audit log retention without exporting to external storage.
How long must Microsoft 365 audit logs be retained for HIPAA?
HIPAA requires 6-year retention for policy and procedure documentation. For operational access logs, OCR investigations typically request 12–24 months. M365 E3 retains audit logs for 90 days by default. E5 or Purview Audit Premium extends to 1 year. For longer retention, export to Azure Monitor or a SIEM. The Purview Audit Premium retention policy can be extended to 10 years.