How do make Teams HIPAA Compliant?

John W. Bakaly 0 Reputation points
2026-04-04T19:06:50.98+00:00

Please tell me the steps to make Teams HIPAA Compliant, including how to sign a BAA.

Microsoft Teams | Microsoft Teams for business | Other

2 answers

  1. Vy Nguyen 9,890 Reputation points Microsoft External Staff Moderator
    2026-04-04T20:06:33.0033333+00:00

    Hi @John W. Bakaly

    I hope you are doing well today.  

    Based on the details you shared, you are looking for guidance on how to make Microsoft Teams HIPAA compliant, including the steps to sign a Business Associate Agreement (BAA).

    Microsoft Teams is not HIPAA compliant by default, which is why a few important steps are required before using it to handle Protected Health Information (PHI). This is because Teams must be paired with a qualifying Microsoft 365 plan, properly configured with the right security settings, and covered under a signed BAA with Microsoft before it can meet HIPAA standards. Without these elements in place, the platform alone cannot guarantee the privacy and security controls that HIPAA requires. 

    Below are the steps to get your organization set up for HIPAA compliance on Microsoft Teams: 

    1/ Confirm You Are on a Qualifying Plan 

    • Not all Microsoft 365 plans support HIPAA compliance.  
    • Please ensure your organization is subscribed to one of the following eligible plans: Microsoft 365 Business Basic or Standard, Office 365 E3 or E5, Microsoft 365 E3, E5, F3, or F5, or Microsoft Cloud for Healthcare (the most comprehensive option for healthcare organizations).  
    • If you are on a free or basic standalone Teams plan, you will need to upgrade before proceeding. 

    2/ Accept Microsoft's Business Associate Agreement (BAA) 

    Microsoft provides the BAA through its Online Services Terms and Data Protection Addendum (DPA); you do not need to sign a separate document. Here is how to access it:

    • Sign in to the Microsoft 365 Admin Center at admin.microsoft.com 
    • Navigate to Settings > Org Settings > Security & Privacy 
    • Locate the Data Protection Addendum or review it directly at: https://aka.ms/DPA 
    • Your organization formally accepts the BAA by using an in-scope Microsoft Online Service under a qualifying plan 

    Please note: the BAA alone does not make Teams compliant; your configuration must also meet HIPAA standards.

    3/ Configure Microsoft Teams with the Required HIPAA Security Settings (admin only)

    Once your BAA is in place, please apply the following security configurations in your Microsoft 365 Admin Center and Teams Admin Center: 

    • Enable Multi-Factor Authentication (MFA) 
      • Go to Azure Active Directory > Security > MFA and require MFA for all users who will access PHI through Teams. 
    • Set Up Data Loss Prevention (DLP) Policies 
      • In the Microsoft Purview Compliance Portal, create DLP policies to automatically detect and block the sharing of PHI in Teams chats, channels, and files. 
    • Enable Audit Logging 
      • In the Microsoft Purview Compliance Portal, turn on Audit Log Search so your organization can track and monitor all PHI access and sharing activity within Teams. 
    • Configure Conditional Access Policies 
      • In Azure Active Directory, set conditional access rules to ensure only compliant, managed devices can access Teams with PHI. 
    • Restrict Guest and External Access 
      • In the Teams Admin Center, limit external and guest access to only what is strictly necessary, and apply strict permissions to control what those users can view or do. 
    • Apply Retention Policies 
      • In Microsoft Purview, configure retention policies to ensure PHI is stored and removed according to your organization's HIPAA requirements. 

    For your information, some additional points you should be aware of:

    • For call and meeting recordings, please be aware that Teams' native recording feature alone does not meet HIPAA standards. A certified third-party compliance recording solution is recommended. 
    • Review all third-party apps integrated with Teams to confirm they are also HIPAA compliant before use. 
    • Provide HIPAA training to all staff members who will use Teams to handle PHI. 

    Should you need further assistance with any of the steps above, please do not hesitate to reply to this email and we will be happy to guide you through. You may also visit our official HIPAA compliance documentation at Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HITECH) Act - Microsoft Compliance | Microsoft Learn for additional reference. 

    I hope this response has helped address your question and clarify the behavior you're experiencing. Please feel free to reply if you have any further questions; I would be happy to assist further.

    Thank you for your patience and your understanding. I look forward to continuing the conversation.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have any extra questions about this answer, please click "Comment".             

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  


  2. Q&A Assist
    2026-04-04T19:07:08.32+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Microsoft Teams is already a HIPAA in-scope service under Microsoft 365 when used under the Microsoft HIPAA Business Associate Agreement (BAA) and configured with appropriate compliance controls. Making Teams “HIPAA compliant” is a combination of: (1) having a valid HIPAA BAA with Microsoft that covers Teams, and (2) configuring and using Teams in a way that supports HIPAA requirements.

    Below are the steps based on the provided information.

    1. Confirm Teams is an in-scope HIPAA service
    • Microsoft Teams is listed as an in-scope service for HIPAA/HITECH under Office 365/Microsoft 365.
    • This means Teams is covered by Microsoft’s HIPAA BAA when the BAA is in place.

    See the “Office 365 and HIPAA” section, which explicitly lists Microsoft Teams as an in-scope service.

    2. Ensure a HIPAA BAA with Microsoft is in place
    • Microsoft offers a HIPAA Business Associate Agreement to covered entities and business associates.
    • The Microsoft HIPAA BAA is available through the Microsoft Online Services Data Protection Addendum (DPA) / Product Terms and is automatically included for eligible customers using in-scope services.
    • For Microsoft 365/Office 365, the HIPAA BAA is part of the Online Services Terms for customers who are covered entities or business associates and are storing PHI.

    Key points from context:

    • “Microsoft offers its covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services.”
    • “The HIPAA Business Associate Agreement is also available for in-scope Microsoft Professional Services. Contact your Microsoft services representative for more information.”
    • “Microsoft offers a HIPAA BAA as part of the Microsoft Product Terms (formerly Online Services Terms) to all customers who are covered entities or business associates under HIPAA for use with in-scope Azure services.”
    • “HIPAA Business Associate Agreement (BAA) … is automatically included as part of the Online Services Terms and applies to customers who are covered entities or business associates and are storing PHI.”

    Practical actions:

    1. Verify that the organization is a HIPAA covered entity or business associate.
    2. Review the Microsoft Product Terms / Online Services Terms and Data Protection Addendum where the HIPAA BAA is incorporated.
    3. If additional clarification is needed (for example, for Professional Services or complex environments), work with the Microsoft account or services representative to confirm that the BAA is in place and that Teams is covered.

    3. Understand shared responsibility
    • Under HIPAA, Microsoft (as a business associate) does not “make” an organization HIPAA compliant.
    • Microsoft provides in-scope services (like Teams) and a HIPAA BAA; the healthcare organization remains responsible for configuring and using those services in a compliant way.

    From the Azure Local HIPAA guidance (the same model applies conceptually to Teams/M365):

    • Covered entities must “independently analyze their unique technology environments and use cases and then plan and implement policies and procedures that comply with the requirements of the regulations.”
    • Microsoft, as a business associate, offers the HIPAA BAA and compliant cloud capabilities but does not assure overall HIPAA compliance.

    4. Use Teams’ compliance features to support HIPAA requirements

    Once the BAA is in place and Teams is an in-scope service, configure the compliance capabilities in Microsoft 365/Teams that help protect PHI and support HIPAA controls. The following features are specifically called out for Teams:

    a. Information barriers
    • Prevent certain users or groups from communicating or discovering each other.
    • Useful where HIPAA or organizational policy requires strict separation of roles or departments.
    b. Retention policies
    • Control how long Teams data (chat, channel messages, files) is kept or when it must be deleted.
    • Supports HIPAA record retention and data minimization requirements.
    c. Communication compliance
    • Detect and act on risky communications (offensive content, sharing of sensitive information, etc.).
    • Helps reduce communication risks around PHI disclosure.
    d. Policy-based recording for calls and meetings
    • Automatically record and store calls/meetings when required for compliance, retention, or analysis.
    • Important if clinical or PHI-related consultations are recorded.
    e. Sensitivity labels
    • Classify and protect sensitive information by enforcing privacy and access controls.
    • Can be used to restrict access to PHI-related Teams, channels, and content.
    f. Microsoft Purview Data Loss Prevention (DLP) for Teams
    • Create rules to detect and control sharing of sensitive data (for example, health IDs, SSNs, other identifiers).
    • Can block or warn on attempts to send PHI outside allowed boundaries.
    g. eDiscovery and Legal hold
    • eDiscovery: Search and retrieve Teams content for legal or regulatory investigations.
    • Legal hold: Preserve content (even if users delete it) when required for legal or regulatory reasons.

    These features do not by themselves guarantee HIPAA compliance but are the primary technical controls in Teams/Microsoft 365 that support HIPAA-related safeguards.

    5. Leverage Teams’ underlying compliance posture
    • Teams is built on the Microsoft 365 hyperscale, enterprise-grade cloud and is Tier D-compliant.
    • Teams supports HIPAA and other major standards such as ISO 27001, ISO 27018, SSAE SOC 1 and SOC 2, EU Model Clauses, and Cloud Security Alliance compliance.
    • This underlying compliance posture supports using Teams with PHI when combined with a BAA and proper configuration.

    6. Internal steps to operationalize HIPAA use of Teams

    Based on the shared-responsibility model and capabilities described in the context, a typical operational approach is:

    a. Governance and risk assessment
    • Perform a HIPAA risk analysis for the planned Teams use cases (clinical communications, telehealth, internal operations, etc.).
    • Define which data types (PHI categories) are allowed in Teams and under what conditions.
    b. Configure compliance features
    • Implement retention policies for Teams chats, channels, and files.
    • Configure DLP policies to detect and control PHI sharing.
    • Apply sensitivity labels to PHI-related Teams and content.
    • Enable information barriers where separation of duties or groups is required.
    • Configure communication compliance policies for inappropriate or risky content.
    • Set up policy-based recording if clinical or PHI-related calls/meetings must be recorded.
    c. Access control and identity
    • Use Microsoft Entra ID (Azure AD) security best practices (conditional access, MFA, least privilege) to protect access to Teams.
    d. Training and procedures
    • Train workforce members on acceptable use of Teams with PHI.
    • Document procedures for handling PHI in chats, meetings, files, and recordings.
    e. Monitoring and audit
    • Use Microsoft 365 audit and eDiscovery capabilities to monitor access and activity related to PHI in Teams.
    • Periodically review policies and logs as part of HIPAA security management processes.

    7. Important clarifications about BAAs
    • Microsoft cannot use a customer’s own BAA; the Microsoft HIPAA BAA is standardized for Microsoft’s hyperscale cloud.
    • The Microsoft HIPAA BAA “reflects closely how we operate our cloud services” and was developed with healthcare stakeholders.

    This means organizations must accept Microsoft’s standard HIPAA BAA (as incorporated into the Product Terms/DPA) rather than negotiating a custom BAA for Teams.
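Both answers above list the same technical controls (MFA and Conditional Access, audit logging, DLP, retention, guest/external access, recording) but describe them as portal clicks. The following read-only PowerShell check is an added example, not code from either answer or from Microsoft; it assumes the MicrosoftTeams, ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in admin holds the Entra, Teams and Purview reader roles those cmdlets require. It reports each control as PASS or REVIEW so an admin can confirm the configuration before PHI is allowed into Teams.

```powershell
# Added example: read-only baseline of the Teams/M365 controls recommended in the answers.
# Assumes MicrosoftTeams, ExchangeOnlineManagement and Microsoft.Graph modules are installed.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome   # Entra ID (Conditional Access policies)
Connect-MicrosoftTeams | Out-Null                       # Teams admin settings
Connect-ExchangeOnline -ShowBanner:$false               # unified audit log configuration
Connect-IPPSSession -ShowBanner:$false                  # Purview DLP / retention cmdlets

$script:Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $script:Findings.Add([pscustomobject]@{
        Control = $Control; Status = $(if ($Pass) { 'PASS' } else { 'REVIEW' }); Detail = $Detail })
}

# 1. Conditional Access: enabled policies that require MFA and a compliant (managed) device
$ca  = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' }
$mfa = $ca | Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' }
$dev = $ca | Where-Object { $_.GrantControls.BuiltInControls -contains 'compliantDevice' }
Add-Finding 'CA policy requiring MFA'              ($mfa.Count -gt 0) ($mfa.DisplayName -join ', ')
Add-Finding 'CA policy requiring compliant device' ($dev.Count -gt 0) ($dev.DisplayName -join ', ')

# 2. Unified audit log ingestion must be on for Purview audit search to capture Teams activity
$audit = Get-AdminAuditLogConfig
Add-Finding 'Audit log search enabled' ([bool]$audit.UnifiedAuditLogIngestionEnabled) ''

# 3. DLP: at least one policy in enforce mode (Mode = Enable) that targets Teams locations
$dlp = Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' -and $_.TeamsLocation }
Add-Finding 'DLP policy enforced on Teams' ($dlp.Count -gt 0) ($dlp.Name -join ', ')

# 4. Retention: an enabled policy covering Teams chats and/or channel messages
$ret = Get-RetentionCompliancePolicy |
       Where-Object { $_.Enabled -and ($_.TeamsChatLocation -or $_.TeamsChannelLocation) }
Add-Finding 'Retention policy on Teams chat/channels' ($ret.Count -gt 0) ($ret.Name -join ', ')

# 5. External and guest access: consumer/public federation off, guest access a deliberate decision
$fed    = Get-CsTenantFederationConfiguration
$client = Get-CsTeamsClientConfiguration -Identity Global
Add-Finding 'Consumer/public federation disabled' (-not ($fed.AllowPublicUsers -or $fed.AllowTeamsConsumer)) `
    "AllowFederatedUsers=$($fed.AllowFederatedUsers)"
Add-Finding 'Guest access disabled' (-not $client.AllowGuestUser) "AllowGuestUser=$($client.AllowGuestUser)"

# 6. Native cloud recording in the global meeting policy (flagged for review, not a pass/fail control)
$mtg = Get-CsTeamsMeetingPolicy -Identity Global
Add-Finding 'Native cloud recording reviewed' (-not $mtg.AllowCloudRecording) "AllowCloudRecording=$($mtg.AllowCloudRecording)"

$script:Findings | Format-Table -AutoSize
```

A REVIEW result is not automatically a violation (guest access or recording may be required by the use case), but each one should map to a documented decision in the organization's HIPAA risk analysis.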


