BBAA Atlas

Is Microsoft 365 (Office 365) HIPAA compliant?

Productivity suite · vendor site ↗

BAA on select plansPHI with conditionsSOC 2 Type II
Will Microsoft 365 (Office 365) sign a HIPAA BAA?
Sometimes — Microsoft 365 (Office 365) signs a HIPAA BAA only on specific plans or add-ons.
Microsoft's HIPAA BAA is included by default through the Data Protection Addendum for commercial/enterprise customers covering in-scope services; Microsoft will not sign a customer's own BAA form, and free accounts are excluded.
PHI eligibility
PHI may be stored in in-scope services (Exchange Online, SharePoint, OneDrive, Teams) under the default BAA, provided the customer configures the services to meet HIPAA; PHI is not permitted in contact lists/directories.
SOC 2
SOC 2 Type II
Trust center
servicetrust.microsoft.com
Sub-processors
servicetrust.microsoft.com
Notes
BAA applies to commercial paid/enterprise services, not free accounts. Microsoft also holds ISO 27001 and HITRUST CSF; SOC 2 reports are in the Service Trust Portal.
Last verified 2026-05-31confidence: high· Vendor terms change — confirm directly with Microsoft 365 (Office 365) before storing PHI.

Get notified when this changes

We track Microsoft 365 (Office 365)'s BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with Microsoft 365 (Office 365)

Sometimes — Microsoft 365 (Office 365) signs a HIPAA BAA only on specific plans or add-ons.

Request routeBy request — via trust center or support
  1. 1
    Get on a qualifying plan
    Microsoft's HIPAA BAA is included by default through the Data Protection Addendum for commercial/enterprise customers covering in-scope services; Microsoft will not sign a customer's own BAA form, and free accounts are excluded.
  2. 2
    Request the Business Associate Agreement
    Microsoft 365 (Office 365) provides the BAA on request. Open a request through Microsoft 365 (Office 365)'s trust center and ask for the current Business Associate Agreement covering your plan.
  3. 3
    Confirm what PHI is allowed before you store any
    PHI may be stored in in-scope services (Exchange Online, SharePoint, OneDrive, Teams) under the default BAA, provided the customer configures the services to meet HIPAA; PHI is not permitted in contact lists/directories. Match your configuration to this scope before putting protected health information into Microsoft 365 (Office 365).
Before you sign — watch for
  • No BAA on the free / consumer tier — you must be on a qualifying paid plan first.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Microsoft 365 (Office 365) before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Microsoft 365 (Office 365) sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — Microsoft 365 (Office 365) signs a HIPAA BAA only on specific plans or add-ons. Microsoft's HIPAA BAA is included by default through the Data Protection Addendum for commercial/enterprise customers covering in-scope services; Microsoft will not sign a customer's own BAA form, and free accounts are excluded.
Is Microsoft 365 (Office 365) HIPAA compliant?
Microsoft 365 (Office 365) can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). PHI may be stored in in-scope services (Exchange Online, SharePoint, OneDrive, Teams) under the default BAA, provided the customer configures the services to meet HIPAA; PHI is not permitted in contact lists/directories.
Can you store PHI (protected health information) in Microsoft 365 (Office 365)?
PHI may be stored in in-scope services (Exchange Online, SharePoint, OneDrive, Teams) under the default BAA, provided the customer configures the services to meet HIPAA; PHI is not permitted in contact lists/directories.
Is Microsoft 365 (Office 365) SOC 2 certified?
Microsoft 365 (Office 365) reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Microsoft 365 (Office 365)?
Microsoft 365 (Office 365) provides the BAA on request. Open a request through Microsoft 365 (Office 365)'s trust center and ask for the current Business Associate Agreement covering your plan. Confirm current terms directly with Microsoft 365 (Office 365) before storing PHI.
What plan do I need to sign a BAA with Microsoft 365 (Office 365)?
Microsoft's HIPAA BAA is included by default through the Data Protection Addendum for commercial/enterprise customers covering in-scope services; Microsoft will not sign a customer's own BAA form, and free accounts are excluded.

Sources

HIPAA & HITECH Act — Microsoft Compliance
https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech
Supports: BAA included by default via DPA; in-scope Office 365 services; BAA alone insufficientdated: 2026-04-08
Microsoft HIPAA Business Associate Agreement
https://servicetrust.microsoft.com/DocumentPage/d60051b9-8b5a-4794-9844-033773faaeb0
Supports: BAA document locationdated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Microsoft 365 (Office 365) before processing protected health information.

Check another vendor

Google WorkspaceBAA on select plansActiveCampaignBAA on select plansAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plansAircallSigns a BAAAirtableBAA on select plans

See all HIPAA compliant docs & collaboration tools
Browse all 105 vendors by category →