BBAA Atlas

Is Microsoft Azure HIPAA compliant?

Cloud infrastructure · vendor site ↗

Signs a BAAPHI with conditionsSOC 2 Type II
Will Microsoft Azure sign a HIPAA BAA?
Yes — Microsoft Azure will sign a HIPAA Business Associate Agreement (BAA).
Microsoft enters into HIPAA Business Associate Agreements with covered-entity and business-associate customers. The BAA is made available by default through the Microsoft Products and Services Data Protection Addendum (DPA), covering in-scope services including Azure and Azure Government.
PHI eligibility
PHI may be stored and transmitted once the BAA (available by default via the DPA) is in effect and the customer uses in-scope Microsoft cloud services; the customer remains responsible for its own HIPAA compliance program.
SOC 2
SOC 2 Type II
Trust center
learn.microsoft.com
Sub-processors
servicetrust.microsoft.com
Notes
BAA applies to in-scope services (Azure, Azure Government, Azure DevOps, Dynamics 365, Microsoft 365, Power Platform, Intune). Microsoft will not use a customer's own BAA template. Azure SOC 2 Type 2 reports are issued semi-annually.
Last verified 2026-05-31confidence: high· Vendor terms change — confirm directly with Microsoft Azure before storing PHI.

Get notified when this changes

We track Microsoft Azure's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with Microsoft Azure

Yes — Microsoft Azure will sign a HIPAA Business Associate Agreement (BAA).

Request routeBy request — via trust center or support
  1. 1
    Confirm your account is covered
    Microsoft enters into HIPAA Business Associate Agreements with covered-entity and business-associate customers. The BAA is made available by default through the Microsoft Products and Services Data Protection Addendum (DPA), covering in-scope services including Azure and Azure Government.
  2. 2
    Request the Business Associate Agreement
    Microsoft Azure provides the BAA on request. Open a request through Microsoft Azure's trust center and ask for the current Business Associate Agreement covering your plan.
  3. 3
    Confirm what PHI is allowed before you store any
    PHI may be stored and transmitted once the BAA (available by default via the DPA) is in effect and the customer uses in-scope Microsoft cloud services; the customer remains responsible for its own HIPAA compliance program. Match your configuration to this scope before putting protected health information into Microsoft Azure.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Microsoft Azure before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Microsoft Azure sign a HIPAA Business Associate Agreement (BAA)?
Yes — Microsoft Azure will sign a HIPAA Business Associate Agreement (BAA). Microsoft enters into HIPAA Business Associate Agreements with covered-entity and business-associate customers. The BAA is made available by default through the Microsoft Products and Services Data Protection Addendum (DPA), covering in-scope services including Azure and Azure Government.
Is Microsoft Azure HIPAA compliant?
Microsoft Azure can be used in a HIPAA-compliant way: it signs a Business Associate Agreement (BAA), which HIPAA requires before you process PHI with a vendor. PHI may be stored and transmitted once the BAA (available by default via the DPA) is in effect and the customer uses in-scope Microsoft cloud services; the customer remains responsible for its own HIPAA compliance program.
Can you store PHI (protected health information) in Microsoft Azure?
PHI may be stored and transmitted once the BAA (available by default via the DPA) is in effect and the customer uses in-scope Microsoft cloud services; the customer remains responsible for its own HIPAA compliance program.
Is Microsoft Azure SOC 2 certified?
Microsoft Azure reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Microsoft Azure?
Microsoft Azure provides the BAA on request. Open a request through Microsoft Azure's trust center and ask for the current Business Associate Agreement covering your plan. Confirm current terms directly with Microsoft Azure before storing PHI.
What plan do I need to sign a BAA with Microsoft Azure?
Microsoft enters into HIPAA Business Associate Agreements with covered-entity and business-associate customers. The BAA is made available by default through the Microsoft Products and Services Data Protection Addendum (DPA), covering in-scope services including Azure and Azure Government.

Sources

HIPAA & HITECH Act — Microsoft Compliance
https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech
Supports: Microsoft signs HIPAA BAAs available by default via the DPA; lists in-scope cloud services including Azuredated: 2025-07-29
SOC 2 Type 2 — Azure Compliance
https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-soc-2
Supports: Azure undergoes independent third-party SOC 2 Type 2 audits covering Azure, Dynamics 365, Power Platform and select M365dated: 2023-04-04
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Microsoft Azure before processing protected health information.

Check another vendor

Amazon Web Services (AWS)Signs a BAADigitalOceanBAA on select plansGoogle Cloud Platform (GCP)Signs a BAAActiveCampaignBAA on select plansAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plans

See all HIPAA compliant cloud infrastructure & hosting
Browse all 105 vendors by category →