Microsoft Business Associate Agreement

Updated March 25, 2024

Microsoft Business Associate Agreement (BAA) - If you use Microsoft 365 (Office, Word, OneDrive), you might have wondered: Is Microsoft 365 HIPAA-compliant? And, if so, how do I sign a BAA with Microsoft?



Key Points

  1. Yes, Microsoft 365 is HIPAA-compliant if you have a Microsoft 365 Business Standard or Business Premium account.

  2. Microsoft establishes a BAA with covered entities "by default."

  3. A link to the Microsoft Business Associate Agreement (BAA) is contained within the Microsoft Online Services Data Protection Addendum.

  4. As of January 2024, the BAA is located here: Microsoft General - HIPAA BAA (October 2021).

Proviso: This information is based on my understanding. I am a psychologist. I am not an attorney.



Microsoft Business Associate Agreement: Important Details

1. Microsoft 365 Business Accounts

As noted above, Microsoft 365 is HIPAA-compliant if you have a Microsoft 365 Business Standard or Business Premium account.

The Microsoft 365 Business Premium account offers these additional security protections:

  • Advanced identity and access management.
  • Enhanced cyberthreat protection against viruses and phishing attacks.
  • Enterprise-grade device and endpoint protection.
  • Discover, classify, and protect sensitive information.

2. BAA with Covered Entities by Default

Under the subheading, "Frequently asked questions" on the Microsoft HIPAA & HITECH web page is the following:

Can my organization enter into a BAA with Microsoft?

Yes. Microsoft offers its covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services.

The Microsoft HIPAA Business Associate Agreement is available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA. See 'Microsoft in-scope cloud services' on this webpage for the list of cloud services covered by this BAA.

Note: The table listing 'Microsoft in-scope cloud services' is immediately above the "Frequently asked questions" section, under the subheading "Office 365 applicability and in-scope services."


3. Microsoft Online Services Data Protection Addendum

Microsoft indicates: "When you subscribe to a Product under the terms of the Product Terms site, the data processing and security terms are defined in Microsoft Online Services Data Protection Addendum (DPA)."

IMPORTANT: Check the most recent Microsoft Online Services Data Protection Addendum, which is updated once or twice a year, to ensure you find the most recent Microsoft Business Associate Agreement.

In the January 2024 Addendum, a link to the BAA was on page 11 under the subheading "HIPAA Business Associate".



4. Microsoft HIPAA BAA

You can download the BAA here: Microsoft General - HIPAA BAA (October 2021) [updated 3 Dec 2021].

But, as above, make sure that is the most recent Microsoft Business Associate Agreement (BAA) by reviewing the current Microsoft Online Services Data Protection Addendum.



Caution: I am Not an Attorney

All of this information is based on my understanding. I am a psychologist. I am not an attorney. So, I could be wrong. 

Of course, much of the information available about HIPAA and HITECH compliance is written for large healthcare organizations who can afford to hire healthcare law firms to decipher the legalese and ensure that policies and procedures comply with the laws.

Healthcare organizations can also afford to hire IT professionals to implement security procedures consistent with HIPAA and related laws.

Solo practitioners and small group practices have to struggle through the best we can, which is, as the Talking Heads sang many years ago, the same as it ever was ...


Why is a BAA Important?

For clinical psychologists, having a Business Associate Agreement (BAA) with a cloud storage service is necessary to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA sets the standard for protecting sensitive patient data in the United States. When a healthcare provider works with a third-party service that may handle or have access to protected health information (PHI), that entity is considered a business associate.

Here are key reasons why a BAA is essential:

1. Compliance with HIPAA Regulations: The BAA ensures that the cloud storage provider agrees to comply with HIPAA regulations in terms of protecting PHI. This includes implementing safeguards to prevent unauthorized use or disclosure of the information.

2. Data Security: The BAA should specify the security measures the cloud service will implement to protect PHI. This can include encryption, access controls, and regular security audits.

3. Audit and Compliance Assurance: A BAA can provide mechanisms for ensuring compliance through audits or assessments, giving the psychologist assurance that the cloud service is maintaining the required standards for PHI protection.

4. Trust and Professionalism: Having a BAA in place demonstrates to your clients that you take the confidentiality and security of their health information seriously.

5. Legal Protection: In the event of legal scrutiny or litigation, a BAA serves as a documented agreement that you have taken steps to ensure that your business associates are handling PHI in a compliant manner.






