Microsoft Business Associate Agreement

Updated March 25, 2024

Microsoft Business Associate Agreement (BAA) - If you use Microsoft 365 (Office, Word, OneDrive), you might have wondered: Is Microsoft 365 HIPAA-compliant? And, if so, how do I sign a BAA with Microsoft?

On this page ...

Key Points

  1. Yes, Microsoft 365 is HIPAA-compliant if you have a Microsoft 365 Business Standard or Business Premium account.

  2. Microsoft establishes a BAA with covered entities "by default."

  3. A link to the Microsoft Business Associate Agreement (BAA) is contained within the Microsoft Online Services Data Protection Addendum.

  4. As of January 2024, the BAA is located here: Microsoft General - HIPAA BAA (October 2021).

Proviso: This information is based on my understanding. I am a psychologist. I am not an attorney.

Back to top

Microsoft Business Associate Agreement: Important Details

1. Microsoft 365 Business Accounts

As noted above, Microsoft 365 is HIPAA-compliant if you have a Microsoft 365 Business Standard or Business Premium account.

The Microsoft 365 Business Premium account offers these additional security protections:

  • Advanced identity and access management.
  • Enhanced cyberthreat protection against viruses and phishing attacks.
  • Enterprise-grade device and endpoint protection.
  • Discover, classify, and protect sensitive information.

2. BAA with Covered Entities by Default

Under the subheading, "Frequently asked questions" on the Microsoft HIPAA & HITECH web page is the following:

Can my organization enter into a BAA with Microsoft?

Yes. Microsoft offers its covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services.

The Microsoft HIPAA Business Associate Agreement is available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA. See 'Microsoft in-scope cloud services' on this webpage for the list of cloud services covered by this BAA.

Note: the table listing 'Microsoft in-scope cloud services' is immediately above the Frequently asked questions section, under the subheading, Office 365 applicability and in-scope services

↑ Back to top ↑

3. Microsoft Online Services Data Protection Addendum

Microsoft indicates: "When you subscribe to a Product under the terms of the Product Terms site, the data processing and security terms are defined in Microsoft Online Services Data Protection Addendum (DPA)."

IMPORTANT: Check the most recent Microsoft Online Services Data Protection Addendum, which is updated once or twice a year, to ensure you find the most recent Microsoft Business Associate Agreement.

In the January 2024 Addendum, a link to the BAA was on page 11 under the subheading "HIPAA Business Associate".

↑ Back to top ↑

4. Microsoft HIPAA BAA

You can download the BAA here: Microsoft General - HIPAA BAA (October 2021) [updated 3 Dec 2021].

But, as above, make sure that is the most recent Microsoft Business Associate Agreement (BAA) by reviewing the current Microsoft Online Services Data Protection Addendum.

↑ Back to top ↑

Caution: I am Not an Attorney

All of this information is based on my understanding. I am a psychologist. I am not an attorney. So, I could be wrong. 

Of course, much of the information available about HIPAA and HITECH compliance is written for large healthcare organizations who can afford to hire healthcare law firms to decipher the legalese and ensure that policies and procedures comply with the laws.

Healthcare organizations can also afford to hire IT professionals to implement security procedures consistent with HIPAA and related laws.

Solo practitioners and small group practices have to struggle through the best we can, which is, as the Talking Heads sang many years ago, the same as it ever was ...

↑ Back to top ↑

Why is a BAA Important?

For clinical psychologists, having a Business Associate Agreement (BAA) with a cloud storage service is necessary to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA sets the standard for protecting sensitive patient data in the United States. When you a healthcare provider works with a third-party service that may handle or have access to protected health information (PHI), that entity is considered a business associate.

Here are key reasons why a BAA is essential:

1. Compliance with HIPAA Regulations: The BAA ensures that the cloud storage provider agrees to comply with HIPAA regulations in terms of protecting PHI. This includes implementing safeguards to prevent unauthorized use or disclosure of the information.

2. Data Security: The BAA should specify the security measures the cloud service will implement to protect PHI. This can include encryption, access controls, and regular security audits.

3. Audit and Compliance Assurance: A BAA can provide mechanisms for ensuring compliance through audits or assessments, giving the psychologist assurance that the cloud service is maintaining the required standards for PHI protection.

4. Trust and Professionalism: Having a BAA in place demonstrates to your clients that you take the confidentiality and security of their health information seriously.

5. Legal Protection: In the event of legal scrutiny or litigation, a BAA serves as a documented agreement that you have taken steps to ensure that your business associates are handling PHI in a compliant manner.

↑ Back to top ↑

What Do You Think?

iconImage of the Google sign-in icon

I value your feedback!

If you would like to comment, ask questions, or offer suggestions about this page, please feel free to do so. Of course, keep it clean and courteous.

You can leave an anonymous comment if you wish–just type your first name.

If you want to receive an email when someone replies to your comment, click the icon on the lower right of the comment box to use Google Sign-in. (Your email remains private.) 

Important: Do not type your email address or other identifying information into your comment as it will appear on the Internet for everyone to see ... and for spam bots to harvest so that spammers can sell your email address to other spammers.

HTML Comment Box is loading comments...

How did you build this website?

I used Solo Build It! to build this website in 2004 and still use it today, especially for the extremely helpful business guidance and the superior search engine optimization.

Note: If you click on one of these links and you decide to purchase Solo Build It! I earn a small affiliate commission. Your cost is the same either way. If you do not want me to earn an affiliate commission, just google "solo build it".