Is Microsoft Teams HIPAA Compliant?
Yes — Microsoft Teams can be HIPAA compliant with a qualifying Microsoft 365 plan, a signed BAA, and the right configuration. Unlike Zoom, Microsoft doesn't require a special healthcare add-on. But the BAA alone isn't enough — you need DLP policies, retention rules, and access controls in place.
Yes — with Microsoft 365 Business or Enterprise
Microsoft Teams is HIPAA-eligible when your organization has a qualifying Microsoft 365 plan and a signed Business Associate Agreement (BAA). But the BAA alone doesn't make you compliant — you must also configure DLP policies, retention rules, and access controls.
M365 Business / Enterprise + BAA: HIPAA-eligible
Free / Personal / Frontline F1: Not HIPAA compliant
Which Microsoft 365 Plans Are HIPAA Eligible?
Microsoft makes a Business Associate Agreement available to all customers on business and enterprise plans. But eligibility and full compliance readiness vary significantly by tier.
| Plan | Eligible | BAA | DLP | Notes |
|---|---|---|---|---|
| Microsoft 365 Business Basic | Yes | Yes | No | No built-in DLP; requires manual controls |
| Microsoft 365 Business Standard | Yes | Yes | Add-on | Most common for small practices; add Microsoft Purview for DLP |
| Microsoft 365 Business Premium | Yes | Yes | Yes | Best value for healthcare; includes Purview DLP and Intune |
| Microsoft 365 E3 | Yes | Yes | Yes | Enterprise-grade; full compliance suite included |
| Microsoft 365 E5 | Yes | Yes | Yes | Adds Advanced eDiscovery, auto-labeling, and insider risk management |
| Microsoft Teams Free | No | No | No | No BAA, no admin controls, no audit logging |
| Microsoft Teams Essentials | No | No | No | No BAA available; not suitable for PHI |
Recommended for healthcare: Microsoft 365 Business Premium or E3. Both include the BAA, DLP policies via Microsoft Purview, Intune device management, and Conditional Access, which map to the access control, audit control, and transmission security standards of the HIPAA Security Rule. One licensing caveat before you rely on the Teams DLP setting described below: Microsoft's Purview licensing guidance lists DLP for Exchange, SharePoint and OneDrive under E3 and Business Premium, but DLP for Teams chat and channel messages under the E5-tier compliance licenses. Confirm your SKU against the current guidance before treating Teams DLP as in place.
How to Sign the Microsoft BAA
Unlike Zoom (which requires a special healthcare plan), Microsoft makes its Business Associate Agreement available to all business and enterprise subscribers at no extra cost. The process takes about 5 minutes.
Sign in to the Microsoft 365 Admin Center
Go to admin.microsoft.com with a Global Admin account. Only admins can accept the BAA on behalf of the organization.
Navigate to the HIPAA BAA amendment
Go to Settings → Org Settings → Organization Profile → HIPAA Business Associate Amendment. Microsoft makes this available automatically to all qualifying business and enterprise plan subscribers.
Review the BAA terms
Microsoft's BAA is standardized and non-negotiable; its current text is published as part of Microsoft's Product Terms and Data Protection Addendum. It covers Teams, Exchange Online, SharePoint Online, OneDrive for Business, and Azure. Verify the covered services match your workflows.
Accept the BAA electronically
Check the acknowledgment box and accept. The signed BAA takes effect immediately and applies to all licensed users on the tenant. Download a copy for your records.
Store the BAA with your compliance records
Per 45 CFR §164.530(j), documentation such as a BAA must be retained for six years from the date it was created or was last in effect, whichever is later. Store it alongside your other vendor agreements.
Document Teams in your risk assessment
Add Microsoft Teams as a system that processes ePHI. Record the safeguards in place, user access controls, and your incident response plan for a Microsoft-side breach.
8 Settings to Configure for HIPAA Compliance
Signing the BAA is step one. These configurations are step two — and the step most practices skip. Document each in your risk assessment.
Enable DLP policies for Teams
Microsoft Purview → Data Loss Prevention → Policies
Create a policy using the U.S. HIPAA template to detect PHI in Teams chats, channels, and shared files
Automatically flags or blocks messages containing SSNs, medical record numbers, or diagnosis codes
Restrict external sharing
Teams Admin Center → External Access
Disable external access, or allow only an explicit list of partner domains, and block communication with personal (consumer) Teams and Skype accounts
Prevents staff from accidentally sharing PHI with users outside your organization. External access (federation) and guest access are separate controls: federated users never join your teams, but a chat with them still carries PHI out of your tenant
Disable guest access for clinical channels
Teams Admin Center → Guest Access
Turn off guest access globally, or restrict at the team/channel level for any channel handling PHI
Guest identities are authenticated by another tenant: your device-compliance and Intune controls cannot reach their devices, and anything a guest reads or downloads is outside your retention and audit scope
Configure retention policies
Microsoft Purview → Data Lifecycle Management → Retention Policies
Set Teams chat and channel messages to retain for at least 6 years, then auto-delete. HIPAA's six-year rule (45 CFR §164.530(j)) applies to compliance documentation; retention periods for clinical records come from state law, so use the longer of the two
Satisfies the documentation retention requirement, keeps users from deleting messages early, and limits breach exposure from old data
Enforce multi-factor authentication
Entra ID → Security → Conditional Access
Require MFA for all users accessing Teams, including on mobile and personal devices; exclude only a monitored break-glass account
Stolen credentials alone can't reach PHI without the second factor. Prefer phishing-resistant methods (Authenticator with number matching, FIDO2 keys) over SMS codes
Restrict file downloads on unmanaged devices
Entra ID → Conditional Access → Session Controls
Require a compliant or hybrid-joined device for the desktop and mobile clients. For browser sessions, turn on the "Use app enforced restrictions" session control and set the SharePoint Online tenant to limited access for unmanaged devices; without that SharePoint-side setting the session control does nothing
PHI files stay in the browser and are not downloaded, printed, or synced to personal devices that lack encryption or remote wipe
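Settings 5 and 6 are both Conditional Access policies, and the "browser-only, no downloads" behaviour also needs a SharePoint-side switch. The script below is an added example, not this article's or Microsoft's own, that creates them with the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell. The two group IDs, the policy names and the SharePoint admin URL are placeholders to replace; every policy starts in report-only mode.

```powershell
# Added example: Conditional Access for settings 5 and 6, plus the SharePoint
# tenant switch behind "browser-only on unmanaged devices".
# Placeholders (hypothetical, replace for your tenant): both group IDs, the
# policy names and the SharePoint admin URL.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Online.SharePoint.PowerShell

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$breakGlassGroup = "00000000-0000-0000-0000-000000000001"   # emergency-access accounts (placeholder)
$clinicalGroup   = "00000000-0000-0000-0000-000000000002"   # clinical staff group (placeholder)

# Start every policy in report-only mode; switch to "enabled" after reviewing sign-in logs.
$state = "enabledForReportingButNotEnforced"

# Setting 5: require MFA for every user on the Office 365 app group (Teams, Exchange,
# SharePoint, OneDrive). Only the break-glass group is excluded.
$requireMfa = @{
    displayName   = "HIPAA-01 Require MFA for Office 365"
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa | Out-Null

# Setting 6a: desktop and mobile clients cache PHI locally, so allow them only from a
# device that is Intune-compliant or hybrid-joined.
$requireManagedDevice = @{
    displayName   = "HIPAA-02 Native clients need a managed device"
    state         = $state
    conditions    = @{
        users          = @{ includeGroups = @($clinicalGroup); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireManagedDevice | Out-Null

# Setting 6b: browser sessions are allowed, but the "app enforced restrictions" session
# control hands the unmanaged-device decision to SharePoint/OneDrive, where Teams files live.
$browserLimited = @{
    displayName     = "HIPAA-03 Browser sessions get app-enforced restrictions"
    state           = $state
    conditions      = @{
        users          = @{ includeGroups = @($clinicalGroup); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $browserLimited | Out-Null

# Without this SharePoint-side setting the session control has no effect. AllowLimitedAccess
# means web-only viewing from unmanaged devices: no download, print or sync.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Read back what was created, for the risk-assessment record.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "HIPAA-*" } |
    Select-Object DisplayName, State
```

Leave the policies in report-only mode until the sign-in logs show no unexpected blocks, and confirm the break-glass accounts really are excluded before enabling them; a policy that locks out every administrator is the classic Conditional Access failure.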
Enable audit logging
Microsoft Purview → Audit → Audit Search
Verify unified audit logging is enabled (on by default for current tenants) and set up alerts for PHI-related activity. Note that default audit retention (180 days with Audit Standard, one year with Audit Premium on E5) is far shorter than six years, so export or archive the logs if your policy requires longer
Required by the HIPAA Security Rule's audit controls standard: you must be able to show who accessed what and when
Disable third-party app access
Teams Admin Center → Teams Apps → Permission Policies
Block third-party apps by default. Allow only apps you have reviewed and that are covered by their own BAA
Third-party apps are outside Microsoft's BAA scope — each needs its own compliance review
Tenant-level enforcement matters
Apply these settings at the tenant level, or assign policies to Microsoft Entra ID groups (for example, all clinical staff) rather than to individual users, so new hires inherit them and nobody is missed when per-user assignments drift. Record the resulting configuration in your HIPAA compliance checklist.
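The remaining tenant-level settings (1 DLP, 2 external access, 3 guest access, 4 retention, 7 audit logging) can be applied and then read back from PowerShell, which also produces the configuration evidence the paragraph above asks you to record. This is an added example, not the article's or Microsoft's own script; the partner domain and policy names are placeholders, and the DLP policy starts in test mode so you can review matches before it blocks anything. Setting 8 (app permissions) is left to the Teams admin center, since Microsoft is moving it to app centric management.

```powershell
# Added example: apply settings 1, 2, 3, 4 and 7 from PowerShell and read them back.
# Placeholders (hypothetical): the partner domain and the policy names.
#Requires -Modules MicrosoftTeams, ExchangeOnlineManagement

# ---- Teams tenant settings (Teams PowerShell) ----
Connect-MicrosoftTeams

# Setting 2: federation only with an explicit partner list; no consumer Teams or Skype.
$partner   = New-CsEdgeDomainPattern -Domain "partner-clinic.example"   # placeholder domain
$allowList = New-CsEdgeAllowList -AllowedDomain $partner
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList `
    -AllowTeamsConsumer $false -AllowPublicUsers $false

# Setting 3: guest access off for the whole tenant. Re-enable per team only after a
# documented review, and never for teams that handle PHI.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# ---- Purview settings (Security & Compliance PowerShell) ----
Connect-IPPSSession

# Setting 1: DLP policy scoped to Teams. The rule matches Microsoft's built-in sensitive
# information types for SSNs and ICD-10 diagnosis codes, blocks the message, shows the
# sender a policy tip and files an incident report. Mode starts as TestWithNotifications;
# change it to Enable once the matches look right.
New-DlpCompliancePolicy -Name "HIPAA-Teams-PHI" -Comment "PHI in Teams chat and channels" `
    -TeamsLocation All -Mode TestWithNotifications | Out-Null
New-DlpComplianceRule -Name "HIPAA-Teams-PHI-Block" -Policy "HIPAA-Teams-PHI" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" }
    ) `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This message looks like it contains PHI and is blocked by policy." `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All | Out-Null

# Setting 4: Teams retention lives in its own policy (it cannot share one with Exchange
# or SharePoint). 2557 days is about 7 years; use the longer of your state record rule
# and HIPAA's six-year documentation rule.
New-RetentionCompliancePolicy -Name "HIPAA-Teams-Retention" `
    -TeamsChatLocation All -TeamsChannelLocation All | Out-Null
New-RetentionComplianceRule -Name "HIPAA-Teams-Retention-7y" -Policy "HIPAA-Teams-Retention" `
    -RetentionDuration 2557 -RetentionComplianceAction KeepAndDelete | Out-Null

# ---- Setting 7: audit (Exchange Online PowerShell) ----
Connect-ExchangeOnline
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
# Spot-check that Teams message events are actually being recorded.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType MicrosoftTeams -Operations MessageSent, MessageDeleted -ResultSize 20 |
    Select-Object CreationDate, UserIds, Operations

# ---- Read-back: keep this output with the risk assessment as evidence ----
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowPublicUsers
Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowGuestUser
Get-DlpCompliancePolicy -Identity "HIPAA-Teams-PHI" | Select-Object Name, Mode, TeamsLocation
Get-RetentionCompliancePolicy -Identity "HIPAA-Teams-Retention" |
    Select-Object Name, TeamsChatLocation, TeamsChannelLocation
```

Run the read-back section again after any admin-center change; drift between what the risk assessment says and what the tenant actually enforces is the gap auditors find first.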
What Teams Features Are — and Aren't — Under the BAA
Microsoft's BAA covers core Teams functionality, but not every feature. Knowing the boundary prevents accidental HIPAA violations.
Covered Under Microsoft's BAA
Teams chat (1:1 and group)
Encrypted in transit and at rest via TLS 1.2+ and AES-256
Teams channel messages
Covered under BAA with retention policy support
Audio and video calls
SRTP encryption for media streams
Teams meetings (scheduled & ad hoc)
Including screen sharing, whiteboard, and recording
Files shared in Teams
Stored in SharePoint/OneDrive — both covered under BAA
Meeting recordings
Stored in OneDrive/SharePoint with access controls
Voicemail transcription
Covered when using Teams Phone with E5 or Phone System add-on
Not Covered or At Risk
Third-party app data
Apps from the Teams marketplace are outside Microsoft's BAA
Guest user activity
Guests are authenticated by their home tenant: your device-compliance controls cannot be applied to their devices, and their copy of the conversation is outside your audit and retention scope
Personal Teams accounts
No BAA, no admin controls, no audit trail
Teams on unmanaged devices
PHI may be cached locally without encryption or remote wipe
Copilot AI outputs
AI-generated summaries and meeting recaps may contain PHI; confirm that the Copilot services you license are listed in the BAA before enabling them for clinical teams
Teams encrypts all data by default
Unlike Zoom, Teams doesn't require a special healthcare plan to enable encryption. All business plans use TLS 1.2+ in transit and AES-256 at rest. The compliance gap is in administrative controls, not encryption. See our HIPAA encryption requirements guide for details.
5 Mistakes That Break Teams Compliance
Teams is one of the easier platforms to make HIPAA-compliant, but these configuration gaps show up repeatedly in risk assessments.
Using Teams without signing the BAA
Microsoft's BAA is opt-in: it doesn't apply just because you hold a qualifying plan. Without it, storing or transmitting PHI in Teams violates the Privacy Rule's business associate contract requirement, regardless of plan tier.
Fix: Accept the BAA in Microsoft 365 Admin Center → Org Settings → HIPAA BAA before any clinical use.
Allowing guest access to clinical channels
Guests authenticate through their home tenant, so your device-compliance requirements and Intune policies cannot be enforced on their devices, and whatever they read or download is outside your audit and retention scope. PHI shared in a channel with guests is effectively unprotected.
Fix: Disable guest access globally or at the team level for any workspace handling PHI.
Skipping DLP policy configuration
Without DLP, clinicians can paste SSNs, diagnosis codes, and patient names into any Teams chat — including messages to external contacts.
Fix: Deploy Microsoft Purview DLP policies using the built-in U.S. HIPAA template.
No retention policies on Teams messages
Without retention policies, PHI persists indefinitely in chat history — or gets deleted by users before the 6-year retention period.
Fix: Set retention policies to preserve messages for 6-7 years via Microsoft Purview.
Installing third-party apps without BAA review
Marketplace apps can read Teams messages and files. They're outside Microsoft's BAA scope — each app needs its own compliance review.
Fix: Block all third-party apps by default. Whitelist only apps with signed BAAs.
These mistakes often overlap with broader compliance gaps. Run through our full HIPAA compliance checklist to catch what you're missing beyond Teams.
Teams vs. Zoom: HIPAA Compliance Compared
Both platforms can be HIPAA compliant, but they differ significantly in how much work you need to do — and what it costs. See our full Zoom HIPAA guide for details on Zoom's requirements.
| Category | Teams | Zoom | Edge |
|---|---|---|---|
| BAA availability | Included with all business/enterprise plans at no extra cost | Requires Healthcare plan (paid add-on, pricing not public) | TEAMS |
| Encryption | TLS 1.2+ in transit, AES-256 at rest, all plans | AES-256 GCM in transit and at rest, optional E2EE for meetings | TIE |
| DLP integration | Native Microsoft Purview DLP with HIPAA templates | No built-in DLP — requires third-party tools | TEAMS |
| Retention policies | Built-in via Microsoft Purview — chat, files, recordings | Limited — cloud recordings only, no chat retention | TEAMS |
| Device management | Intune + Conditional Access for managed devices | No native device management | TEAMS |
| Telehealth features | EHR integration, virtual visits, patient lobby | Dedicated telehealth UI, waiting room, patient intake | ZOOM |
| Cost for compliance | ~$22/user/mo (Business Premium) — all-in-one | $15-25/user/mo (Healthcare) + separate DLP/retention tools | TEAMS |
“If your practice already uses Microsoft 365, Teams is the easier path to HIPAA compliance. If you need purpose-built telehealth, Zoom for Healthcare has the better patient experience.”
Quick Reference: Teams HIPAA Compliance
Plans that qualify
Microsoft 365 Business Basic/Standard/Premium, E3, E5. Free, Personal, and Teams Essentials do not qualify.
BAA: free, no add-on required
Accept in Admin Center → Org Settings → HIPAA BAA. Standard terms, non-negotiable; covers Teams, Exchange, SharePoint and OneDrive.
8 settings to configure
DLP policies, external sharing, guest access, retention, MFA, device restrictions, audit logging, third-party apps.
Document everything
Add Teams to your risk assessment. Train staff on which channels are for PHI. Review quarterly.
Related Tools & Guides
Is Zoom HIPAA Compliant?
Zoom compliance requirements, Healthcare plan, and settings checklist.
Best HIPAA Video Conferencing
Side-by-side comparison of Teams, Zoom, Doxy.me, and other platforms.
Best HIPAA Compliant Messaging
Secure messaging platforms for patient communication.
BAA Template Generator
Generate a customized Business Associate Agreement in minutes.
HIPAA Compliance Checklist
Step-by-step checklist for Privacy, Security, and Breach rules.