
Microsoft HIPAA BAA: Where to Find It

A quick video and written walkthrough for finding Microsoft's HIPAA Business Associate Agreement for Microsoft 365 and related cloud services.

By Chris Chobot - Published June 15, 2026

A practical walkthrough showing where Microsoft makes its HIPAA Business Associate Agreement available for Microsoft 365 customers.


1. Where to find the Microsoft HIPAA BAA

Microsoft makes its HIPAA Business Associate Agreement available through the Microsoft Service Trust Portal. The shortcut shown in the video is aka.ms/baa, which redirects to the Service Trust Portal document page.

You may need to sign in with a Microsoft account tied to your organization before the portal shows the document. If your organization uses Microsoft 365 for work, sign in with the same work account you use for Microsoft 365 administration or compliance review.

  • Open aka.ms/baa or go to the Microsoft Service Trust Portal.
  • Sign in with the Microsoft work account connected to the organization.
  • Open the Microsoft HIPAA Business Associate Agreement document.
  • Save the document or record where it is stored for your organization's vendor and BAA records.

2. What the BAA does and does not do

Microsoft states that it offers a Business Associate Agreement to customers that are covered entities or business associates under HIPAA, and that the Microsoft HIPAA Business Associate Agreement is made available through the Microsoft Online Services Data Protection Addendum by default for those customers.

That does not mean Microsoft 365 usage automatically makes an organization HIPAA compliant. The BAA covers Microsoft's obligations as a business associate for the in-scope services; how your tenant is configured and used remains your responsibility. Your organization still has to configure services appropriately, train staff, manage access, keep policies current, review vendors, and document how PHI is protected in day-to-day workflows.

3. What to document after you find it

After finding the Microsoft BAA, treat it as one piece of your vendor record. Record the vendor name, the service being used, whether the vendor may create, receive, maintain, transmit, or access PHI, and where the agreement evidence is stored.

If your organization uses Microsoft 365, SharePoint, OneDrive, Teams, Exchange Online, Power Platform, Azure, or other Microsoft cloud services for PHI-related work, review Microsoft's in-scope service list and confirm that your actual subscription and configuration match the way your organization intends to use the service.

  • Track Microsoft as a vendor if Microsoft services support PHI-related workflows.
  • Record BAA status and where evidence is stored.
  • Review staff access, MFA, sharing settings, retention, device access, and audit logging separately; the BAA does not attest to any of these tenant settings.
  • Revisit the record when services, subscriptions, or PHI workflows change.

4. Important note

This page is educational and is not legal, regulatory, or cybersecurity advice. For legal interpretation, contract questions, or organization-specific HIPAA obligations, involve qualified counsel or compliance advisors.
