Get a HIPAA BAA from Microsoft for Office 365

Click on Security and Compliance

Years ago we posted a tip on how to get your business associate agreement (BAA) from Microsoft if you used their Office 365 services. The process has changed a bit now, so we decide to revisit that topic in a new article: Here’s how you get your BAA for Microsoft’s online services.

It used to be a much-more complicated process, but now it’s fairly straightforward as you’re automatically enrolled and no action is required unless you want to opt out of the BAA. Here’s how to make verify your profile is all setup properly and get yourself a copy of the BAA for your records:

  • Log into your Office 365 account with an admin-level account. Hit the 9-dot-menu and click on “Security and Compliance”
  • Click on the settings area under “Service Assurance”:
  • Make sure your region is set to “North America” and your “Industry” is set to “Healthcare.”
  • After you hit save, you’ll see under “Service Assurance” the “Trust Documents” section. In that vast number of links, there is one for the “Azure HIPAA Hitech Implementation Guide”:
  • On page four of that guide, you’ll find a link to the Online Services Teams which basically states that Microsoft Includes execution of the HIPAA BAA as part of customer’s agreement when they sign up for Microsoft’s online services.
  • If you need a copy of Microsoft’s BAA for your records, you can find it here. You can see the rest of Microsoft’s HIPAA Compliance documents here.
  • If you need to opt out of the BAA, the Azure HIPAA HITECH guide has directions to do so.

So long story short, if you sign-up for Office 365, the BAA is executed when you agree to the licensing terms.

Comment : 1
1 comment
  • David T

    I looked at the document you highlighted above, Azure HIPPA HITECH Implementation Guide, and under the section where it describes which services are covered, Office 365 email is not listed. I also saw in a previous guide you posted that there is some requirement to notify Microsoft who the HIPPA compliance officer of the business should be so they have a contact to send notices to in case of a breach or other incident. I’ll keep looking.

Leave a Reply

Your email address will not be published.


- A Team That Supports Your
People, Not Just Your Technology