
Update 2/26/18: We’ve posted a new article on this, as the interface and the process to get your BAA has changed. Read here: Get your HIPAA BAA from Microsoft.
If your organization falls under any sort of HIPAA regulations, you’re probably already familiar with the term Business Associate Agreement (BAA). You generally need to have one for every contractor that could potentially have access to protected health information (PHI). Microsoft will provide you one if you are a user of Office 365, but it’s a bit tricky to find on their site. Let us help you track it down.
1. Log into your Office 365 account with an account administrator logon.
2. Click on the “App” button in the upper left corner (the one with nine dots on it).
4. You should get a menu of items you can adjust. Depending on the Office 365 console version you have (which generally depends on the age of your account), you will either see a list on the left side of options or you’ll need to scroll down to see your options. If you have a list on the left side, select “Billing –> Subscriptions”. If your options are on the bottom of your page, select “View and Edit Subscriptions” under “Billing”.
5. On the next page, scroll down and under “Resources” click on “Optional Privacy and Security Contractual Supplements”.
6. On that page you should see the “Office 365 and CRM Online HIPAA/HITECH Business Associate Agreement.” Check off the box for that agreement, provide your electronic signature, and click “accept.”
7. After clicking accept, you’ll want to print out or save a copy of the agreement and provide it to your HIPAA security officer for their recordkeeping.
There are also several other settings, procedures and caveats regarding Office 365 and the HIPAA/HITECH Act that you’ll need to consider. Microsoft has that document for your perusal here.