Is Microsoft Teams HIPAA Compliant? M365 BAA & Configuration Guide
Microsoft Teams can be used in a HIPAA-compliant way when it is licensed through a Microsoft 365 Business or Enterprise subscription, because those subscriptions include Microsoft's Business Associate Agreement (BAA). Teams is covered by the same BAA as the other core Microsoft 365 services such as Outlook (Exchange Online), OneDrive, and SharePoint. No tool is compliant on its own, though: the BAA establishes Microsoft's obligations, while the covered entity remains responsible for configuring access controls, data loss prevention, retention, and auditing. With that caveat, Teams is one of the most accessible collaboration platforms for healthcare organizations.
Microsoft Teams is HIPAA compliant with a Microsoft 365 Business or Enterprise BAA. The BAA covers Teams messaging, video, file sharing, and integrations with other M365 services. Configuration of DLP, retention, and access controls is required.
Compliance Assessment
- Encryption: Teams encrypts data in transit (TLS 1.2 or later for signaling, SRTP for audio and video) and at rest (AES-256 in Microsoft datacenters). End-to-end encryption is available for one-to-one calls only; it is off by default and must be allowed by an admin policy and then switched on by both participants.
- Business Associate Agreement: Microsoft provides a BAA as part of Microsoft 365 Business and Enterprise agreements, covering Teams and the other core M365 services.
- Access control: Microsoft Entra ID (formerly Azure AD) provides SSO, MFA, Conditional Access policies, and role-based access control for Teams and all M365 services. Conditional Access requires Microsoft Entra ID P1, which is bundled with Microsoft 365 Business Premium, E3, and E5 but not with Business Basic, Business Standard, or Office 365 E1; tenants without it get security defaults only.
- Audit logging: The Microsoft Purview compliance portal (formerly the Microsoft 365 Compliance Center) provides unified audit logs for Teams messages, meetings, file access, and admin actions.
- Data loss prevention: Microsoft Purview DLP integrates with Teams to detect and block PHI in messages and files. Coverage differs by workload: DLP for Exchange, SharePoint, and OneDrive is in E3, while DLP for Teams chat and channel messages has required E5 or an E5 compliance add-on. Check Microsoft's current licensing guidance for the plan in use.
- Information barriers: Information barriers can prevent specific groups from communicating, which is useful for separating clinical and non-clinical staff. This is also an E5-tier feature.
- Retention: Microsoft Purview retention policies can be applied to Teams messages and files with customizable retention periods.
- Recording: Policy-based (compliance) recording for Teams calls and meetings is available through Microsoft-certified third-party solutions. Ordinary meeting recording is a separate, user-initiated feature whose output lands in OneDrive or SharePoint.
- Sensitivity labels: Microsoft Purview Information Protection sensitivity labels can classify and protect teams (the underlying Microsoft 365 groups), their SharePoint sites, and files containing PHI. A container label can also block guest membership on the teams it is applied to.
- Guest access: Guest access in Teams allows external collaboration but introduces compliance risk. It must be carefully managed, or switched off, for teams and channels that handle PHI.
Business Associate Agreement (BAA)
Microsoft provides a BAA as part of its standard Microsoft Products and Services Data Protection Addendum (formerly part of the Online Services Terms) for Business Basic, Business Standard, Business Premium, E1, E3, E5, F1, F3, and Government plans. The BAA covers Teams, Exchange Online, SharePoint Online, OneDrive for Business, and the other core M365 services. No separate BAA request or signature is needed; it is part of the standard agreement.
How to Make Microsoft Teams HIPAA Compliant
Confirm that your Microsoft 365 subscription is a Business or Enterprise plan covered by the BAA: check the licensed SKUs in the Microsoft 365 admin center, and keep a copy of the Data Protection Addendum in your compliance records, since auditors will ask for the BAA.
Enable MFA for all users with a Microsoft Entra Conditional Access policy (requires Entra ID P1). On plans without Conditional Access, turn on security defaults instead. Start the policy in report-only mode and exclude a break-glass account so an MFA outage cannot lock out every administrator.
Configure Microsoft Purview DLP policies to detect and protect PHI in Teams messages and shared files. Remember that Teams-message DLP is licensed separately from file DLP.
Set up retention policies for Teams messages and for meeting recordings. Teams chat and channel messages are retained by a Teams-specific policy; recordings live in OneDrive and SharePoint and need a policy that covers those locations. HIPAA itself mandates six-year retention of compliance documentation (45 CFR 164.316), while medical-record retention periods come from state law, so set durations with your compliance team.
Apply sensitivity labels to the teams (Microsoft 365 groups) and files that handle PHI.
Restrict guest access for teams that contain or discuss PHI: tenant-wide in the Teams admin center, or per team through the group's guest setting or a sensitivity label that disallows guests.
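The following script is an added example, not Microsoft documentation or anything taken from the original page. It applies the steps above (SKU check, MFA Conditional Access, Teams DLP, Teams message retention, per-team guest restriction, and a verification pass) with the Microsoft Graph, Security & Compliance, and Microsoft Teams PowerShell modules. Policy names, the break-glass group name, the PHI team name, the sensitive information types, and the 2190-day retention period are assumptions to adjust before running; sensitivity labels are not scripted because label design is tenant-specific. It assumes the signed-in admin holds the Conditional Access Administrator, Compliance Administrator, and Teams Administrator roles and that the tenant carries the licences each feature needs (Entra ID P1 for Conditional Access, E5 or an E5 compliance add-on for Teams-message DLP).

```powershell
# Added example: scripts the Teams HIPAA configuration steps on this page.
# Requires modules Microsoft.Graph, ExchangeOnlineManagement and MicrosoftTeams.
# All names below are assumptions; change them to match your tenant.
$ErrorActionPreference = 'Stop'

# --- Step 1: confirm the tenant holds Business/Enterprise SKUs covered by the BAA
Connect-MgGraph -Scopes 'Organization.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Group.Read.All', 'Directory.ReadWrite.All' -NoWelcome
Get-MgSubscribedSku | Select-Object SkuPartNumber, ConsumedUnits | Format-Table

# --- Step 2: require MFA for every user on every cloud app (Entra ID P1 needed).
# Assumption: a break-glass group named 'BreakGlass-Admins' exists. It is excluded
# so an MFA outage cannot lock out all administrators.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Admins'"
if (-not $breakGlass) { throw "Create the break-glass group before enabling MFA enforcement." }
$caPolicy = @{
    displayName   = 'HIPAA - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy | Out-Null

# --- Step 3: DLP policy covering Teams messages plus the stores Teams writes to.
Connect-IPPSSession
New-DlpCompliancePolicy -Name 'HIPAA PHI - Teams' `
    -TeamsLocation All -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications | Out-Null        # simulate first; switch to -Mode Enable after tuning
# Assumption: two built-in sensitive information types as a starting point.
# Extend with the medical-term and ICD types from Microsoft's HIPAA DLP template.
$phiTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)';        minCount = '1' },
    @{ Name = 'Drug Enforcement Agency (DEA) Number';     minCount = '1' }
)
New-DlpComplianceRule -Name 'Block PHI shared outside the org' -Policy 'HIPAA PHI - Teams' `
    -ContentContainsSensitiveInformation $phiTypes -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High | Out-Null

# --- Step 4: retention for Teams chat and channel messages. Teams locations must sit
# in their own retention policy; recordings in OneDrive/SharePoint need a second
# policy with -OneDriveLocation / -SharePointLocation (not shown).
# Assumption: 2190 days (about six years) mirrors the 45 CFR 164.316 documentation
# period; state medical-record law may require longer.
New-RetentionCompliancePolicy -Name 'HIPAA - Teams messages' `
    -TeamsChatLocation All -TeamsChannelLocation All -Enabled $true | Out-Null
New-RetentionComplianceRule -Name 'Keep Teams messages 6 years' -Policy 'HIPAA - Teams messages' `
    -RetentionDuration 2190 -RetentionComplianceAction Keep | Out-Null

# --- Step 6: guest access. Report the tenant-wide switch, then block guests on the
# Microsoft 365 group behind one PHI team (assumption: team named 'Clinical-PHI').
Connect-MicrosoftTeams | Out-Null
$teamsCfg = Get-CsTeamsClientConfiguration -Identity Global
Write-Output "Tenant-wide guest access enabled: $($teamsCfg.AllowGuestUser)"
$phiGroup = Get-MgGroup -Filter "displayName eq 'Clinical-PHI'"
if (-not $phiGroup) { throw "PHI team 'Clinical-PHI' not found." }
$guestTemplate = Get-MgGroupSettingTemplate | Where-Object DisplayName -eq 'Group.Unified.Guest'
# New-MgGroupSetting fails if the group already has this setting; update it instead in that case.
New-MgGroupSetting -GroupId $phiGroup.Id -BodyParameter @{
    templateId = $guestTemplate.Id
    values     = @(@{ name = 'AllowToAddGuests'; value = 'false' })
} | Out-Null

# --- Verify what was applied. Evidence for the auditor: keep this output.
Get-DlpCompliancePolicy -Identity 'HIPAA PHI - Teams' | Select-Object Name, Mode, TeamsLocation
Get-RetentionCompliancePolicy -Identity 'HIPAA - Teams messages' -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -eq 'HIPAA - Require MFA for all users' | Select-Object DisplayName, State
Get-MgGroupSetting -GroupId $phiGroup.Id | Select-Object DisplayName, Values
```

Run it once in a test tenant. The Conditional Access policy is created in report-only mode and the DLP policy in test mode on purpose: review the sign-in logs and DLP alerts for a week before flipping them to enforce, because a blocking policy that matches legitimate clinical traffic will push staff to unmanaged channels, which is the outcome the exercise is meant to prevent.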
Limitations
- Free Teams and the consumer (personal) version are not covered by the Microsoft 365 BAA.
- Conditional Access needs Microsoft Entra ID P1; Business Basic, Business Standard, and Office 365 E1 tenants have only security defaults unless P1 is added.
- DLP for Teams chat and channel messages and information barriers are E5-tier features; E3 includes DLP for Exchange, SharePoint, and OneDrive but not for Teams messages.
- Third-party Teams apps and connectors are not covered under the Microsoft BAA; each vendor needs its own BAA if it will see PHI.
- End-to-end encryption covers one-to-one calls only and disables recording, transcription, live captions, and call transfer for those calls.
- Guest access can introduce compliance risk if not properly restricted, and guest users are not licensed or administered by the tenant that hosts them.
Frequently Asked Questions
Is Microsoft Teams HIPAA compliant?
Yes, provided it is configured properly. Microsoft Teams can be used in a HIPAA-compliant way with a Microsoft 365 Business or Enterprise subscription. The BAA is included in Microsoft's standard Data Protection Addendum and covers Teams along with the other core M365 services; the customer still has to configure MFA, DLP, retention, and guest access.
Does Microsoft offer a BAA for Teams?
Yes. The Microsoft BAA covers Teams as part of the standard Microsoft Products and Services Data Protection Addendum. It applies automatically to Business and Enterprise plans; no separate request or signature is needed.
Can doctors use Teams for patient video calls?
Yes. Teams video meetings are covered by the BAA. For telehealth, configure the meeting lobby (the Teams equivalent of a waiting room) so that anonymous and external participants wait to be admitted, restrict who can bypass the lobby, limit anonymous join where it is not needed, and set a recording policy that decides whether visits may be recorded and where recordings are retained. Teams meetings do not use meeting passwords.
Is Teams more compliant than Slack for healthcare?
Teams is more accessible for HIPAA compliance because the BAA is included on broader M365 plans (Business and up). Slack requires the top-tier Enterprise Grid plan for a BAA, making it more expensive for HIPAA.
What Microsoft 365 plan do I need for HIPAA Teams?
Any Microsoft 365 Business or Enterprise plan includes the BAA covering Teams. Conditional Access needs Entra ID P1 (Business Premium, E3, or E5), and DLP for Teams messages needs E5 or an E5 compliance add-on, so E5 is the plan that covers the full control set without add-ons.
Are Teams meeting recordings HIPAA compliant?
Meeting recordings are stored in OneDrive (for non-channel meetings, in the OneDrive of the person who started the recording) or in the team's SharePoint site (for channel meetings), and both locations are covered under the BAA. Configure retention policies for those locations and review sharing and access settings for recordings that contain PHI discussions.
Generate HIPAA policies for your stack
PoliWriter creates all the HIPAA policies you need, customized to tools like Microsoft Teams and your specific configuration. AI-powered, audit-ready, hours not months.