Microsoft Teams can meet HIPAA requirements with the right plan and configuration — but compliance is your organization's responsibility.
Get started for freeYes, with conditions. Microsoft lists Teams as an in-scope service for HIPAA and includes a BAA by default through the Online Services Data Protection Addendum. But using Teams does not automatically make an organization HIPAA compliant — Microsoft states that the organization is responsible for configuring Teams and maintaining its own compliance program.
The HIPAA Business Associate Agreement is available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA.
Source: Microsoft HIPAA and HITECH compliance offeringHIPAA-compliant Teams use requires a Microsoft 365 plan with enterprise security and compliance tools, such as Microsoft 365 E3, E5, or Business Premium.
Source: Microsoft HIPAA and HITECH compliance offeringMicrosoft states that using its services does not on its own achieve HIPAA compliance. The HIPAA Security Rule places the burden on the covered entity to configure DLP policies, retention settings, audit logging, and access controls.
Source: HHS HIPAA Security RuleAudit (Standard), audit log search, and eDiscovery (Standard) are included with standard M365 licensing. Advanced audit and eDiscovery (Premium) require additional licensing.
Source: Microsoft Teams security and complianceMicrosoft's HIPAA compliance page states: "By offering a Business Associate Agreement, Microsoft helps support your HIPAA compliance. However, using Microsoft services doesn't on its own achieve HIPAA compliance. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place."Source: Microsoft HIPAA and HITECH compliance offering
Required plan: Microsoft 365 E3, E5, or Business Premium
Requires IT staff who can configure and maintain Microsoft 365 security and compliance settings. Not a one-time setup — policies need ongoing review as Microsoft updates Teams features and defaults.
Purpose-built HIPAA messaging that ships compliant out of the box. Signed BAA included at signup on every plan, including the free plan. No M365 environment required.
Enterprise clinical messaging for hospitals and health systems with role-based routing, EHR integrations, and care team assignments.
HIPAA-compliant communication platform for medical practices with secure messaging, phone, fax, and telehealth in one system.
For a detailed comparison, see BloomText vs Microsoft Teams.
Yes, conditionally. Microsoft lists Teams as an in-scope HIPAA service and includes a BAA by default. But the organization must configure DLP, retention, audit, and access controls to meet HIPAA requirements.
Yes. The HIPAA Business Associate Agreement is included through the Microsoft Online Services Data Protection Addendum by default for all eligible customers. No separate signing step is required.
Microsoft 365 E3, E5, or Business Premium include the enterprise security and compliance features needed for HIPAA-governed Teams use. Lower-tier plans may not include the required compliance tools.
Technically yes, but configuring and maintaining M365 compliance settings requires IT expertise. Smaller practices without dedicated IT staff may find the overhead disproportionate to the messaging need.
Last verified May 26, 2026.
