According to Microsoft, “Microsoft 365 Commercial products and cloud services revenue increased $10.8 billion or 14%” in the 2025 fiscal year, compared to the 2024 fiscal year. This demonstrates the widespread use of Microsoft 365 products. As adoption continues to grow across industries, including healthcare, organizations must ensure that their use of Microsoft 365, particularly email, meets HIPAA compliance requirements when handling protected health information (PHI).
While Microsoft 365 can support HIPAA compliance, it is important to note that it is not HIPAA compliant by default. Healthcare organizations must take deliberate steps to configure Exchange Online and Outlook correctly, implement safeguards, and establish clear policies.
Microsoft’s HIPAA Compliance: Microsoft Office 365 and Microsoft Teams white paper (commissioned by Microsoft and authored by HIPAA One) stresses that HIPAA compliance is a shared responsibility between the cloud service provider and the customer. Microsoft builds its cloud infrastructure to support compliance with regulatory standards such as HIPAA, offering security features that organizations can leverage. However, you must configure and manage these features correctly to meet HIPAA requirements.
Key aspects of HIPAA, such as confidentiality, integrity, and availability of PHI, map directly to technical safeguards you can implement in Microsoft 365. These controls include secure architecture, access control, audit logging, encryption, and proper administrative policies.
The most fundamental requirement for HIPAA compliance when using third-party services like Microsoft 365 is having a business associate agreement (BAA). Under HIPAA, a business associate is any service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Microsoft offers a HIPAA BAA to qualified customers, including healthcare organizations and business associates, through its Microsoft Online Services Data Protection Addendum (DPA).
Without a signed BAA, you cannot rely on Microsoft 365 email as part of a HIPAA compliant system, regardless of how you configure the platform.
Microsoft 365 includes a suite of information protection and compliance tools you can use to safeguard PHI:
Controlling who can access email and PHI is essential. Configuring strong access controls includes:
These measures help ensure that only authorized users can view or send emails containing sensitive health information.
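The following Exchange Online PowerShell session is an added example, not code from the article, Paubox, or Microsoft. It implements two of the safeguards discussed above: it turns off automatic forwarding to external recipients at the outbound spam policy (so a compromised mailbox cannot silently leak PHI), disables POP and IMAP on all mailboxes to shrink the access surface, and creates a mail flow rule that applies the built-in “Encrypt” rights-protection template to outbound messages that match a sensitive information type. The administrator account, rule name, and subject tag are placeholders; the cmdlets and parameter names are Microsoft’s, but run them in a test tenant first.

```powershell
# Added example (not from the article). Requires the ExchangeOnlineManagement module
# and an account holding an Exchange administrator role.
# admin@contoso.example is a placeholder sign-in name.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Block automatic forwarding to recipients outside the tenant.
#    With AutoForwardingMode Off, inbox rules and mailbox forwarding that target
#    external addresses are dropped by the outbound spam policy.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Select-Object Name, AutoForwardingMode        # expect: Off

# 2. Disable POP and IMAP for every mailbox. These protocols are rarely needed
#    for Outlook users and add client paths that bypass modern mail clients.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# 3. Encrypt outbound mail that appears to contain PHI. The rule fires only when
#    the message leaves the organization AND matches the built-in SSN sensitive
#    information type; conditions on a single rule are ANDed, so a second rule
#    lets senders force encryption by tagging the subject. "Encrypt" is the
#    built-in Microsoft Purview Message Encryption template.
New-TransportRule -Name "Encrypt outbound PHI (SSN detected)" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = "U.S. Social Security Number (SSN)"; MinCount = 1 }
    ) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Priority 0

New-TransportRule -Name "Encrypt outbound PHI (sender tag)" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[ENCRYPT]" `              # placeholder tag chosen for this example
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Priority 1

# 4. Verify the rules are enabled and in the expected order.
Get-TransportRule -Identity "Encrypt outbound PHI*" |
    Format-Table Name, State, Priority -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats a reviewer would raise: the SSN sensitive information type is a proxy for PHI, not a definition of it, so add the health-related sensitive information types your data actually contains (or a custom type) before relying on the rule; and `AutoForwardingMode Off` does not remove forwarding that was configured earlier, so enumerate existing mailbox forwarding separately (shown in the audit example later in this article).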
HIPAA requires that “A regulated entity must implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.” Microsoft 365’s unified audit log captures user and administrative activity across services such as Exchange Online (for example, sign-ins, mailbox access, and the creation or modification of inbox forwarding rules), helping you track who touched PHI, spot unauthorized forwarding, and investigate potential security incidents. Confirm that audit log ingestion and mailbox auditing are actually enabled for your tenant, and be aware that retention in the default audit tier is limited (180 days at the time of writing), so forward the log to a SIEM or archive if you need a longer record.
Configuring alerts for unusual sign-in patterns, new forwarding rules, or mass data exports helps you detect and respond to risks early rather than discovering them during an audit.
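As an added example of the audit checks described above (not code from the article, Paubox, or Microsoft), the following Exchange Online PowerShell session confirms that auditing is switched on, pulls the last 30 days of inbox-rule changes from the unified audit log, flags rules that forward, redirect, or delete mail, and lists mailboxes that already have admin-level forwarding set. The administrator account and the tenant domain used to decide whether a recipient is external are placeholders.

```powershell
# Added example (not from the article). Requires the ExchangeOnlineManagement module
# and an account with the Audit Logs role; admin@contoso.example and
# contoso.example are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
$internalDomain = 'contoso.example'   # placeholder: your accepted domain

# 1. Prerequisites: unified audit ingestion on, mailbox auditing not disabled.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled   # expect True
Get-OrganizationConfig  | Select-Object AuditDisabled                     # expect False

# 2. Inbox-rule operations from the last 30 days. Search-UnifiedAuditLog returns
#    at most 5000 records per call; use -SessionCommand ReturnLargeSet to page
#    through larger sets. UpdateInboxRules (Outlook desktop) writes a different
#    AuditData shape and is reviewed separately, so it is excluded here.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-InboxRule','Set-InboxRule' -ResultSize 5000

# 3. Parse AuditData (a JSON string) and flag exfiltration-style rule actions.
$suspect = 'ForwardTo','ForwardAsAttachmentTo','RedirectTo','DeleteMessage','MoveToFolder'
$findings = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $d.Parameters) { $params[$p.Name] = $p.Value }   # Name/Value pairs
    $hits = @($suspect | Where-Object { $params.ContainsKey($_) })
    if ($hits.Count -eq 0) { continue }
    # Recipients named by any forward/redirect action, as one string for matching.
    $recipients = @($params['ForwardTo'], $params['ForwardAsAttachmentTo'], $params['RedirectTo']) -join ' '
    [pscustomobject]@{
        When      = $d.CreationTime
        User      = $d.UserId
        ClientIP  = $d.ClientIP
        Operation = $d.Operation
        RuleName  = $params['Name']
        Actions   = ($hits | ForEach-Object { "$_=$($params[$_])" }) -join '; '
        External  = ($recipients.Trim() -ne '') -and ($recipients -notmatch [regex]::Escape($internalDomain))
    }
}
$findings | Sort-Object When -Descending | Format-Table -AutoSize

# 4. Mailbox-level forwarding set by an administrator does not show up as an
#    inbox rule, so list it directly.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object Name, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

Disconnect-ExchangeOnline -Confirm:$false
```

Schedule this as a recurring job and feed the `$findings` output into your ticketing or SIEM pipeline; an inbox rule created from an unfamiliar `ClientIP` that forwards externally and deletes the original is one of the most reliable indicators of a compromised Microsoft 365 mailbox.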
Technical controls alone are not sufficient. HIPAA also requires administrative safeguards, including documented policies, procedures, and workforce training. Your organization should:
These administrative actions help reinforce secure behavior and support audit readiness.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
No. HIPAA compliance is a shared responsibility. Microsoft is responsible for securing its cloud infrastructure, while your organization is responsible for configuring the platform correctly, managing users, training staff, and enforcing policies.
Microsoft 365 can support HIPAA compliant email when properly configured, but it requires active management. Some organizations choose to supplement Microsoft 365 with dedicated HIPAA-focused email solutions like Paubox for simplified encryption and reduced administrative burden.