Microsoft Defender is Microsoft’s security product family for threat prevention, detection, and response across email, identities, endpoints, cloud apps, workloads, and other environments. Microsoft presents Defender as a suite rather than a single product.
Is Microsoft Defender HIPAA compliant? Based on Microsoft’s current compliance documentation, Microsoft Defender can be HIPAA compliant.
We did not identify any publicly disclosed change to Microsoft’s core HIPAA position for Defender-related services. Microsoft still says its HIPAA BAA is available through the Microsoft Online Services Data Protection Addendum for covered entities and business associates, and Microsoft’s current published DPA materials continue to reference the HIPAA BAA within its licensing framework.
Yes. Microsoft says it offers covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services. Microsoft also says the HIPAA BAA is available through the Microsoft Online Services Data Protection Addendum by default, and its Azure HIPAA documentation explains that there is no separate contract to sign because the BAA is incorporated through the Product Terms and DPA.
Microsoft says its BAA covers in-scope Microsoft services and establishes the permitted and required uses and disclosures of PHI by Microsoft as a business associate. Microsoft also says the BAA includes contractual assurances around data safeguarding, reporting including breach notifications, and data access in accordance with HIPAA and the HITECH Act.
For Defender-related services, Microsoft’s HIPAA page expressly names these as in-scope:
Microsoft’s broader cloud compliance documentation also shows that several other Defender-branded services appear in Microsoft audit scope materials, including Microsoft 365 Defender, Microsoft Defender for Cloud, Microsoft Defender for Endpoint, and Microsoft Defender for Identity. That is helpful for due diligence, but the safest compliance approach is still to confirm your exact Defender service in Microsoft’s Service Trust Portal and Product Terms before relying on it for PHI workflows.
Microsoft does not say that every Defender-branded tool is universally HIPAA compliant in every use case. Instead, Microsoft limits BAA coverage to in-scope services and says that using Microsoft services does not, on its own, achieve HIPAA compliance. That means the customer still carries responsibility for access controls, logging, retention, incident response, workforce training, and the way PHI is actually used inside the environment.
That limitation matters here because Microsoft Defender is a product family with enterprise, business, and even consumer offerings. Microsoft’s consumer Defender app is not the same thing as Microsoft’s enterprise cloud services, and HIPAA analysis should focus only on the covered business services that fall under Microsoft’s BAA.
Microsoft Defender may be HIPAA compliant, but the answer is product-specific. If you use Defender services that Microsoft lists as in scope under its HIPAA BAA, such as Defender for Office 365, Defender for Cloud Apps, or certain Defender Experts services, then Microsoft can support HIPAA compliance. Microsoft Defender is HIPAA compliant only for those specific in-scope services, and only when your organization also configures and uses them in a HIPAA-compliant way.
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
A business associate agreement is a contract between a HIPAA covered entity and a business associate that sets the permitted and required uses and disclosures of PHI and helps ensure PHI is properly protected.
HIPAA is a U.S. healthcare privacy and security law that sets requirements for the use, disclosure, and safeguarding of individually identifiable health information.
HIPAA applies to covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as business associates that create, receive, maintain, transmit, or access PHI on their behalf.