
Is Microsoft Defender HIPAA compliant? (2026 update)

Microsoft Defender is Microsoft’s security product family for threat prevention, detection, and response across email, identities, endpoints, cloud apps, workloads, and other environments. Microsoft presents Defender as a suite rather than a single product.

Is Microsoft Defender HIPAA compliant? Based on Microsoft’s current compliance documentation, Microsoft Defender can be HIPAA compliant.

 

What changed this year?

We did not identify any publicly disclosed change to Microsoft’s core HIPAA position for Defender-related services. Microsoft still says its HIPAA BAA is available through the Microsoft Online Services Data Protection Addendum for covered entities and business associates, and Microsoft’s current published DPA materials continue to reference the HIPAA BAA within its licensing framework.

 

Will Microsoft sign a business associate agreement?

Yes. Microsoft says it offers covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services. Microsoft also says the HIPAA BAA is available through the Microsoft Online Services Data Protection Addendum by default, and its Azure HIPAA documentation explains that there is no separate contract to sign because the BAA is incorporated through the Product Terms and DPA.

 

What does the Microsoft BAA cover?

Microsoft says its BAA covers in-scope Microsoft services and establishes the permitted and required uses and disclosures of PHI by Microsoft as a business associate. Microsoft also says the BAA includes contractual assurances around data safeguarding, reporting including breach notifications, and data access in accordance with HIPAA and the HITECH Act.

For Defender-related services, Microsoft’s HIPAA page expressly names these as in-scope:

  • Microsoft Defender for Office 365
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender Experts for Hunting
  • Microsoft Defender Experts for XDR

Microsoft’s broader cloud compliance documentation also shows that several other Defender-branded services appear in Microsoft audit scope materials, including Microsoft 365 Defender, Microsoft Defender for Cloud, Microsoft Defender for Endpoint, and Microsoft Defender for Identity. That is helpful for due diligence, but the safest compliance approach is still to confirm your exact Defender service in Microsoft’s Service Trust Portal and Product Terms before relying on it for PHI workflows.

 

What does the Microsoft BAA exclude?

Microsoft does not say that every Defender-branded tool is universally HIPAA compliant in every use case. Instead, Microsoft limits BAA coverage to in-scope services and says that using Microsoft services does not, on its own, achieve HIPAA compliance. That means the customer still carries responsibility for access controls, logging, retention, incident response, workforce training, and the way PHI is actually used inside the environment.

That limitation matters here because Microsoft Defender is a product family with enterprise, business, and even consumer offerings. Microsoft’s consumer Defender app is not the same thing as Microsoft’s enterprise cloud services, and HIPAA analysis should focus only on the covered business services that fall under Microsoft’s BAA.

 

Conclusion

Microsoft Defender may be HIPAA compliant, but the answer is product-specific. If you use Defender services that Microsoft lists as in scope under its HIPAA BAA, such as Defender for Office 365, Defender for Cloud Apps, or certain Defender Experts services, then Microsoft can support HIPAA compliance. Microsoft Defender is HIPAA compliant only for those specific in-scope services, and only when your organization also configures and uses them in a HIPAA-compliant way.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What is a business associate agreement?

A business associate agreement is a contract between a HIPAA covered entity and a business associate that sets the permitted and required uses and disclosures of PHI and helps ensure PHI is properly protected.

What is HIPAA?

HIPAA is a U.S. healthcare privacy and security law that sets requirements for the use, disclosure, and safeguarding of individually identifiable health information.

Who does HIPAA apply to?

HIPAA applies to covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as business associates that create, receive, maintain, transmit, or access PHI on their behalf.
