Microsoft moved Copilot Health into preview on May 29, 2026, opening access to Copilot users in the U.S. who are 18 or older and have a Microsoft 365 Personal, Family, or Premium subscription.
What happened
The tool creates a dedicated health space inside Copilot where users can add a health profile, connect Apple Health data, link health records from more than 50,000 U.S. provider organizations, ask health-related questions, review lab results, and search for healthcare providers. The company stresses Copilot Health is in preview, may change over time, and is not a substitute for professional medical advice.
In the know
The company says the data is encrypted at rest and in transit, health conversations are not used to train AI, and users can manage, delete, or disconnect health data sources at any time. The approach closely resembles OpenAI’s ChatGPT Health release, which also creates a separate health space for medical records, wellness apps, files, memories, and health conversations, with those conversations excluded from foundation model training.
The main difference is positioning. Microsoft frames Copilot Health as a preview for U.S. Microsoft 365 Personal, Family, and Premium subscribers aged 18 and older, with care navigation, provider search, connected health records, and Apple Health integration built into Copilot. OpenAI frames ChatGPT Health as a dedicated consumer health experience inside ChatGPT, with connected records and wellness apps used to ground responses in personal context.
What was said
According to Microsoft, “This preview marks the next step in our deliberate, phased rollout, expanding access, and adding new features over time. We’re eager to hear your feedback and ideas as we prepare to bring even more features to Copilot Health in the months ahead.”
Going deeper
Over the past year, Microsoft 365 Copilot faced EchoLeak, tracked as CVE-2025-32711, where a crafted email could trigger AI command injection and potentially expose information over a network; researchers later described the access path as remote, unauthenticated data exfiltration through a single email, using Copilot’s connection to internal Microsoft 365 context as the leverage point.
January 2026 brought Reprompt, a Copilot attack path in which a single malicious link could pass instructions through a URL parameter, bypass safeguards, and attempt to pull personal data from a user’s Copilot session. Microsoft also reported Storm-2949 activity in May 2026, where social engineering led to Microsoft Entra ID credential compromise, followed by data exfiltration from Microsoft 365 applications. Taken together, the pattern is clear: attackers look for trusted access points such as email, identity credentials, links, connected apps, and enterprise data stores, then turn those access points into data movement paths.
Copilot Health appears designed with those risks in mind. Microsoft says the product will run in a dedicated health space, keep health conversations separate from the rest of Copilot, encrypt data at rest and in transit, avoid using health conversations to train AI, and let users manage, delete, or disconnect health data sources.
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
FAQs
Is there one federal AI law for healthcare in the U.S.?
No. The U.S. does not have one single federal healthcare AI law. Instead, healthcare AI sits under several existing legal frameworks.
Does HIPAA regulate AI accuracy or medical safety?
No. HIPAA mainly regulates privacy, security, breach notification, and patient rights.
What is ONC’s role in healthcare AI?
ONC regulates certified health IT, including transparency requirements for predictive decision support interventions in certified health IT systems.