HIPAA Compliance | Updated January 2025

Is Microsoft Teams HIPAA Compliant?

Yes, but not by default. Microsoft Teams can be HIPAA compliant when properly configured with the right plan, BAA, and security settings. Here's everything you need to know.

Microsoft Teams HIPAA Compliance Guide

Quick Answer

Microsoft Teams CAN be HIPAA compliant when you: (1) Subscribe to an eligible plan (Business Premium, E3, or E5), (2) Accept Microsoft's BAA, (3) Enable MFA, and (4) Configure proper security settings. The free version is NOT compliant.

Is Microsoft Teams HIPAA Compliant by Default?

No, Teams is NOT HIPAA Compliant by Default

No software is automatically HIPAA compliant. How you configure and use Microsoft Teams determines compliance. Using Teams without proper setup can result in HIPAA violations with fines up to $2 million per violation.

Microsoft Teams is classified as Tier D-compliant, meaning it supports:

  • HIPAA (Health Insurance Portability and Accountability Act)
  • HITECH (Health Information Technology for Economic and Clinical Health Act)
  • ISO 27001 and ISO 27018 certifications
  • SOC 1 and SOC 2 compliance
  • EU Model Clauses (EUMC)

However, compliance only matters if you're processing electronic protected health information (ePHI). If your organization uses Teams only for internal training or scheduling without sharing patient data, HIPAA compliance isn't required for those activities.

Microsoft 365 Plans That Support HIPAA Compliance

Only certain Microsoft 365 plans include the security features and Business Associate Agreement (BAA) coverage required for HIPAA compliance. Here are your options:

Plan | Price | HIPAA Features | Recommended
Microsoft 365 Business Basic | $6/user/mo | BAA included, but lacks DLP, sensitivity labels, extended audit logs | Limited
Microsoft 365 Business Premium | $22/user/mo | BAA, DLP, sensitivity labels, advanced threat protection, Intune | Best Value
Microsoft 365 E3 | $36/user/mo | All compliance features, eDiscovery, advanced audit, unlimited archive | Enterprise
Microsoft 365 E5 | $57/user/mo | All E3 features + advanced compliance, insider risk management | Large Orgs
Microsoft Cloud for Healthcare | Custom pricing | Full healthcare suite with EHR integration, virtual health templates | Healthcare-Specific

Plans That Are NOT HIPAA Compliant

  • Microsoft Teams Free - No BAA, no security features
  • Personal/Family Microsoft 365 - Consumer plans without BAA
  • Microsoft 365 Apps for Business - Office apps only, no Teams compliance

Business Associate Agreement (BAA) Requirements

Under HIPAA, a Business Associate Agreement (BAA) is a legal contract between a covered entity (your healthcare organization) and a vendor (Microsoft) that ensures PHI is properly protected.

How Microsoft's BAA Works

  • BAA is automatically included in the Online Services Data Protection Addendum
  • You accept the BAA when subscribing to a qualifying Microsoft 365 plan
  • Microsoft does NOT negotiate individual or custom BAAs
  • The BAA covers all HIPAA-eligible Microsoft 365 services, including Teams

Important BAA Requirement

Multi-Factor Authentication (MFA) must be enabled for all users accessing PHI. Without MFA enabled, you are NOT covered by Microsoft's BAA, even if you have a qualifying plan.

HIPAA Security Configuration Checklist

Having the right plan isn't enough. You must configure Teams properly to achieve HIPAA compliance:

1. Enable Multi-Factor Authentication (MFA) [Critical]
   Required for BAA coverage. Use Microsoft Authenticator or hardware tokens.

2. Configure Data Loss Prevention (DLP) Policies [Critical]
   Create policies to detect and prevent unauthorized sharing of PHI, SSNs, and medical record numbers.

3. Enable Sensitivity Labels [High]
   Label documents and messages containing PHI to enforce protection policies automatically.

4. Configure Retention Policies [Critical]
   Set up retention for at least 6 years (HIPAA requirement) for all Teams messages and files.

5. Disable Recording or Secure Recording Storage [High]
   Either disable meeting recording or ensure recordings are stored securely with access controls.

6. Enable Audit Logging [Critical]
   Turn on unified audit logs to track access to PHI and detect potential breaches.

7. Configure External Access [High]
   Limit or disable external sharing and guest access for channels containing PHI.

8. Implement Device Management (Intune) [Medium]
   Use Intune to manage devices accessing Teams, enforcing remote wipe and encryption requirements.

9. Set Up Conditional Access Policies [Medium]
   Require compliant devices, specific locations, or additional verification for accessing PHI.

10. Train All Staff [Critical]
   Document HIPAA policies and train all users on proper Teams usage for PHI.
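The following PowerShell script is an added example, not part of this article or of any Microsoft documentation. It audits the tenant-level settings behind checklist items 2, 4, 5, 6 and 7 and creates the 6-year Teams retention policy if none exists; it assumes the ExchangeOnlineManagement and MicrosoftTeams modules are installed, that the signed-in account holds the Compliance Administrator and Teams Administrator roles, and the policy name is a placeholder. MFA, Conditional Access and Intune (items 1, 8, 9) are configured in Entra ID and Intune and are not covered here.

```powershell
# Added example: audit Teams HIPAA checklist settings and remediate retention.
# Assumptions: ExchangeOnlineManagement + MicrosoftTeams modules; admin roles as noted above.
Connect-ExchangeOnline      # Exchange Online: unified audit log configuration
Connect-IPPSSession         # Security & Compliance: retention and DLP policies
Connect-MicrosoftTeams      # Teams: meeting and external access settings

$findings = @()

# Item 6: unified audit logging must be on before PHI access can be investigated.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    $findings += "Unified audit log ingestion was disabled; enabling it"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Item 5: flag cloud recording if the global meeting policy still allows it.
$meeting = Get-CsTeamsMeetingPolicy -Identity Global
if ($meeting.AllowCloudRecording) {
    $findings += "Global meeting policy allows cloud recording; disable it or restrict it to a controlled group"
}

# Item 7: external access to other tenants and to consumer Skype/Teams accounts.
$fed = Get-CsTenantFederationConfiguration
if ($fed.AllowFederatedUsers -or $fed.AllowPublicUsers -or $fed.AllowTeamsConsumer) {
    $findings += "External access is enabled (federated, public or consumer users)"
}

# Item 2: at least one enabled DLP policy should exist to catch PHI in chats and files.
$dlp = Get-DlpCompliancePolicy | Where-Object { $_.Enabled }
if (-not $dlp) { $findings += "No enabled DLP policy found" }

# Item 4: keep Teams chats and channel messages for 6 years (2190 days).
$policyName = "Teams PHI Retention 6y"   # placeholder name for this example
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName -TeamsChatLocation All `
        -TeamsChannelLocation All -Enabled $true
    New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
        -RetentionDuration 2190 -RetentionComplianceAction Keep
    $findings += "Created Teams retention policy '$policyName' (keep for 2190 days)"
}

if ($findings.Count -eq 0) { "No gaps found in the checked settings" } else { $findings }
```

Teams retention policies cannot share a policy object with Exchange or SharePoint locations, so files in SharePoint/OneDrive need a separate retention policy of their own.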

Using Teams for Telehealth & Virtual Visits

Microsoft Teams can be used for HIPAA-compliant telehealth appointments, including mental health sessions, when properly configured. However, there are some important considerations:

What Teams Does Well

  • Video calls with end-to-end encryption
  • Screen sharing for reviewing documents
  • Calendar integration for scheduling
  • Chat/messaging for follow-ups
  • Integration with some EHR systems
  • Virtual waiting room features

Telehealth Limitations

  • Not purpose-built for telehealth
  • Physicians can't share files with guest users
  • No built-in patient intake forms
  • No integrated payment processing
  • Limited waiting room customization
  • Requires patient to have Microsoft account or app

Microsoft Cloud for Healthcare

For healthcare-specific needs, consider Microsoft Cloud for Healthcare. It includes virtual health templates, EHR integration (Epic, Cerner), patient engagement tools, and care coordination features built on top of Teams.

Limitations & Compliance Gaps

While Teams can achieve HIPAA compliance, there are limitations to be aware of:

Your Responsibility, Not Microsoft's

"It is the customer's responsibility to use Teams in a manner that complies with HIPAA regulations." Microsoft provides the tools, but you must configure and use them correctly.

Physical Security Not Included

HIPAA requires physical safeguards for devices storing ePHI. This includes locked offices, screen privacy filters, and secure disposal of devices - none of which Teams provides.

Business Basic Plan Gaps

While covered by the BAA, Business Basic lacks Data Loss Prevention (DLP), sensitivity labels, and extended audit log retention. You may need third-party tools or an upgrade.

Guest User Limitations

Sharing files directly with patients (guest users) from physician accounts is restricted, making it difficult to share test results or imaging during telehealth visits.

HIPAA-Compliant Alternatives to Teams

If Microsoft Teams doesn't meet your needs, here are other HIPAA-compliant options:

Platform | Best For | Pricing
Zoom for Healthcare | Telehealth-focused video visits | From $200/mo
Doxy.me | Simple telehealth, free tier available | Free - $35/mo
Google Workspace (Healthcare) | Organizations preferring Google ecosystem | From $12/user/mo
SimplePractice | Mental health practices with scheduling | $29-$99/mo
Spruce Health | Secure messaging and calls | From $24/mo

Frequently Asked Questions

Is Microsoft Teams HIPAA compliant by default?

No, Microsoft Teams is not HIPAA compliant by default. Organizations must sign a Business Associate Agreement (BAA) with Microsoft, subscribe to an eligible plan (M365 Business Premium, E3, or E5), enable multi-factor authentication, and configure proper security settings to achieve HIPAA compliance.

Which Microsoft 365 plans are HIPAA compliant?

Microsoft 365 plans that support HIPAA compliance include: Microsoft 365 Business Premium ($22/user/month), Microsoft 365 E3 ($36/user/month), Microsoft 365 E5 ($57/user/month), Office 365 E3 and E5, Microsoft 365 F3 and F5, and Microsoft Cloud for Healthcare.

How do I get a HIPAA BAA from Microsoft?

Microsoft automatically includes the HIPAA Business Associate Agreement (BAA) in the Online Services Data Protection Addendum for all qualifying business plans. You accept the BAA when subscribing to an eligible Microsoft 365 plan. Microsoft does not offer customized BAAs.

Can I use Teams for telehealth appointments?

Yes, Microsoft Teams can be used for HIPAA-compliant telehealth appointments when properly configured. However, Teams is not specifically designed for telehealth and has limitations like the inability for physician accounts to share files with guest users, which can complicate sharing test results with patients.

Is the free version of Teams HIPAA compliant?

No, the free version of Microsoft Teams is NOT HIPAA compliant and should never be used for handling protected health information (PHI). Only paid Microsoft 365 business and enterprise plans include the security features and BAA coverage required for HIPAA compliance.

What happens if I use Teams without HIPAA compliance?

Using Teams to handle PHI without proper HIPAA compliance can result in significant penalties. HIPAA fines range from $100 to $50,000 per violation, with annual maximums up to $2 million. Willful neglect can result in criminal penalties.

Do I need MFA enabled for HIPAA compliance?

Yes, Multi-Factor Authentication (MFA) is required for HIPAA compliance with Microsoft Teams. Without MFA enabled, you are not covered by Microsoft's Business Associate Agreement, even with a qualifying plan.

Summary: Making Teams HIPAA Compliant

Required Steps:

  1. Subscribe to Business Premium, E3, or E5
  2. Accept Microsoft's BAA (automatic)
  3. Enable MFA for all users
  4. Configure DLP policies
  5. Set up retention policies

Best Practice:

For most healthcare organizations, Microsoft 365 Business Premium at $22/user/month offers the best balance of features and cost. Larger organizations or those needing advanced compliance should consider E3 or E5.

Related Resources

Document Patient Encounters Automatically

PatientNotes AI generates HIPAA-compliant clinical notes from your conversations. Save hours on documentation while maintaining compliance.