Microsoft Copilot HIPAA Business Associate Agreement: What Is Covered

Healthcare organizations using Microsoft Copilot must ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). A Business Associate Agreement (BAA) is a required contract between a covered entity and a vendor that handles protected health information (PHI). Without a signed BAA, using Copilot with patient data violates HIPAA rules. This article explains what the Microsoft Copilot HIPAA BAA covers, which services it applies to, and how to verify that your organization is compliant.

Key Takeaways: Microsoft Copilot HIPAA BAA Coverage

  • Microsoft 365 admin center > Billing > Purchase services: Verify your tenant has an Enterprise Agreement or subscription that supports BAA signing.
  • Microsoft 365 admin center > Settings > Org settings > Services > Microsoft Copilot: Confirm Copilot data processing is set to your tenant boundary, not shared with Microsoft for model training.
  • Microsoft 365 compliance center > Data Lifecycle Management > Data retention labels: Ensure PHI is labeled correctly so Copilot applies appropriate data governance policies.


What the Microsoft Copilot HIPAA BAA Covers

A Business Associate Agreement with Microsoft defines the responsibilities of both parties when Copilot processes PHI. The BAA covers Copilot services that are part of Microsoft 365 or Azure when you have an eligible subscription. The agreement specifies that Microsoft will:

  • Use PHI only for purposes permitted by the BAA and HIPAA
  • Report any security incident or breach involving PHI to your organization
  • Return or destroy PHI when the agreement ends
  • Ensure subcontractors who process PHI also comply with HIPAA
  • Allow your organization to audit Microsoft’s compliance through third-party reports such as SOC 2 Type II

The BAA does not cover Copilot features that are not part of a HIPAA-eligible service. For example, Copilot in consumer products or Copilot for GitHub are excluded. Only Copilot integrated into Microsoft 365 E3, E5, F5, or Azure services that have signed BAAs are covered.

Which Copilot Services Are Included in the BAA

Microsoft includes Copilot for Microsoft 365 in its HIPAA BAA when your tenant has an eligible license. The following services are covered:

  • Copilot in Word, Excel, PowerPoint, Outlook, and Teams
  • Copilot in Microsoft 365 apps accessed through the Microsoft 365 web and desktop clients
  • Copilot in Azure OpenAI Service when deployed within an Azure HIPAA-eligible environment
  • Copilot in Dynamics 365 for healthcare scenarios

Copilot in Bing, Windows Copilot, and Copilot for mobile apps are not covered by the HIPAA BAA. These services do not have a signed BAA available for healthcare customers.

What the BAA Does Not Cover

The BAA does not cover data that Copilot stores outside your tenant boundary. Microsoft stores Copilot prompts and responses within your Microsoft 365 tenant if you configure data residency correctly. If data leaves the tenant boundary through a third-party plugin or an unapproved connector, the BAA protections no longer apply. The BAA also does not cover personal use of Copilot on non-work accounts or devices.

Steps to Sign and Verify the Microsoft Copilot HIPAA BAA

Your organization must have an Enterprise Agreement or a Microsoft Customer Agreement that includes HIPAA-eligible services. Follow these steps to sign the BAA and verify Copilot compliance.

  1. Check your subscription eligibility
    Go to the Microsoft 365 admin center at admin.microsoft.com. Select Billing then Purchase services. Look for subscriptions labeled E3, E5, F5, or Azure for healthcare. Only these subscriptions support a HIPAA BAA.
  2. Sign the HIPAA BAA through the Microsoft 365 admin center
    In the admin center, go to Settings then Org settings. Select Services and find Microsoft Copilot. Click the HIPAA BAA link to review and accept the agreement. You must have the Global Admin or Billing Admin role to complete this step.
  3. Configure the data processing boundary
    On the same Copilot settings page, set the data processing option to Your organization only. This prevents Microsoft from using your data to train its AI models. This setting is required for HIPAA compliance.
  4. Apply data retention labels to PHI
    Go to the Microsoft 365 compliance center at compliance.microsoft.com. Select Data Lifecycle Management then Data retention labels. Create labels for PHI and publish them to SharePoint, OneDrive, and Exchange. Copilot respects these labels when processing content.
  5. Test Copilot with sample PHI in a sandbox tenant
    Create a test tenant with a sample patient record. Run Copilot prompts that reference the PHI. Verify that Copilot returns results and that no data leaves the tenant boundary. Use Microsoft Purview audit logs to confirm no external data transfers occurred.
  6. Review Microsoft’s SOC 2 Type II report
    Access the Service Trust Portal at servicetrust.microsoft.com. Search for Copilot and download the SOC 2 Type II report. This report confirms Microsoft’s controls for HIPAA compliance are operating effectively.


Common Compliance Mistakes and How to Avoid Them

Copilot Processes PHI Without a Signed BAA

If your organization uses Copilot without a signed BAA and Copilot processes PHI, you violate HIPAA. The cause is often that the BAA was not signed during initial Microsoft 365 setup. To fix this, sign the BAA immediately through the admin center. Then run a compliance audit to identify any PHI that Copilot may have processed before the BAA was active. Use Microsoft Purview to scan for PHI in SharePoint and OneDrive.

Data Leaves the Tenant Boundary Through Third-Party Plugins

Copilot plugins from third-party vendors can send data outside your tenant. If a plugin sends PHI to an external server, the BAA does not cover that data. To prevent this, disable all third-party plugins in the Copilot settings. Only use Microsoft-approved connectors that have their own HIPAA BAA. Review the list of approved connectors in the Microsoft 365 admin center under Copilot then Plugins.

Employees Use Copilot on Personal Accounts

When employees sign into Copilot with a personal Microsoft account, the BAA does not apply. Personal accounts do not have a HIPAA BAA with Microsoft. To avoid this, enforce Azure AD Conditional Access policies that block personal account sign-ins. Configure the policy to require work accounts only for all Copilot apps.

Microsoft Copilot HIPAA BAA vs Standard Microsoft 365 BAA: Key Differences

| Item | Microsoft Copilot HIPAA BAA | Standard Microsoft 365 BAA |
|---|---|---|
| Scope of services | Covers Copilot in Microsoft 365 and Azure for healthcare | Covers core Microsoft 365 apps like Exchange, SharePoint, Teams |
| Data processing boundary | Requires tenant-only processing for PHI | Allows Microsoft to process data for service improvement unless opted out |
| Subcontractor compliance | Requires all AI model subcontractors to have BAAs | Covers traditional cloud subcontractors like Azure infrastructure |
| Audit rights | Includes AI-specific controls in SOC 2 Type II reports | Includes general SOC 2 Type II reports for cloud services |
| Data retention for AI prompts | Prompts and responses retained per tenant policy, not used for training | Standard data retention policies for email and documents |

The Copilot BAA adds specific protections for AI-generated content that the standard BAA does not cover. The standard BAA does not address how AI models process PHI or how prompts are stored. Healthcare organizations must sign the Copilot-specific BAA in addition to the standard Microsoft 365 BAA.

You can now sign the Microsoft Copilot HIPAA BAA through the admin center and configure tenant boundary processing for PHI. Next, apply data retention labels to all patient records and disable third-party plugins in Copilot settings. For advanced compliance, set up Microsoft Purview alerts that trigger when Copilot accesses PHI outside approved locations.
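The sandbox check in step 5 (confirming from Purview audit logs that no data left the tenant boundary) and the alerting idea above (flagging Copilot access to PHI outside approved locations) both come down to the same review of exported audit records. The script below is an added example written for this article; it is not Microsoft's code and does not use Microsoft's exact audit schema. It assumes a simplified, constructed record shape (an Operation field, a UserId, and an AccessedResources list whose entries carry a Url and a retention/sensitivity Label), placeholder "contoso" tenant hostnames, an approved work-account domain, and a label named PHI. Adjust those assumptions to match the fields and label names in your own Purview export.

```python
"""Review exported Copilot audit records for PHI access outside approved locations.

Added example for this article. The record layout, hostnames, domain and label
name below are constructed placeholders, not Microsoft's real audit schema.
"""
import json
from collections import Counter
from urllib.parse import urlparse

# Hosts inside the tenant boundary (placeholder tenant name "contoso").
APPROVED_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
# Domains that belong to work accounts covered by the BAA (assumption).
WORK_DOMAINS = {"contoso.com"}
# Name of the retention/sensitivity label applied to patient data (assumption).
PHI_LABEL = "PHI"

# Constructed audit export in JSON Lines form; every line is a made-up record.
SAMPLE_AUDIT_JSONL = """\
{"Operation": "CopilotInteraction", "UserId": "alice@contoso.com", "AccessedResources": [{"Url": "https://contoso.sharepoint.com/sites/Clinic/patient-123.docx", "Label": "PHI"}]}
{"Operation": "CopilotInteraction", "UserId": "bob@contoso.com", "AccessedResources": [{"Url": "https://contoso.sharepoint.com/sites/HR/policy.docx", "Label": "General"}]}
{"Operation": "CopilotInteraction", "UserId": "carol@contoso.com", "AccessedResources": [{"Url": "https://example-plugin.net/api/export", "Label": "PHI"}]}
{"Operation": "CopilotInteraction", "UserId": "dave@outlook.com", "AccessedResources": [{"Url": "https://contoso-my.sharepoint.com/personal/dave/notes.docx", "Label": "PHI"}]}
{"Operation": "CopilotInteraction", "UserId": "erin@contoso.com", "AccessedResources": [{"Url": "https://files.example.org/shared/report.pdf", "Label": "General"}]}
{"Operation": "FileAccessed", "UserId": "frank@contoso.com", "AccessedResources": [{"Url": "https://files.example.org/other.pdf", "Label": "PHI"}]}
"""


def parse_records(text):
    """Parse a JSON Lines export into a list of dict records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_approved_location(url):
    """True when the resource host is one of the tenant's approved hosts."""
    host = (urlparse(url).hostname or "").lower()
    return host in APPROVED_HOSTS


def is_work_account(user_id):
    """True when the sign-in identity belongs to an approved work domain."""
    domain = user_id.rsplit("@", 1)[-1].lower()
    return domain in WORK_DOMAINS


def find_violations(records):
    """Return one finding per accessed resource that breaks a boundary rule.

    Two rules, checked independently:
      - external_location: Copilot touched a resource outside approved hosts
        (any label, because any external transfer falls outside the BAA);
      - personal_account: a non-work account reached a PHI-labeled resource.
    Only Copilot interaction records are considered.
    """
    violations = []
    for rec in records:
        if rec.get("Operation") != "CopilotInteraction":
            continue
        user = rec.get("UserId", "")
        for res in rec.get("AccessedResources", []):
            url = res.get("Url", "")
            label = res.get("Label", "")
            if not is_approved_location(url):
                violations.append({"user": user, "url": url, "label": label,
                                   "reason": "external_location"})
            if label == PHI_LABEL and not is_work_account(user):
                violations.append({"user": user, "url": url, "label": label,
                                   "reason": "personal_account"})
    return violations


def summarize(violations):
    """Count findings by reason, which is what an alert threshold would key on."""
    return dict(Counter(v["reason"] for v in violations))


if __name__ == "__main__":
    found = find_violations(parse_records(SAMPLE_AUDIT_JSONL))
    for v in found:
        print(f"{v['reason']:18} {v['user']:22} {v['label']:8} {v['url']}")
    print("summary:", summarize(found))
```

Run against a real export, an empty result for the sandbox tenant is the evidence step 5 asks for; a non-empty result is the condition on which a Purview alert would be raised. Keep the allowlist of hosts in step with the connectors you have actually approved, otherwise an approved connector's own host will show up as an external_location finding.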
