Your Microsoft BAA Doesn't Make You HIPAA Compliant
Microsoft's Business Associate Agreement makes Microsoft 365 capable of HIPAA compliance — it does not make your organization compliant. The BAA covers Microsoft's obligations for their infrastructure; the Security Rule's technical safeguards (access controls, audit logging, encryption enforcement, transmission security) are configurations you must implement in your tenant. A default-configured Microsoft 365 tenant with a signed BAA fails a HIPAA audit on multiple controls.
- The BAA covers Microsoft's side; tenant configuration is entirely your responsibility
- Required and unconfigured by default: unified audit logging, DLP for PHI, retention policies, access reviews
- MFA and Conditional Access map directly to the access control safeguard — enforce, don't just enable
- Email PHI requires configured encryption (Purview Message Encryption), not assumed TLS
- Auditors ask for evidence: policies, logs, and reviews — screenshots of settings aren't a compliance program
The full article maps each Security Rule technical safeguard to its specific Microsoft 365 configuration, lists what OCR auditors and cyber insurers actually request, and covers the Business Premium features that satisfy most requirements without E5 spend.
Prefer answers about your environment specifically?
Reading is good. A 30-minute session with an engineer who can see your actual tenant is better.
Schedule a Microsoft 365 Strategy Session