Is Microsoft Teams HIPAA compliant? Yes, but only on eligible paid Microsoft 365 plans with proper configuration. The free version of Teams does not qualify. Microsoft includes HIPAA coverage automatically in its Data Protection Addendum for commercial plans - there is no separate BAA signing step.
Teams is the default communication platform for many healthcare offices. Staff use it for internal messaging, video calls, file sharing, and scheduling. If your practice runs on Microsoft 365, you are likely already using Teams. The question is whether your setup meets HIPAA requirements.
Which Microsoft 365 Plans Support HIPAA Compliance?
Microsoft includes HIPAA compliance coverage in its Data Protection Addendum (DPA) for the following plans:
- Microsoft 365 Business Basic, Standard, and Premium
- Office 365 E1, E3, and E5
- Microsoft 365 E3, E5, F3, and F5
- Microsoft Cloud for Healthcare (most comprehensive)
The DPA functions as Microsoft's BAA. Unlike most vendors, there is no separate form to sign or request. When you subscribe to an eligible plan, the HIPAA terms are automatically part of your agreement.
The free version of Teams does not qualify. Microsoft does not extend HIPAA coverage to free-tier or personal Microsoft accounts. If your practice uses Teams Free or personal Outlook accounts for anything involving patient information, that is an active compliance gap.
What the Microsoft BAA Covers
Microsoft's HIPAA coverage extends across its cloud services, not just Teams. Covered services include:
- Microsoft Teams (chat, calls, video meetings, file sharing)
- Exchange Online / Outlook (email)
- SharePoint Online and OneDrive (file storage)
- Azure (cloud infrastructure)
- Microsoft 365 Apps (Word, Excel, PowerPoint)
This means your practice can use the full Microsoft 365 suite for PHI-related work under a single Business Associate Agreement - email, file storage, video calls, and internal messaging all covered.
Required Configuration for HIPAA Compliance
Having the right plan does not automatically make your Teams environment compliant. Your Microsoft 365 admin must configure:
- Multi-factor authentication (MFA) for all accounts - required under HIPAA's access control provisions
- Data Loss Prevention (DLP) policies to detect and block PHI from being shared in unauthorized channels
- Retention policies for Teams messages and files to meet HIPAA documentation requirements
- Guest access restrictions to prevent external users from accessing PHI
- Conditional access policies to control which devices can access your Teams environment
- Audit logging enabled in the Microsoft 365 compliance center
These settings map to the technical safeguards required under 45 CFR §164.312, including access controls (§164.312(a)), audit controls (§164.312(b)), and transmission security (§164.312(e)).
Common Mistakes with Teams and HIPAA
Using Teams Free or personal accounts. The biggest mistake. No BAA coverage means every chat or call involving PHI is a potential violation.
Allowing unmanaged guest access. Teams makes it easy to invite external users to channels. If a guest can see messages or files containing PHI without proper authorization, that is an unauthorized disclosure.
No message retention policy. Teams chat messages can be deleted by users by default. HIPAA requires that records be retained per your organization's policies. Set retention rules in the compliance center.
Skipping MFA. Without multi-factor authentication, a compromised password gives an attacker full access to chat history, shared files, and meeting recordings - all of which may contain PHI.
Not including Teams in the risk assessment. If Teams is part of your clinical or administrative workflow, it must be documented in your HIPAA risk assessment as a system that handles ePHI.
Teams vs. Zoom for Healthcare
Both platforms can be HIPAA compliant with the right plan and configuration. The main difference: Microsoft includes its BAA automatically in the DPA, while Zoom requires you to request a BAA separately. If your practice already uses Microsoft 365, Teams is the simpler path because the BAA is already in place.
For practices evaluating telehealth platforms, see our full guide on HIPAA and telehealth compliance.
Does Microsoft Teams encrypt messages and calls?
Yes. Teams uses TLS encryption for data in transit and BitLocker or service-level encryption for data at rest. End-to-end encryption is available for one-on-one calls. This meets the HIPAA encryption requirements under §164.312(a)(2)(iv) and §164.312(e)(2)(ii).
Can I use Teams for telehealth patient visits?
Yes, if your organization has an eligible Microsoft 365 plan with the DPA in effect. Configure waiting rooms, meeting passwords, and lobby controls to prevent unauthorized attendees. Microsoft Cloud for Healthcare offers additional clinical workflow integrations built specifically for patient-facing use.
Is Teams chat safe for discussing patient information?
Teams chat is covered under the Microsoft BAA for eligible plans, so staff can discuss patient information internally. However, you must restrict external and guest access, enable message retention policies, and train staff not to share PHI in channels that include unauthorized users. Keep PHI out of channel names and meeting titles.
Do I need a separate BAA for Microsoft Teams?
No. Microsoft's HIPAA BAA is included in the Data Protection Addendum that comes with every eligible commercial Microsoft 365 plan. There is no separate document to sign. Verify your plan is eligible and confirm the DPA is active in your Microsoft 365 Admin center.