Patient Protect


Is Microsoft Teams HIPAA Compliant? What to Configure (2026)

Microsoft Teams supports HIPAA compliance with a signed BAA and proper Microsoft 365 admin settings. Here is what independent practices need to set up.

Patient Protect Editorial Team·April 15, 2026·8 min read

Microsoft Teams can be HIPAA compliant — but it is not compliant by default. The difference between a covered deployment and a violation comes down to your Microsoft 365 plan, a signed Business Associate Agreement, and a series of admin configurations that most independent practices never complete.

The free version of Teams does not qualify. Microsoft does not offer a BAA for Teams Free or for personal Microsoft accounts. If your practice uses either one for any communication involving patient information, that is an active HIPAA violation, however routine the exchange.

Here is exactly what Microsoft provides, what you need to configure, and where Teams fits — and does not fit — in your compliance program.

What Microsoft Provides for HIPAA Compliance

Microsoft offers a HIPAA BAA as part of qualifying Microsoft 365 subscriptions. It is incorporated into the Microsoft Product Terms and the Data Protection Addendum (DPA) that govern those subscriptions rather than negotiated separately, and it is not specific to Teams: it covers the full set of eligible Microsoft 365 services, including Outlook, SharePoint, OneDrive, Exchange Online, and Microsoft Purview.

Qualifying plans

  • Microsoft 365 Business Basic, Standard, and Premium: BAA available. Only Business Premium includes Microsoft Entra ID P1 (Conditional Access) and Intune, which steps 2 and 9 below depend on
  • Microsoft 365 Enterprise E3 and E5: BAA available, with expanded compliance tooling at E5 (Audit Premium retention, DLP for Teams, Entra ID P2 risk-based policies)
  • Microsoft 365 GCC and GCC High: also covered, but these are U.S. government community clouds for public-sector customers, not a healthcare edition, and not the right fit for a private practice
  • Microsoft Teams Free, personal Microsoft accounts: no BAA available, not HIPAA eligible

Built-in security and compliance features

Microsoft 365 includes several features relevant to HIPAA's Security Rule requirements:

  • Encryption: data at rest is encrypted with AES-256; chat, signaling, and file transfers use TLS 1.2 or later in transit, and call and meeting media are protected with SRTP rather than TLS
  • Compliance Manager: Includes HIPAA assessment templates that map Microsoft 365 controls to specific HIPAA requirements
  • Data Loss Prevention (DLP): policy engine that can detect and block PHI patterns in Teams chats, channels, and shared files. Built-in sensitive information types cover U.S. Social Security numbers, DEA numbers, and ICD codes; a medical record number has no standard format, so detecting yours requires a custom sensitive information type (a regex or keyword dictionary you define)
  • Audit logging and eDiscovery: Unified audit log captures Teams activity including message edits, deletions, file access, and guest interactions
  • Sensitivity labels: Classify and protect documents and messages containing PHI with automatic or manual labeling
  • Information barriers: Prevent specific groups from communicating within Teams when required by compliance policy
  • Microsoft Purview: Centralized compliance management portal for retention, DLP, audit, and information governance
  • Conditional access: enforce device compliance, location restrictions, and sign-in risk policies before granting access. Requires Microsoft Entra ID P1 (Business Premium, E3, E5); risk-based policies additionally need Entra ID P2 (E5)

The feature set is substantial. The problem is that almost none of it is active by default.

Settings You Must Configure

Confirming the BAA is step one of nine. These configurations are required to satisfy HIPAA's administrative, technical, and physical safeguard requirements when using Teams.

1. Sign the BAA

Microsoft's HIPAA BAA is incorporated into the Microsoft Product Terms and Data Protection Addendum that apply to eligible paid subscriptions; there is no separate document to countersign and no admin-center toggle. Your job is to confirm that every tenant and subscription handling PHI is an eligible paid one, and to download and file the DPA and Product Terms in force at the time, because an auditor will ask for evidence that the BAA applies to you. Without an eligible subscription, nothing else matters.

2. Enable multi-factor authentication

MFA is required for every user account. Enforce it with a Conditional Access policy in the Microsoft Entra admin center (Protection > Conditional Access); on plans without Entra ID P1, turn on security defaults instead. Per-user MFA is the legacy method and is harder to audit. SMS-based MFA is not prohibited under HIPAA, but an authenticator app with number matching or a FIDO2 key is significantly stronger and resists phishing.

3. Configure Data Loss Prevention policies

In Microsoft Purview > Data Loss Prevention > Policies, create policies targeting Teams chat messages, channel messages, and shared files. Use the built-in sensitive information types for U.S. Social Security numbers, DEA numbers, and ICD codes, plus a custom type for your own medical record number format. Set actions to block or notify when PHI patterns are detected. Start the policy in test mode with notifications, review the matches for a few weeks, then switch to enforce; a policy that blocks a nurse's legitimate message on day one gets turned off. Confirm that your plan licenses DLP for Teams before relying on it.

4. Set up sensitivity labels

In Microsoft Purview > Information Protection, create sensitivity labels for PHI classification. Apply labels to Teams channels, SharePoint sites, and individual documents. Configure encryption and access restrictions for labeled content.

5. Restrict guest access

In Teams Admin Center > Users > Guest access, limit what external guests can do. Disable guest access entirely if your practice has no clinical need for external collaboration. If guest access is required, restrict it to specific teams and disable file sharing for guest accounts. Separately, under Meetings > Meeting policies, decide whether anonymous users may join meetings; the default allows it.

6. Disable unvetted third-party apps

In Teams Admin Center > Teams apps > Permission policies, block all third-party apps by default. Only allow apps from vendors who have signed a BAA with your practice. Every Teams integration that can access chat content, files, or user data is a potential business associate.

7. Configure retention policies

In Microsoft Purview > Data lifecycle management > Retention policies, set retention and deletion schedules for Teams chat messages, channel messages, and files. Teams chat and channel messages need a Teams-only retention policy; they cannot share a policy with Exchange or SharePoint locations. Be precise about which rule you are satisfying: HIPAA's six-year requirement (§164.316(b)(2)) applies to required documentation such as policies, risk analyses, and access records, counted from creation or from when the document was last in effect, whichever is later. Retention of the medical record itself is set by state law and your own record-retention schedule, and a Teams conversation that contains clinical decisions may belong to the designated record set. Decide that classification first, then set the schedule.

8. Enable audit logging

In Microsoft Purview > Audit, verify that unified audit logging is active. It is on by default for new tenants across plans, but confirm it and confirm nobody has turned it off. Then look at retention: Audit (Standard) keeps records for 180 days, Audit (Premium) in E5 keeps them for one year, and a paid add-on extends that to ten years. HIPAA does not name a number of days, but 180 days is too short for most incident investigations and for the six-year documentation window, so configure the longest retention your plan allows and export logs on a schedule if that is still too short.

9. Set conditional access policies

In the Microsoft Entra admin center > Protection > Conditional Access, create policies that require MFA, require a compliant (Intune-managed) device, block access from untrusted locations, and enforce session controls. This keeps staff from opening Teams PHI on personal, unmanaged devices. Two caveats: create each policy in report-only mode first and read the sign-in log before enforcing, and exclude a break-glass admin account so a misconfigured policy cannot lock you out of your own tenant.
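Steps 2 through 9 can be applied as a script rather than by clicking, which makes the configuration reviewable and repeatable. The following PowerShell is an added example written for this article, not a Microsoft-supplied script. It assumes an admin with the MicrosoftTeams, ExchangeOnlineManagement and Microsoft Graph PowerShell modules installed, a plan that licenses Conditional Access, Intune and DLP for Teams, and a Teams-only retention policy; the policy names, the 2190-day retention figure and the break-glass account are placeholders. Step 4 (sensitivity labels) and step 6 (app permissions) are left to the Purview and Teams admin centers, and every policy is created in test or report-only mode so you can review matches before enforcing.

```powershell
# Added example for this article (not a Microsoft script). Applies steps 2, 3, 5, 7, 8
# and 9 from the text. Policy names and the break-glass UPN are placeholders.
#Requires -Modules MicrosoftTeams, ExchangeOnlineManagement, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

$BreakGlassUpn = "breakglass@example.com"   # assumption: your emergency-access admin account

Connect-MicrosoftTeams
Connect-ExchangeOnline                      # Exchange Online cmdlets (unified audit log)
Connect-IPPSSession                         # Security & Compliance cmdlets (DLP, retention)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Step 5: disable guest access and anonymous meeting join tenant-wide.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false
Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false

# Step 3: DLP policy scoped to Teams chat and channel messages.
# Starts in test mode with user notifications; change -Mode to Enable after reviewing matches.
New-DlpCompliancePolicy -Name "PHI-Teams" -Comment "Detect PHI identifiers in Teams" `
    -TeamsLocation All -Mode TestWithNotifications
New-DlpComplianceRule -Policy "PHI-Teams" -Name "PHI-Teams-Block" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = "1" },
        @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1" }
    ) `
    -BlockAccess $true -NotifyUser LastModifier -GenerateIncidentReport SiteAdmin

# Step 7: Teams-only retention policy (Teams locations cannot share a policy with
# Exchange or SharePoint). 2190 days = 6 years; replace with your own retention schedule.
New-RetentionCompliancePolicy -Name "PHI-Teams-Retain" `
    -TeamsChatLocation All -TeamsChannelLocation All
New-RetentionComplianceRule -Policy "PHI-Teams-Retain" -Name "PHI-Teams-Retain-6y" `
    -RetentionDuration 2190 -RetentionComplianceAction Keep

# Step 8: make sure the unified audit log is ingesting; retention length is set in Purview.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Steps 2 and 9: one Conditional Access policy requiring MFA AND an Intune-compliant
# device for all Office 365 workloads (the "Office365" tag covers Teams, Exchange,
# SharePoint and OneDrive). Created in report-only mode; set state to "enabled" after
# checking the sign-in log. The break-glass account is excluded by object id.
$breakGlassId = (Get-MgUser -UserId $BreakGlassUpn).Id
$caPolicy = @{
    displayName = "HIPAA - MFA and compliant device for Microsoft 365"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy | Select-Object DisplayName, State

Disconnect-MgGraph
Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MicrosoftTeams
```

Run it once from a workstation that is itself Intune-compliant, because the Conditional Access policy will apply to the admin who created it the moment it is switched from report-only to enabled. Keep the script and its output with your risk-analysis documentation; it is the evidence that the technical safeguards were actually applied, not just agreed to.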

What Teams Does Not Do

Microsoft Teams is a communication and collaboration tool. It is not a compliance program. Understanding the boundary matters because conflating the two is one of the most common mistakes independent practices make.

Teams does not:

  • Perform your risk assessment. HIPAA's Security Rule (§164.308(a)(1)) requires a documented, organization-wide risk analysis. Teams does not assess your practice's risks. It is one of many systems included in that assessment.
  • Train your workforce. HIPAA requires documented security awareness training for all workforce members (§164.308(a)(5)). Teams provides no training content and does not track completion.
  • Track BAAs for non-Microsoft vendors. Your EHR, billing platform, answering service, cloud backup, and every other vendor that handles PHI each require separate BAAs. Teams does not manage those relationships.
  • Monitor your overall compliance status. Compliance Manager maps Microsoft 365 controls to HIPAA requirements. It does not evaluate your practice-wide compliance posture, your physical safeguards, or your administrative policies outside of Microsoft's ecosystem.
  • Make free-tier accounts compliant. There is no configuration, policy, or workaround that makes Teams Free HIPAA eligible. The BAA is the threshold, and it is not available on free plans.

Common Mistakes Practices Make With Teams

These are the failures we see repeatedly in practices that believe they are covered because they use Microsoft 365.

Using free Teams or personal Microsoft accounts for practice communication. This is the most common and most consequential mistake. If any staff member discusses patient information on a non-BAA-covered account, the practice has an active violation — regardless of whether the paid subscription also exists.

Signing the BAA but skipping configuration. The BAA establishes Microsoft as your business associate. It does not configure your environment. Without DLP policies, retention schedules, audit logging, and access controls, the BAA is a legal agreement over an unsecured system.
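A practical way to catch that gap is a read-only check of the settings from the configuration section, run on a schedule. The script below is an added example for this article, not Microsoft's; it assumes an admin session already opened with the MicrosoftTeams, ExchangeOnlineManagement and Microsoft Graph modules (Policy.Read.All scope), the check names are ours, and nothing in it changes state. It writes a dated CSV you can file as evidence.

```powershell
# Added example for this article (not a Microsoft script): read-only check of the Teams,
# Purview and Entra settings from the configuration section. Assumes an existing session
# opened with Connect-MicrosoftTeams, Connect-ExchangeOnline, Connect-IPPSSession and
# Connect-MgGraph -Scopes Policy.Read.All. Check names are ours; nothing here changes state.
$checks = [ordered]@{
    "Guest access disabled" = {
        -not (Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser
    }
    "Anonymous meeting join disabled" = {
        -not (Get-CsTeamsMeetingPolicy -Identity Global).AllowAnonymousUsersToJoinMeeting
    }
    "Enforced DLP policy covers Teams" = {
        @(Get-DlpCompliancePolicy | Where-Object { $_.TeamsLocation -and $_.Mode -eq "Enable" }).Count -gt 0
    }
    "Retention policy covers Teams chat and channels" = {
        @(Get-RetentionCompliancePolicy | Where-Object { $_.TeamsChatLocation -and $_.TeamsChannelLocation }).Count -gt 0
    }
    "Unified audit log ingesting" = {
        [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    }
    "Enabled Conditional Access policy requires MFA" = {
        @(Get-MgIdentityConditionalAccessPolicy | Where-Object {
            $_.State -eq "enabled" -and $_.GrantControls.BuiltInControls -contains "mfa"
        }).Count -gt 0
    }
}

# Evaluate each check independently so one failing cmdlet does not hide the rest.
$results = foreach ($name in $checks.Keys) {
    $pass = $false
    try { $pass = [bool](& $checks[$name]) }
    catch { Write-Warning "$name could not be evaluated: $($_.Exception.Message)" }
    [pscustomobject]@{ Check = $name; Pass = $pass; CheckedAt = (Get-Date).ToString("o") }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path ".\teams-hipaa-checks-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
if ($results.Pass -contains $false) { Write-Warning "One or more checks failed; see the CSV." }
```

A DLP policy still in test mode or a Conditional Access policy still in report-only mode fails these checks on purpose: both are the common state of a deployment that was configured once and never enforced.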

Allowing unmanaged personal devices. Staff accessing Teams on personal phones or home computers without conditional access policies means PHI is stored on devices your practice does not control, cannot encrypt, and cannot remotely wipe.

Not restricting guest access or external sharing. Default Teams settings allow external users to join meetings, access shared files, and participate in channels. In a clinical context, this creates uncontrolled PHI exposure paths.

Using third-party Teams integrations without verifying HIPAA status. Every app installed in Teams that can access message content or files is a potential business associate. If that vendor has not signed a BAA with your practice, the integration is a compliance gap.

Staff sharing PHI in standard channels instead of private channels. Every standard channel, including General, is visible to every team member by default. PHI discussions should occur only in private channels with membership restricted to authorized personnel.

Where Teams Fits in Your Compliance Program

Microsoft Teams is your communication and collaboration layer. It handles chat, video calls, file sharing, and team coordination. With the right plan and configuration, it handles those functions in a HIPAA-compliant manner.

It is not your compliance program. A compliant Teams deployment still leaves you without:

  • A documented, current risk assessment
  • Written HIPAA policies and procedures
  • Workforce training with completion tracking
  • Vendor management and BAA tracking across all business associates
  • Incident response and breach notification procedures
  • Physical safeguard documentation
  • Ongoing compliance monitoring and evidence collection

These are separate obligations under the HIPAA Security, Privacy, and Breach Notification Rules. Teams satisfies none of them.

Patient Protect covers the full compliance surface — risk assessment, policy generation, workforce training, BAA management, breach intelligence monitoring, and ongoing compliance posture tracking — starting at $39/month. Your Microsoft 365 environment is one of the vendors we help you manage. It is not a replacement for the program itself.

Frequently Asked Questions

Is Microsoft Teams Free HIPAA compliant?

No. Microsoft does not offer a Business Associate Agreement for the free tier of Teams. Without a BAA, Teams Free cannot be used for any communication involving protected health information, regardless of what settings you configure.

Does Microsoft sign a BAA for Teams?

Yes. Microsoft's HIPAA BAA is part of the Product Terms and Data Protection Addendum for qualifying paid subscriptions: Business Basic and above, and Enterprise E3/E5. Nothing is countersigned; keep a copy of the terms in force as evidence that it applies to you. The BAA covers Teams along with other Microsoft 365 services including Outlook, SharePoint, and OneDrive.

Can I use Teams for telehealth appointments?

Yes, provided you have a qualifying Microsoft 365 plan with a signed BAA and the admin configurations described above. Teams supports HIPAA-compliant video calls, including screen sharing and file transfer during sessions. For practices that need a dedicated telehealth workflow, Microsoft also offers the Teams EHR Connector for integration with Epic and Cerner.

Which Microsoft 365 plan is HIPAA compliant?

Microsoft 365 Business Basic, Business Standard, Business Premium, Enterprise E3, and Enterprise E5 all qualify for a BAA. Qualifying for the BAA is not the same as having the tools to build the safeguards: Business Basic and Standard lack Conditional Access and Intune, so steps 2 and 9 above cannot be done as described on those plans. The E5 plan includes the most advanced compliance features: extended audit log retention, DLP for Teams, and auto-classification with sensitivity labels. For most independent practices, Business Premium or E3 is the practical floor.

Is Teams chat encrypted?

Yes. Teams encrypts chat messages and file transfers with TLS 1.2 or later in transit and AES-256 at rest; call and meeting media are encrypted with SRTP. End-to-end encryption (E2EE) is available for one-on-one calls and, with a Teams Premium license, for meetings, but it is off by default and E2EE sessions cannot be recorded, transcribed, or captioned. Standard Microsoft-managed encryption satisfies HIPAA's transmission security requirement (§164.312(e)(1)), which is an addressable specification; record that decision in your risk analysis.