
HIPAA Compliant Microsoft 365: The Complete Configuration Guide for 2026

HIPAA-compliant Microsoft 365 deployment 2026 — full architecture (BAA, E5 vs E3, Purview, Audit Premium, Customer Lockbox, Sentinel, Copilot), real EPC Group healthcare deployment framework.

Errin O'Connor, CEO & Chief AI Architect
October 10, 2025 · 5 min read
Tags: HIPAA, Microsoft 365, Healthcare, Microsoft Purview, Compliance, BAA, Audit, Customer Lockbox

HIPAA-Compliant Microsoft 365: The 2026 Healthcare Deployment Guide

HIPAA compliance for Microsoft 365 in 2026 is well-established but consistently misunderstood. Microsoft signs Business Associate Agreements (BAAs) covering most M365 services, but BAA coverage alone does not deliver HIPAA compliance. Compliance comes from the configuration of the tenant — sensitivity labels, audit retention, access policies, encryption posture, and incident response readiness — that you build on top of the BAA.

This guide walks through the full HIPAA-compliant Microsoft 365 deployment architecture as we deliver it for healthcare clients in 2026. EPC Group has delivered HIPAA-compliant M365 deployments for hospital systems, payer organizations, post-acute care providers, and digital health platforms across the country since the original SharePoint-on-Office-365 BAA program.

TL;DR — The HIPAA-Compliant Microsoft 365 Stack

Layer | Component | Required For
--- | --- | ---
Contractual | Microsoft Business Associate Agreement (BAA) | All HIPAA-covered tenants
Licensing | Microsoft 365 E3 minimum, E5 strongly recommended | Defender, Audit Premium, Customer Lockbox
Identity | Microsoft Entra ID with MFA + Conditional Access | Covered persons access
Information Protection | Microsoft Purview Information Protection (sensitivity labels) | PHI classification + propagation
Threat Protection | Microsoft Defender for Office 365 Plan 2 | Email + URL + attachment protection
Behavior Analytics | Microsoft Defender for Cloud Apps | Insider risk, anomalous access
Audit | Audit (Premium) — 6-year retention | HIPAA audit trail requirement
Support Access | Customer Lockbox | Microsoft support-access logging
Incident Response | Microsoft Sentinel | Breach detection + response
Endpoint | Microsoft Intune + Defender for Endpoint Plan 2 | Device compliance

Microsoft Business Associate Agreement (BAA)

The Microsoft BAA is the contractual foundation of HIPAA compliance for Microsoft 365. Coverage details:

  • Free — no additional licensing fee, but the BAA must be executed at tenant-creation time or before processing PHI
  • Covers: Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Microsoft Forms, Microsoft Stream, Microsoft Loop, Power BI, Power Apps, Power Automate, Microsoft Dataverse, Microsoft Purview, and Microsoft 365 Copilot
  • Does not cover by default: Microsoft 365 Apps for personal use, certain LinkedIn integrations, partner-provided third-party apps in AppSource

To execute the BAA in 2026: Microsoft 365 admin center → Service Health → Business Associate Agreement, or through your Microsoft Account Manager for Enterprise Agreement customers. Most enterprise customers have BAAs in place from initial M365 contracting; healthcare customers should verify the BAA specifically lists Microsoft 365 Copilot if Copilot deployment is planned.

Required Licensing — E3 vs E5

Microsoft 365 E3 ($36/user/month) — Minimum

E3 provides the foundational HIPAA-compatible feature set:

  • Microsoft Entra ID with MFA support
  • SharePoint Online, OneDrive, Teams (BAA-covered)
  • Microsoft Defender for Office 365 Plan 1
  • Microsoft Defender for Endpoint Plan 1
  • Microsoft Intune for device management
  • Microsoft Purview Information Protection (basic sensitivity labels)
  • Standard audit log retention (90 days)

E3 limitations for HIPAA:

  • 90-day audit log retention does NOT meet HIPAA's 6-year audit trail requirement
  • Defender Plan 1 lacks attack surface reduction and behavior monitoring
  • No Customer Lockbox (Microsoft support can access the tenant without notifying the customer)
  • No Insider Risk Management
  • No Communication Compliance for protected communications

For HIPAA covered entities and business associates, E3 alone is insufficient — most HIPAA-compliant deployments add E5 Compliance ($12/user/month) or E5 Security ($12/user/month) add-ons, or upgrade directly to M365 E5.

Microsoft 365 E5 ($57/user/month) — Strongly Recommended

E5 includes everything in E3 plus:

  • Audit (Premium) — 6-year audit log retention (HIPAA requirement met natively)
  • Customer Lockbox — Microsoft support cannot access PHI without explicit customer approval
  • Microsoft Defender for Office 365 Plan 2 — attack simulation, threat intelligence, automated investigation
  • Microsoft Defender for Endpoint Plan 2 — endpoint detection + response (EDR)
  • Microsoft Defender for Cloud Apps — SaaS app discovery, behavior analytics, DLP
  • Microsoft Defender for Identity — on-prem AD attack detection
  • Microsoft Purview Insider Risk Management — anomalous user behavior detection
  • Microsoft Purview Communication Compliance — sensitive communication monitoring
  • Microsoft Sentinel-fed audit logs — SIEM integration for unified incident response

E5 is the audit-defensible default for HIPAA-covered entities. The cost premium ($21/user/month over E3) is typically less expensive than purchasing the equivalent third-party tools (eDiscovery tools, third-party DLP, third-party SIEM).

Microsoft Purview Information Protection — PHI Classification

Microsoft Purview sensitivity labels are the technical control that distinguishes "tenant has BAA" from "tenant is HIPAA-compliant." Required configuration:

Sensitivity Label Taxonomy

EPC Group default healthcare sensitivity-label taxonomy:

  1. Public — patient education materials, marketing content
  2. Internal — operational documents, internal reports
  3. Confidential — financial data, business strategy
  4. PHI - Patient Identifiable — clinical records, billing claims, treatment notes (encryption applied, sharing restricted to organization)
  5. PHI - Sensitive (psychiatric, genetic, HIV/AIDS, substance use) — heightened protection per HIPAA + 42 CFR Part 2 + state law
  6. Confidential - Restricted — board materials, HR investigations, M&A documents

Auto-Classification Rules

Modern Microsoft Purview supports auto-classification via:

  • Built-in trainable classifiers (e.g., medical terminology, ICD-10 codes)
  • Custom regex patterns (MRN formats, account numbers)
  • Microsoft 365 Copilot grounding hints (Copilot can suggest classification on document creation)
  • Container labels at the SharePoint site level (auto-inherits to documents)

Typical auto-classification coverage in healthcare deployments: 75-85% of new documents auto-classified, 95%+ of documents exported from clinical systems, and 100% of Copilot-generated documents.

Label Propagation

Sensitivity labels propagate from a Word document → SharePoint location → email → Teams message → exported PDF in a single Microsoft Purview pipeline. This propagation is the technical control that prevents covered PHI from leaking through downgrade paths (e.g., user copies content from a PHI-classified document into an unclassified email).

Audit (Premium) — The 6-Year Retention Requirement

HIPAA's Privacy Rule §164.312(b) requires audit controls "to record and examine activity in information systems that contain or use ePHI." HIPAA's Security Rule retention requirement is 6 years from the date of creation.

Microsoft 365 default audit retention is 90 days. Audit (Premium), included in E5, extends retention to:

  • 1 year for E5 baseline
  • Up to 10 years with additional configuration

EPC Group standard healthcare deployment configures Audit (Premium) for 7-year retention (HIPAA's 6-year minimum + 1-year buffer for active investigations). Configuration includes:

  • Audit log retention policies for Exchange, SharePoint, OneDrive, Teams, Power BI
  • High-bandwidth audit log retrieval (E5 baseline is 2GB/min retrieval; some customers need to upgrade)
  • Microsoft Sentinel ingestion for unified SIEM correlation
  • Quarterly audit log integrity verification (HHS-required)
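As an added check for the retention configuration described above (example code written for this guide, not EPC Group or Microsoft tooling), the following Python evaluates a set of audit retention policies, shaped like the output of Get-UnifiedAuditLogRetentionPolicy, and reports which of the listed workloads fall short of the 6-year minimum. The record-type and duration names are assumed to match those used by the Security & Compliance PowerShell cmdlets; the policy set itself is constructed.

```python
"""Check whether audit-log retention policies keep the workloads named in
this guide for at least HIPAA's 6-year minimum.

Added example for this guide, not EPC Group or Microsoft code. Policy
records are constructed to mirror the fields Get-UnifiedAuditLogRetentionPolicy
shows (Name, RecordTypes, RetentionDuration, Priority); the duration names are
assumed to be the fixed set that cmdlet family accepts."""
from datetime import timedelta

SIX_YEARS = timedelta(days=6 * 365)          # HIPAA minimum from the guide
DEFAULT_RETENTION = timedelta(days=90)       # tenant default named in the guide

# Fixed RetentionDuration values (assumed to match the cmdlets).
DURATIONS = {
    "ThreeMonths": timedelta(days=90),
    "SixMonths": timedelta(days=180),
    "NineMonths": timedelta(days=270),
    "TwelveMonths": timedelta(days=365),
    "TenYears": timedelta(days=10 * 365),
}

# Audit record types behind the workloads the guide lists for retention.
PHI_WORKLOADS = {
    "Exchange": ["ExchangeItem", "ExchangeAdmin"],
    "SharePoint": ["SharePoint", "SharePointFileOperation"],
    "OneDrive": ["OneDrive"],
    "Teams": ["MicrosoftTeams"],
    "Power BI": ["PowerBIAudit"],
}


def effective_retention(record_type, policies):
    """Retention applied to one record type: among matching policies the
    lowest Priority number wins; with no match the tenant default applies."""
    matching = [p for p in policies if record_type in p["RecordTypes"]]
    if not matching:
        return DEFAULT_RETENTION
    winner = min(matching, key=lambda p: p["Priority"])
    return DURATIONS[winner["RetentionDuration"]]


def retention_gaps(policies, minimum=SIX_YEARS):
    """Map each workload to the record types retained for less than `minimum`."""
    gaps = {}
    for workload, record_types in PHI_WORKLOADS.items():
        short = [rt for rt in record_types
                 if effective_retention(rt, policies) < minimum]
        if short:
            gaps[workload] = short
    return gaps


# Constructed policy set: mail and documents kept ten years, Teams only one
# year, OneDrive and Power BI left at the default.
SAMPLE_POLICIES = [
    {"Name": "PHI-Mail-10y", "RecordTypes": ["ExchangeItem", "ExchangeAdmin"],
     "RetentionDuration": "TenYears", "Priority": 1},
    {"Name": "PHI-Docs-10y", "RecordTypes": ["SharePoint", "SharePointFileOperation"],
     "RetentionDuration": "TenYears", "Priority": 2},
    {"Name": "Teams-1y", "RecordTypes": ["MicrosoftTeams"],
     "RetentionDuration": "TwelveMonths", "Priority": 3},
]

if __name__ == "__main__":
    for workload, short in retention_gaps(SAMPLE_POLICIES).items():
        print(f"{workload}: below 6 years for {', '.join(short)}")
```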

Customer Lockbox — Microsoft Support Access Logging

HIPAA's "minimum necessary" principle (45 CFR §164.502(b)) requires that PHI access be limited to the minimum necessary to accomplish the purpose. By default, Microsoft support engineers can access customer tenant data for support cases without explicit customer notification.

Customer Lockbox (an E5 feature) requires explicit customer approval before Microsoft support can access tenant data. When a Microsoft support engineer needs access, the customer admin receives an email request and must explicitly approve it, and the access session is recorded in the Audit log.

For HIPAA-covered entities, Customer Lockbox is non-negotiable. EPC Group standard deployment enables Customer Lockbox tenant-wide and configures email + Teams notifications to a designated security distribution list (typically the Information Security Officer, the Privacy Officer, and a backup).

Microsoft Defender for Office 365 Plan 2

Defender for Office 365 Plan 2 (included in E5) provides:

  • Safe Attachments — sandboxed analysis of email attachments before delivery
  • Safe Links — URL rewriting with click-time threat verification
  • Anti-Phishing — impersonation detection, mailbox intelligence
  • Threat Investigation — automated investigation and response
  • Attack Simulation Training — phishing campaign simulation for users
  • Threat Explorer — real-time threat hunting

For HIPAA covered entities, Defender Plan 2 is the typical floor. Plan 1 (included in E3) lacks the automated investigation and attack simulation that mature healthcare security programs require.

Microsoft Sentinel — Incident Response

HIPAA's Security Rule §164.308(a)(6) requires "security incident procedures." Microsoft Sentinel is the cloud-native SIEM that consolidates audit logs from M365 + Defender + Entra ID + Power Platform into a single incident response platform.

Sentinel deployment for HIPAA covered entities typically includes:

  • Data connectors for M365, Entra ID, Defender, Cloud Apps, Power BI, AWS/GCP, on-prem AD, on-prem firewalls
  • Analytics rules for HIPAA-specific scenarios (mass PHI download, unusual access from non-clinical roles, sensitivity-label downgrade events, Copilot prompt-injection patterns)
  • Workbooks for HIPAA-aligned dashboards
  • Playbooks for automated response (auto-disable user, auto-quarantine email, auto-revoke OAuth grant)
  • Watchlists for VIP users, M&A target lists, ongoing audit cases
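Two of the analytics scenarios listed above (sensitivity-label downgrade and mass PHI download), written as plain Python over constructed unified audit log records so the detection logic can be read and run offline. This is an added example for this guide, not EPC Group or Microsoft code; the field names are assumed to follow the unified audit log schema, and the label ids, users, URLs and thresholds are made up.

```python
"""Two of the HIPAA analytics scenarios listed above (sensitivity-label
downgrade, mass PHI download) run over constructed unified audit log records.
Added example, not EPC Group or Microsoft code; field names are assumed to
match the unified audit log schema, label ids and users are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Rank of each label in the guide's taxonomy (label ids are constructed).
LABEL_RANK = {
    "00000000-0000-0000-0000-000000000001": ("Public", 1),
    "00000000-0000-0000-0000-000000000002": ("Internal", 2),
    "00000000-0000-0000-0000-000000000003": ("Confidential", 3),
    "00000000-0000-0000-0000-000000000004": ("PHI - Patient Identifiable", 4),
    "00000000-0000-0000-0000-000000000005": ("PHI - Sensitive", 5),
}
PHI, INTERNAL = list(LABEL_RANK)[3], list(LABEL_RANK)[1]

def label_downgrades(records):
    """Flag label changes that move a document off a PHI label to a lower rank or no label."""
    hits = []
    for r in records:
        if r["Operation"] not in ("SensitivityLabelUpdated", "SensitivityLabelRemoved"):
            continue
        data = r.get("SensitivityLabelEventData", {})
        old = LABEL_RANK.get(data.get("OldSensitivityLabelId"))
        new = LABEL_RANK.get(data.get("SensitivityLabelId"), ("(none)", 0))
        if old and old[0].startswith("PHI") and new[1] < old[1]:
            hits.append((r["UserId"], r["ObjectId"], old[0], new[0]))
    return hits

def mass_downloads(records, threshold=20, window=timedelta(minutes=10)):
    """Return {user: count} for users reaching `threshold` FileDownloaded events in any window."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            per_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged

def make_record(op, user, ts, obj, **extra):
    return {"Operation": op, "UserId": user, "CreationTime": ts,
            "ObjectId": obj, "Workload": "SharePoint", **extra}

T0 = datetime(2026, 1, 12, 9, 0)
SAMPLE_RECORDS = [
    # PHI -> Internal: a downgrade that should fire
    make_record("SensitivityLabelUpdated", "rn@contoso.example", T0.isoformat(),
                "https://contoso.example/sites/clinic/notes.docx",
                SensitivityLabelEventData={"OldSensitivityLabelId": PHI,
                                           "SensitivityLabelId": INTERNAL}),
    # Internal -> PHI: an upgrade that must not fire
    make_record("SensitivityLabelUpdated", "billing@contoso.example", T0.isoformat(),
                "https://contoso.example/sites/billing/claims.xlsx",
                SensitivityLabelEventData={"OldSensitivityLabelId": INTERNAL,
                                           "SensitivityLabelId": PHI}),
] + [
    # 25 chart downloads by one account within eight minutes
    make_record("FileDownloaded", "temp@contoso.example",
                (T0 + timedelta(seconds=20 * i)).isoformat(),
                f"https://contoso.example/sites/clinic/chart{i}.pdf")
    for i in range(25)
]
```

The same two conditions translate directly into Sentinel analytics rules over the ingested audit data; the 20-in-10-minutes threshold is a constructed value, not a recommendation.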

Sentinel is licensed via Azure consumption (data ingestion + retention). A typical 2,000-employee healthcare deployment runs $8,000-$25,000/month in Sentinel costs.

Microsoft 365 Copilot for HIPAA-Covered Tenants

Microsoft 365 Copilot is BAA-covered as of 2024. Compliant Copilot deployment requires:

  • BAA explicitly listing Copilot for Microsoft 365
  • Sensitivity labels propagated through Copilot grounding (Copilot respects label restrictions on retrieval)
  • Conditional Access policies for Copilot-licensed users
  • Microsoft Sentinel analytics rules for Copilot prompt-injection detection
  • Microsoft Purview AI hub configuration for sensitive-content protection
  • User training on Copilot-appropriate use cases

EPC Group's standard prerequisites for a healthcare Copilot rollout are a 30-day Copilot Readiness Assessment focused on PHI oversharing exposure, sensitivity-label coverage on clinical content sources, and a Conditional Access policy review. We do not assign Copilot licenses to clinical users until oversharing remediation is complete.

Frequently Asked Questions

Is Microsoft 365 HIPAA-compliant out of the box?

No. Microsoft 365 has BAA-covered services, but compliance comes from tenant configuration. Required: signed BAA at tenant-creation time, M365 E3 minimum (E5 strongly recommended), Microsoft Purview Information Protection with PHI sensitivity labels, Audit (Premium) for 6-year audit log retention, Customer Lockbox enabled, Microsoft Defender for Office 365 Plan 2, and Microsoft Sentinel for incident response.

Does Microsoft sign HIPAA Business Associate Agreements (BAAs)?

Yes. The Microsoft Online Services BAA is free and covers Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Microsoft 365 Copilot, Power BI, Power Apps, Power Automate, Dataverse, Microsoft Forms, Microsoft Loop, and Microsoft Stream. Sign at tenant creation or via Microsoft 365 admin center.

Can I deploy Microsoft 365 Copilot for HIPAA-covered users?

Yes. Microsoft 365 Copilot is covered under the Microsoft Online Services BAA as of 2024. HIPAA-compliant Copilot deployment additionally requires Microsoft Purview sensitivity labels covering PHI sources (clinical systems, billing systems, EMR exports), Conditional Access policies for Copilot-licensed users, Microsoft Sentinel analytics rules for Copilot anomaly detection, and Microsoft Purview AI hub configuration.

What's the difference between M365 E3 and E5 for HIPAA compliance?

M365 E3 ($36/user/month) provides the foundational compliance feature set but lacks Audit (Premium) for 6-year retention, Customer Lockbox, Defender Plan 2, Insider Risk Management, and Communication Compliance. M365 E5 ($57/user/month) includes all of these natively. For HIPAA covered entities, E5 is the audit-defensible default. The cost premium ($21/user/month) is typically less expensive than purchasing equivalent third-party tools.

How does HIPAA's 6-year audit retention requirement work in M365?

HIPAA Security Rule §164.316(b)(2)(i) requires retention of policies, procedures, and audit records for 6 years from creation or last effective date. Microsoft 365 default audit retention is 90 days; Audit (Premium) included in E5 extends to 1-10 years configurable. EPC Group standard healthcare configuration is 7-year retention (6 + 1 year buffer).

What does a typical HIPAA-compliant M365 deployment cost?

License cost for 2,000 healthcare employees on E5: $57 × 2,000 × 12 = $1,368,000/year. EPC Group fixed-fee implementation accelerator for HIPAA-aligned M365 deployment: $250,000-$650,000 covering BAA verification, Microsoft Purview sensitivity-label rollout, Audit (Premium) configuration, Customer Lockbox enablement, Microsoft Sentinel deployment, Microsoft 365 Copilot Readiness Assessment, and written compliance posture assessment.

Is OneDrive HIPAA-compliant?

OneDrive for Business is BAA-covered and HIPAA-compatible when deployed with proper sensitivity labels, sharing restrictions, and audit retention. EPC Group standard configuration disables external sharing for OneDrive accounts of clinical users, applies PHI sensitivity-label auto-classification on file upload, and enables Audit (Premium) on OneDrive activities for 6-year retention.

Can Microsoft Teams be used for HIPAA-protected communications?

Yes. Microsoft Teams is BAA-covered and supports HIPAA-compliant deployment. Required configuration: sensitivity labels for Teams chats and meetings, retention policies for compliance recording, Communication Compliance policies for sensitive communication monitoring, and Microsoft Defender for Office 365 Plan 2 for attachment + URL protection. Teams Phone for clinical voice communications additionally requires call recording compliance configuration.

How EPC Group Delivers HIPAA-Compliant M365

EPC Group has delivered HIPAA-compliant Microsoft 365 deployments for hospital systems, payer organizations, post-acute care providers, and digital health platforms since the original SharePoint-on-Office-365 BAA program. Errin O'Connor's federal IT reform advisory work under former Federal CIO Vivek Kundra contributed to early federal cloud-first policy that informs our compliance methodology.

Every HIPAA-compliant M365 engagement we deliver includes:

  • Microsoft BAA verification (or new BAA execution if missing)
  • HIPAA Security Rule control mapping (45 CFR §164.308 administrative, §164.310 physical, §164.312 technical safeguards)
  • Microsoft Purview sensitivity-label taxonomy design with PHI auto-classification rules
  • Audit (Premium) 7-year retention configuration
  • Customer Lockbox enablement
  • Microsoft Defender for Office 365 Plan 2 configuration
  • Microsoft Sentinel deployment with HIPAA-specific analytics rules
  • Microsoft 365 Copilot Readiness Assessment (when Copilot deployment is planned)
  • Incident Response runbook scoped to HHS Office for Civil Rights breach notification timelines
  • Written compliance posture assessment for legal/audit review

Next Steps

Schedule a 30-minute discovery call at /schedule or call (888) 381-9725. Senior architects (not sales reps) take discovery calls. We'll discuss your current healthcare M365 footprint, identify HIPAA compliance gaps, and outline next steps. No obligation, no sales pressure.

Related reading: Microsoft 365 Copilot Enterprise Implementation Guide, Microsoft Purview Enterprise Data Governance, and AI Governance Healthcare HIPAA Guide.
