What Microsoft 365 license is needed for HIPAA compliance?

Microsoft 365 E3 ($36/user/month) meets minimum HIPAA requirements with basic DLP, retention, and audit logging. Microsoft 365 E5 ($57/user/month) is recommended for healthcare organizations because it includes: Microsoft Defender for Office 365 Plan 2, Advanced eDiscovery, Insider Risk Management, Communication Compliance, Information Barriers, and enhanced audit logging. EPC Group recommends E5 for organizations handling significant PHI volumes.

How do I get a Microsoft BAA for HIPAA?

Microsoft provides the BAA through the Microsoft Trust Portal. For enterprise customers: navigate to Microsoft 365 admin center → Settings → Org Settings → Security & Privacy → HIPAA → Accept the BAA. The BAA covers M365 core services (Exchange, SharePoint, Teams, OneDrive), Azure services, and Dynamics 365. EPC Group verifies BAA acceptance as the first step in every HIPAA-compliant M365 deployment.

How do you protect PHI in Microsoft Teams?

PHI protection in Teams requires: 1) DLP policies that detect and block PHI sharing in chats and channels, 2) Sensitivity labels on Teams and channels containing PHI (restrict external sharing, prevent downloads), 3) Information barriers between clinical and non-clinical departments, 4) Retention policies for clinical communications, 5) eDiscovery holds for legal and compliance, 6) Guest access restrictions for PHI-labeled teams, 7) Audit logging for all PHI access events. EPC Group configures all of these controls during HIPAA M365 deployment.

What are the HIPAA email encryption requirements for Microsoft 365?

HIPAA requires encryption for PHI transmitted electronically. Microsoft 365 provides: Office Message Encryption (OME) for encrypting emails to external recipients, Transport Layer Security (TLS) for in-transit encryption between M365 tenants, S/MIME for certificate-based encryption, and sensitivity labels that auto-encrypt emails containing PHI. EPC Group implements DLP transport rules that automatically encrypt outbound emails containing PHI patterns (SSN, MRN, diagnosis codes) — ensuring compliance without relying on user behavior.

How do you audit PHI access in Microsoft 365?

HIPAA requires audit trails for all PHI access. Microsoft 365 provides: Unified Audit Log (captures all M365 activity), Mailbox Audit Logging (tracks email access and actions), SharePoint audit logs (document access, sharing, modifications), Advanced Audit in E5 (long-term retention, high-value event logging), and Microsoft Purview Audit (Premium) for forensic investigation. EPC Group configures audit log retention for 1-7 years (depending on state requirements), creates automated alerts for suspicious PHI access patterns, and builds compliance dashboards for HIPAA officers.

HIPAA-Compliant Microsoft 365 Deployment Guide 2026

HIPAA Control	M365 E3	M365 E5	Recommendation
BAA Coverage	Yes	Yes	Both covered
DLP for PHI	Basic (email only)	Advanced (email + Teams + endpoints)	E5 for full coverage
Email Encryption	OME included	OME + S/MIME	E3 sufficient
Audit Logging	90-day retention	1-year retention + advanced audit	E5 for HIPAA 7-year req
Insider Risk Management	Not included	Included	E5 required
Information Barriers	Not included	Included	E5 for clinical isolation
eDiscovery	Standard	Premium (legal holds, review sets)	E5 for investigations
Sensitivity Labels	Manual only	Auto-labeling at scale	E5 for enterprise PHI

Last updated: 2026 · Read time: ~7 minutes

Microsoft 365 supports HIPAA compliance but requires 7 configuration phases: BAA verification, identity controls, DLP for PHI detection, email encryption, Teams and SharePoint PHI controls, audit logging, and validation documentation. This guide covers each phase. EPC Group delivers HIPAA-compliant M365 deployments in 8–12 weeks.

Key facts

Microsoft signs a HIPAA Business Associate Agreement (BAA) at no cost for E3/E5 enterprise customers.
The BAA must be executed before any PHI enters Microsoft 365 — execute at tenant creation.
Microsoft 365 E5 ($57/user/mo) includes the full HIPAA compliance toolset.
Microsoft 365 E3 ($36/user/mo) requires add-ons for full HIPAA coverage.
EPC Group deploys HIPAA-compliant M365 for healthcare organizations in 8–12 weeks.

The 7 HIPAA configuration phases

A HIPAA-compliant Microsoft 365 deployment requires seven sequential configuration phases. Each builds on the previous one. Skipping phases creates compliance gaps.

Phase 1: BAA verification

Execute the Microsoft BAA before any PHI enters the tenant. The BAA is in the Microsoft 365 admin center under Settings → Org settings → Security & privacy → Business Associate Agreement.

Phase 2: Identity controls

Require MFA for all users via Conditional Access policy.
Block sign-ins from unmanaged devices for PHI-access applications.
Require compliant or hybrid-joined devices for Exchange, SharePoint, and Teams.
Configure named location policies to restrict access from non-approved networks where required.

Phase 3: DLP policies for PHI detection

Create DLP policies using Microsoft's built-in HIPAA template in Microsoft Purview.
Apply to Exchange Online, SharePoint Online, OneDrive, and Teams chat and channels.
Configure policy tips to notify users when PHI is detected before they send.
Set enforcement actions: block sharing of PHI outside the organization.

Phase 4: Email encryption (OME)

Configure Microsoft Purview Message Encryption (OME) to encrypt outbound emails containing PHI.
Create transport rules that trigger OME when PHI-sensitive content is detected.
Test encryption delivery to external recipients (non-Microsoft mail clients).

Phase 5: Teams and SharePoint PHI controls

Seven controls are required for Teams and SharePoint in a HIPAA deployment:

DLP policies detecting PHI in Teams chat and channel messages.
Sensitivity labels on Teams and channels containing PHI — restricts external sharing and guest access.
Information barriers between clinical and non-clinical departments.
Retention policies on clinical communications for the required HIPAA retention period.
eDiscovery holds for legal and compliance investigations.
Guest access restrictions for PHI-labeled teams.
Audit logging for all PHI access events in Teams and SharePoint.

Phase 6: Audit logging

HIPAA Security Rule §164.312(b) requires activity reviews. Microsoft 365 provides:

Unified Audit Log — captures all M365 activity (requires E3 or higher).
Mailbox Audit Logging — tracks email access, delegation, and sending actions.
SharePoint Audit Logs — document access, sharing, and modification events.
Purview Audit (Premium) — 6-year retention for forensic investigation (E5 or add-on).

Phase 7: Validation documentation

Document every control implemented against HIPAA Security Rule safeguard categories.
Produce a System Security Plan (SSP) equivalent mapping M365 controls to HIPAA requirements.
Run a simulated PHI exfiltration test to validate DLP and Conditional Access policies work.
Conduct a tabletop exercise for the HIPAA breach response procedure.

Microsoft 365 licensing for HIPAA

E5 is the most complete HIPAA licensing option. E3 with targeted add-ons covers most requirements at lower per-user cost.

| Feature | E3 ($36/user/mo) | E5 ($57/user/mo) | |---|---|---| | BAA support | Yes | Yes | | Purview DLP | Yes | Yes | | Purview Audit standard | 90-day retention | 90-day retention | | Purview Audit Premium | Add-on required | Included | | Defender for Office 365 Plan 2 | Add-on required | Included | | Insider Risk Management | Add-on required | Included | | Customer Lockbox | Add-on required | Included | | Communication Compliance | Add-on required | Included |

Frequently asked questions

Is Microsoft 365 HIPAA compliant out of the box?

No. Microsoft 365 is HIPAA-capable — but compliance requires your organization to execute the BAA, configure DLP policies, set up Conditional Access, implement sensitivity labels, enable audit logging, and document the controls. EPC Group completes these seven phases in 8–12 weeks.

Does Microsoft sign a HIPAA BAA?

Yes. Microsoft provides a standard HIPAA Business Associate Agreement (BAA) at no cost for enterprise M365 customers. It is available in the Microsoft 365 admin center. Execute it before any PHI enters the tenant — Microsoft will not retroactively sign.

Which Microsoft 365 license is best for HIPAA?

E5 ($57/user/mo) is the most complete option — it includes Purview Audit Premium (6-year retention), Defender for Office 365 Plan 2, Insider Risk Management, and Customer Lockbox. E3 ($36/user/mo) works for most HIPAA requirements with targeted compliance add-ons.

Can Microsoft Teams be used for clinical communications?

Yes — when configured correctly with DLP policies, sensitivity labels, information barriers, and audit logging. Many health systems use Teams for clinical care coordination under a valid Microsoft BAA. EPC Group configures and validates the HIPAA controls before any PHI enters Teams.

How long does a HIPAA-compliant M365 deployment take?

EPC Group completes HIPAA-compliant M365 deployments in 8–12 weeks. This covers all seven configuration phases, documentation, and a validation test before go-live. Larger organizations with multiple sites or existing legacy compliance controls may run 12–16 weeks.

Deploy HIPAA-compliant Microsoft 365

Talk to an EPC Group healthcare technology architect. Call (888) 381-9725 or request a 30-minute discovery call.

HIPAA Control	M365 E3	M365 E5	Recommendation
BAA Coverage	Yes	Yes	Both covered
DLP for PHI	Basic (email only)	Advanced (email + Teams + endpoints)	E5 for full coverage
Email Encryption	OME included	OME + S/MIME	E3 sufficient
Audit Logging	90-day retention	1-year retention + advanced audit	E5 for HIPAA 7-year req
Insider Risk Management	Not included	Included	E5 required
Information Barriers	Not included	Included	E5 for clinical isolation
eDiscovery	Standard	Premium (legal holds, review sets)	E5 for investigations
Sensitivity Labels	Manual only	Auto-labeling at scale	E5 for enterprise PHI