Microsoft Teams can be used in a HIPAA-compliant way, but the platform alone doesn’t make you compliant. Microsoft offers a Business Associate Agreement (BAA) that covers Teams, and Teams includes the technical safeguards needed to protect health information. However, HIPAA compliance depends heavily on how your organization configures and uses the platform. The tool is compliant-capable; your setup is what determines whether you’re actually meeting the law’s requirements.
Microsoft’s BAA Covers Teams
The single most important requirement for using any cloud service with protected health information (PHI) is having a signed Business Associate Agreement with the vendor. Without one, your organization is violating HIPAA, full stop. The U.S. Department of Health and Human Services is explicit on this point: if a covered entity uses a cloud service provider to store or process electronic PHI without a BAA in place, the covered entity is in violation of HIPAA Rules.
Microsoft makes this straightforward. Its BAA is available through the Microsoft Online Services Data Protection Addendum and applies by default to all customers who are covered entities or business associates under HIPAA. You don’t need to negotiate a special contract or upgrade to a specific plan to get it. Teams is included as an in-scope service alongside SharePoint, OneDrive, and the broader Office 365 suite. That said, you should confirm the BAA is active in your admin center and keep documentation showing it’s in place.
What Microsoft Handles vs. What You Handle
HIPAA compliance in the cloud follows a shared responsibility model. Microsoft secures the infrastructure: the physical data centers, the servers, the network hardware, and the platform software that runs Teams. Microsoft encrypts data in transit and at rest, maintains uptime, and undergoes independent security assessments, including FedRAMP authorization.
Everything else is on you. Microsoft’s own documentation is clear that customers always retain responsibility for their data, their user accounts, their endpoints (laptops, phones, tablets), and their access management. In practical terms, this means your organization is responsible for:
- Access controls: Setting up multi-factor authentication, role-based permissions, and conditional access policies so only authorized staff can reach PHI.
- Data governance: Deciding what types of information can be shared in Teams chats, channels, and file libraries, and enforcing those decisions with policies.
- Device security: Protecting the phones and computers your staff use to access Teams, including requiring screen locks, encryption, and remote wipe capability for lost devices.
- User training: Making sure employees know they shouldn’t share patient information in channels with unnecessary participants, forward PHI outside the organization, or use personal accounts for work conversations.
- Audit logging: Microsoft 365 provides audit logs to monitor user activity. Your organization needs to actually review them and have a process for detecting and responding to incidents.
A common misconception is that buying a Microsoft 365 license and signing the BAA makes an organization HIPAA compliant. It doesn’t. If your staff shares patient records in an open Teams channel that includes unauthorized users, or if you haven’t enabled multi-factor authentication, you’re non-compliant regardless of what Microsoft provides on the backend.
How PHI Flows Through Teams
When someone sends a chat message in Teams, that message is encrypted in transit and stored in encrypted form in Microsoft’s cloud. Files shared in a Teams channel are stored in SharePoint; files shared in one-on-one chats are stored in OneDrive. Both services are covered under Microsoft’s BAA, so the entire chain of communication and storage falls within the agreement’s scope.
This matters because HHS guidance specifies that any cloud provider that creates, receives, maintains, or transmits electronic PHI qualifies as a business associate, even if the provider only handles encrypted data and never has the decryption key. Microsoft doesn’t get a pass just because data is encrypted. The BAA covers this relationship explicitly.
Video calls and voice calls through Teams are also encrypted in transit. If your clinicians use Teams for telehealth visits, the platform’s encryption meets the technical safeguard requirements. But again, the security of the endpoints (the devices on both ends of the call) remains your responsibility.
Configuration Steps That Actually Matter
Getting Teams into a HIPAA-compliant state requires specific administrative actions. These aren’t optional best practices; they’re the controls that make the difference between a compliant deployment and a liability.
Start with identity and access. Enable multi-factor authentication for every user who will access PHI through Teams. Set up conditional access policies so that Teams can only be accessed from managed, compliant devices. Remove guest access or tightly restrict it so external users can’t stumble into channels containing patient information.
Next, configure data loss prevention (DLP) policies. Microsoft 365 includes tools that can scan messages and files for patterns that look like PHI (Social Security numbers, medical record numbers, health plan IDs) and block or flag them before they leave your organization. These policies don’t configure themselves. An administrator needs to set them up and test them.
Retention policies also need attention. HIPAA requires that you maintain certain records for six years. Configure retention settings in Teams so that chat messages and files are preserved for the required period and can’t be deleted by individual users before that window closes.
Finally, turn on and monitor the unified audit log in Microsoft 365. This log captures who accessed what, when, and from where. Without active monitoring, you have no way to detect unauthorized access or demonstrate compliance during an audit.
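The four steps above can be scripted from an admin workstation. The following is an added example, not Microsoft's own guidance or code from this article; it assumes the ExchangeOnlineManagement and MicrosoftTeams PowerShell modules are installed, that the signed-in account holds the Exchange, Compliance and Teams admin roles, and that the policy names ("PHI-Teams", "PHI-Teams-6y") are placeholders you would rename. MFA and conditional access are configured in Microsoft Entra and are not shown here.

```powershell
# Added example: tenant hardening for the Teams controls discussed above.
# Assumes: ExchangeOnlineManagement + MicrosoftTeams modules, admin roles held.
# Policy names are placeholders; review every value against your own written policy
# and run in a test tenant first.

Connect-ExchangeOnline    # unified audit log cmdlets
Connect-IPPSSession       # Security & Compliance cmdlets (DLP, retention)
Connect-MicrosoftTeams    # Teams admin cmdlets

# 1. Unified audit log: make sure ingestion is on, otherwise nothing is recorded.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Guest access: off tenant-wide until a documented exception is approved.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# 3. DLP: block Teams messages carrying PHI identifiers and notify the sender.
#    SSN is a built-in sensitive information type; medical record numbers need a
#    custom type matching your own MRN format (not created here).
New-DlpCompliancePolicy -Name "PHI-Teams" -TeamsLocation All -Mode Enable
New-DlpComplianceRule -Name "PHI-Teams-Block" -Policy "PHI-Teams" `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -BlockAccess $true -NotifyUser LastModifier `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# 4. Retention: keep Teams chat and channel messages for six years (2190 days)
#    so individual users cannot delete them before the window closes.
New-RetentionCompliancePolicy -Name "PHI-Teams-6y" `
    -TeamsChatLocation All -TeamsChannelLocation All -Enabled $true
New-RetentionComplianceRule -Name "PHI-Teams-6y-Rule" -Policy "PHI-Teams-6y" `
    -RetentionDuration 2190 -RetentionComplianceAction Keep

# 5. Monitoring: a weekly pull of membership and team-setting changes, the events
#    most likely to put an unauthorized person in front of PHI.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -RecordType MicrosoftTeams -Operations MemberAdded, TeamSettingChanged `
    -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations |
    Export-Csv -Path ".\teams-audit-review.csv" -NoTypeInformation
```

The DLP and retention policies take time to propagate; test each with a known sample message before relying on them, and keep the exported review file as evidence that the log is actually being read.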
Where Organizations Get Into Trouble
The most common compliance failures with Teams aren’t technical. They’re behavioral. A nurse sends a patient’s lab results in a group chat that includes an administrative assistant who doesn’t need access. A physician shares a screen during a Teams call with a patient’s chart visible to meeting participants who aren’t part of the care team. Someone installs Teams on a personal phone with no passcode.
These scenarios all represent HIPAA violations regardless of how well the underlying platform is secured. Your organization needs written policies that specifically address how Teams should and shouldn’t be used for PHI, and staff need regular training on those policies. The technical controls described above can catch some mistakes, but they can’t replace human judgment about what information belongs in which conversation.
Third-party apps and integrations within Teams also deserve scrutiny. If you install a bot or connector that processes message content, that third party may also be handling PHI and would need its own BAA. Every integration point is a potential compliance gap if it’s not evaluated separately.
Teams vs. Consumer Messaging Apps
One reason healthcare organizations choose Teams is that it replaces the informal texting and messaging that staff often default to. Standard SMS, iMessage, WhatsApp, and similar consumer tools typically don’t offer BAAs, don’t provide organizational audit logs, and don’t allow administrators to enforce access controls or retention policies. Using them for PHI is a HIPAA violation.
Teams solves this by putting clinical communication inside a platform your IT department can manage, monitor, and secure. It consolidates chat, video, file sharing, and voice calls into one environment covered by a single BAA. For organizations already paying for Microsoft 365, it also eliminates the need to purchase a separate HIPAA-compliant messaging product.

