Is Microsoft Exchange HIPAA compliant? (2025 update)
Microsoft Exchange Online is Microsoft's hosted business email service, delivered through Microsoft 365, that provides email, calendars, contacts, and related messaging features. Microsoft describes Exchange Online as part of Office 365 and lists it as an in-scope service for its HIPAA offering.
Is Microsoft Exchange HIPAA compliant? Yes, Microsoft Exchange can be HIPAA compliant, but there are limitations.
As of April 2026, our review did not identify any publicly disclosed changes to Microsoft's HIPAA-related policies or BAA terms for Exchange. Microsoft still lists Exchange Online as an in-scope service, and its HIPAA Business Associate Agreement is still made available through the Microsoft Online Services Data Protection Addendum by default.
Yes, Microsoft will sign a business associate agreement. Microsoft states that its HIPAA Business Associate Agreement is available by default, through the Microsoft Online Services Data Protection Addendum, to covered entities and business associates under HIPAA.
Their BAA covers in-scope Microsoft services, and Exchange Online is listed among the in-scope Office 365 services.
Microsoft does not present Exchange Online as automatically making a customer HIPAA compliant; its terms state that using Microsoft services does not, on its own, achieve HIPAA compliance.
Microsoft also will not accept a customer's own BAA in place of its standard form; its terms state that Microsoft cannot use a customer's Business Associate Agreement.
That means Microsoft Exchange Online can support HIPAA compliance, but the BAA only covers Microsoft's side of the shared responsibility. The customer remains responsible for the HIPAA Security Rule's administrative, physical, and technical safeguards on its side: who is granted access to mailboxes, how that access is authenticated and audited, how PHI is handled in transit and at rest, and how the service is configured and used within the organization's own compliance program.
In short, Microsoft Exchange is HIPAA compliant only when a covered entity or business associate uses Exchange Online as an in-scope Microsoft service under Microsoft's BAA and correctly manages its own HIPAA compliance obligations.
Learn more: HIPAA Compliant Email: The Definitive Guide
A BAA is a legally binding contract between a HIPAA covered entity and a business associate (or between a business associate and its subcontractor) that sets out how the business associate may use PHI and how it must safeguard it, as required by HIPAA regulations.
HIPAA sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI). It is designed both to protect individuals' health information and to allow healthcare providers and insurers to exchange electronic health information securely. Violations of HIPAA can result in significant fines and penalties, for business associates as well as covered entities.
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to the business associates of those covered entities: organizations that perform functions or activities, or provide services, on behalf of a covered entity that involve access to PHI.