Azure AI BAA/HIPAA Compliance

Neil Sanghavi 20 Reputation points
2025-05-12T13:07:03.42+00:00

My company is currently evaluating Azure’s AI services for healthcare applications, and we’d like to better understand how Azure supports HIPAA compliance. Specifically, how can we ensure that our clients' patient data remains confidential and secure under Azure’s infrastructure?

Are there specific configurations, agreements (e.g., BAA), or best practices we should be aware of to maintain HIPAA compliance when using Azure AI tools like OpenAI, or other related components?

Thanks in advance for your guidance!

Azure AI services

Accepted answer
  1. Sina Salam 22,031 Reputation points Volunteer Moderator
    2025-05-12T22:12:29.7933333+00:00

    Hello Neil Sanghavi,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    For fuller, more specific guidance on how to configure Azure OpenAI to ensure HIPAA compliance, a step-by-step guide, or confirmation of the necessary contractual and technical measures, and additionally to address the division of responsibilities under the Shared Responsibility Model between Microsoft and its customers: below, I will close the gaps in the previous response by @Manas Mohanty, correct possible confusion, and reinforce Microsoft’s position on data privacy, model eligibility, and customer responsibilities.

    1. To grasp HIPAA's requirements on Azure and AI services: HIPAA compliance mandates more than just platform usage—it requires a combination of technical, physical, and administrative safeguards to protect health information. While Microsoft Azure is built to support HIPAA and HITRUST standards, simply using the platform doesn't make you compliant. Organizations must proactively configure and manage their environments to meet the required security controls. Read more on Microsoft HIPAA/HITECH Guidance.
    2. To ensure your use of Azure aligns with HIPAA regulations, you must verify that your licensing includes the Microsoft BAA. This is typically incorporated through the Microsoft Data Protection Addendum (DPA), which is automatically included for customers under valid licensing models such as Enterprise Agreements, Microsoft 365, or CSP arrangements. You can download confirmation documents, including the DPA and BAA, directly from the Microsoft Service Trust Portal. For reference, see the BAA Overview.
    3. To implement HIPAA-specific configurations in Azure, understand that, when set up properly, several Azure services become eligible for use with protected health information (PHI), such as:
    4. For handling Protected Health Information in Azure OpenAI: Azure OpenAI is eligible for HIPAA-covered workloads—but only for production-level text-based interactions. Preview features or non-text models such as DALL·E or voice inputs are not currently HIPAA-compliant unless explicitly stated. Additionally, Microsoft ensures customer data is not used to retrain OpenAI models, and users can opt out of any logging to further enhance privacy. Read more on Azure OpenAI Data Handling here.
    5. For SaaS providers and their HIPAA responsibilities: If you’re a SaaS provider managing PHI, your responsibility extends beyond using HIPAA-eligible infrastructure. You must establish your own Business Associate Agreement (BAA) with your clients, ensuring they understand that Microsoft serves as your subprocessor. Furthermore, you should isolate tenant data securely using multi-tenant controls or Azure AD B2B and keep audit logs readily available for compliance assessments or third-party audits. Read more details on HIPAA SaaS Responsibilities here.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    1 person found this answer helpful.

1 additional answer

  1. Manas Mohanty 6,530 Reputation points Microsoft External Staff Moderator
    2025-05-12T15:49:20.1666667+00:00

    Hi Neil Sanghavi,

    I have tried to cover all aspects of HIPAA compliance on Azure AI services, from definition to generating compliance reports, in the sections below.

    0. HIPAA-Eligible Azure AI Services

    1. Azure OpenAI Service
      • HIPAA-eligible for text-based inputs.
      • Covered under Microsoft’s Business Associate Agreement (BAA) through the Microsoft Online Services Data Protection Addendum (DPA)
    2. Azure Cognitive Services
      • Many components are HIPAA-eligible, including:
        • Text Analytics (e.g., sentiment analysis, key phrase extraction)
        • Language Understanding (LUIS)
        • Speech Services (speech-to-text, text-to-speech)
        • Translator
      • Computer Vision and Face API are not HIPAA-eligible by default—avoid using them with PHI unless explicitly approved.
    3. Azure Machine Learning
      • HIPAA-eligible when used with proper configurations (e.g., secure data storage, access controls, encryption).
      • Supports training and deploying models in a compliant environment.
    4. Azure Bot Services
      • Can be HIPAA-compliant when integrated with other HIPAA-eligible services and configured securely.

    1. HIPAA Compliance and Business Associate Agreement (BAA)

    HIPAA applies to covered entities – doctors’ offices, hospitals, health insurers, and other healthcare companies – that create, receive, maintain, transmit, or access PHI. HIPAA further applies to business associates of covered entities that perform certain functions or activities involving PHI as part of providing services to the covered entity or on behalf of the covered entity.

    When a covered entity engages the services of a cloud service provider (CSP), such as Microsoft, the CSP becomes a business associate under HIPAA. Moreover, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit PHI, the CSP also becomes a business associate.

    Microsoft provides a Business Associate Agreement (BAA) through the Microsoft Online Services Data Protection Addendum (DPA).

    You do not need to sign a separate BAA if you're already using Azure under a qualifying licensing agreement (e.g., Enterprise Agreement or Cloud Solution Provider agreement)

    But your customers who are healthcare providers or covered entities under HIPAA can sign a BAA directly with you. They don't need to have a BAA in place with Microsoft to use your SaaS solution.

    The Microsoft BAA terms incorporated into your licensing agreement with Microsoft wouldn't be applicable to your customers unless they also happen to be Microsoft customers and have separate licensing agreements in place with Microsoft.

    Reference - https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-hipaa-us

    HIPAA BAA location - https://aka.ms/baa


    2. Key Security Configurations for HIPAA Compliance

    To ensure HIPAA compliance when using Azure AI services, customers need to implement the mandates required in the Azure Policies below. Microsoft only facilitates this and is not directly responsible for it.

    https://learn.microsoft.com/en-us/azure/governance/policy/samples/hipaa-hitrust-9-2

    Here is a high-level summary of the actions in the above.

    a. Data Residency

    • Host all PHI (Protected Health Information) in Azure regions within the U.S. or other HIPAA-compliant jurisdictions. You can use the Data Zone model deployment.

    b. Encryption

    • Use encryption at rest and in transit (Azure provides this by default).
    • For added control, manage your own keys using Azure Key Vault.

    c. Access Controls

    • Implement Role-Based Access Control (RBAC).
    • Use Azure Active Directory (AAD) for identity and access management.
    • Enable Multi-Factor Authentication (MFA) for all users accessing PHI. Reference:

    d. Monitoring and Auditing

    • Enable Azure Monitor, Azure Security Center, and Microsoft Defender for Cloud to track access and detect anomalies.
    • Maintain audit logs for all access to PHI.

    e. Data Management

    • Avoid sending unnecessary PHI to AI models.
    • Use de-identification or anonymization techniques where possible.

    3. Special Considerations for Azure OpenAI

    • Text Inputs: HIPAA compliance is supported for text-based interactions with Azure OpenAI when proper safeguards are in place.
    • Image Inputs (e.g., DALL·E): These are not currently covered under HIPAA compliance by default. Avoid sending PHI in image form unless you have verified compliance through other Azure services.

    4. Compliance Management

    You can use the Azure Purview Compliance Manager to assess and manage HIPAA compliance and create audit reports.

    https://learn.microsoft.com/en-us/purview/compliance-manager-setup

    Hope it helps.

    Thank you

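Section 2e of the answer above recommends de-identifying PHI before it reaches an AI model. The following is an added illustration, not code from the answer or from any Azure SDK: a small pattern-based redactor that swaps common PHI identifiers in a clinical note for placeholder tokens before the text is sent to a model, keeps the token-to-value mapping on the customer side so a response can be re-identified, and refuses to build a prompt if PHI patterns remain. The regexes, the sample note and the function names are constructed for this example; they catch only structured identifiers (SSN, phone, e-mail, MRN, dates), so names and free-text identifiers still need an NER-based PHI detector.

```python
import re

# Constructed, pattern-based PHI redactor for this example; not an Azure service or SDK.
PHI_PATTERNS = {
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "MRN":   re.compile(r"\bMRN[:# ]?\s*\d{6,10}\b", re.IGNORECASE),
    "DATE":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def deidentify(text):
    """Replace each PHI match with a [KIND_n] token; identical values share a token."""
    mapping = {}   # token -> original value; stays on the customer side, never sent
    counters = {}
    def replacer(kind):
        def _sub(match):
            value = match.group(0)
            for token, seen in mapping.items():   # reuse token for a repeated value
                if seen == value:
                    return token
            counters[kind] = counters.get(kind, 0) + 1
            token = f"[{kind}_{counters[kind]}]"
            mapping[token] = value
            return token
        return _sub
    for kind, pattern in PHI_PATTERNS.items():
        text = pattern.sub(replacer(kind), text)
    return text, mapping

def reidentify(text, mapping):
    """Restore original values in a model response that echoes the tokens."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text

def contains_phi(text):
    return any(p.search(text) for p in PHI_PATTERNS.values())

def build_prompt(note):
    """De-identify a note and refuse to produce a prompt if PHI patterns remain."""
    redacted, mapping = deidentify(note)
    if contains_phi(redacted):
        raise ValueError("PHI still present after de-identification; not sending")
    return f"Summarize the following clinical note:\n{redacted}", mapping

# Constructed sample note with fictional values, not real patient data.
SAMPLE_NOTE = ("Patient MRN 00451234, DOB 03/14/1962, SSN 123-45-6789, contact "
               "jdoe@example.com or (555) 123-4567, seen 05/12/2025. "
               "Follow-up: call (555) 123-4567 to schedule.")
```

Only the redacted prompt leaves the tenant; the mapping stays local, so the model never sees the identifiers and the response can still be mapped back for the clinician.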
