Hi @Allyse Eide,
Thank you for reaching out, and I truly appreciate the detailed context you’ve provided regarding your current subscription and cost considerations.
Based on your description, I’d like to provide clarity on your question:
Yes, Microsoft 365 Business Basic can meet HIPAA compliance requirements for a small healthcare practice or business, including the use of Teams and Outlook email for PHI, as long as you take the proper steps to configure security and privacy settings.
You will be able to enter into (or rather, be covered by) a Business Associate Agreement (BAA) with Microsoft; this is automatically provided once you’re on a Business plan using in-scope services. Encryption is built in at multiple levels (disk encryption, network encryption) to protect data, satisfying key HIPAA technical safeguards.
1/ Important considerations and limitations
- Custom Policies & Training: Business Basic does not include advanced compliance features like automatic Data Loss Prevention (DLP). You’ll need to rely on staff training and documented procedures for handling PHI, since the system won’t automatically catch every mistake.
- Security Best Practices: Enable MFA, enforce strong passwords, limit external sharing, review audit logs regularly, and use available encryption options for email (even if manual).
- Documentation: Update your HIPAA risk assessment and compliance policies to reflect how you’re using Microsoft 365 Basic and what controls you have in place. HIPAA requires administrative safeguards in addition to technical ones.
2/ Cost perspective
Financially, your point is well taken: transitioning to the Business Basic plan could save nearly 300 USD per person annually. Many small healthcare providers have successfully adopted this plan, especially when it's paired with a BAA and strong internal policies.
Note: With Business Basic, compliance responsibility leans more on your internal practices, since the plan doesn’t automatically block confidential data leaks. There is no HIPAA rule requiring Business Premium or any specific plan; what matters is implementing the required safeguards, which is achievable on Business Basic.
I hope this helps clarify your current subscription and any cost-related concerns. I'm happy to assist and truly hope the information provided has been helpful. Please feel free to reach out anytime if you need further assistance.
If you find my post helpful, kindly consider marking it as the accepted answer. Doing so can assist others in the community who may have similar questions in finding solutions more quickly. Thank you for your kindness and contributions to the forum.
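The answer above lists the safeguards a tenant admin is expected to verify by hand on Business Basic (MFA, audit logging, limited external sharing, regular log review). The script below is an added example, not code from the answer or from Microsoft's documentation: it is a read-only review of those settings written against the ExchangeOnlineManagement, Microsoft.Graph and MicrosoftTeams modules, which it assumes are installed and usable by an account holding Global Reader or an equivalent role. The seven-day window and the wording of each finding are the example's own choices; every cmdlet used is a published one.

```powershell
# Added example: read-only review of the Business Basic safeguards the answer lists.
# Assumes ExchangeOnlineManagement, Microsoft.Graph and MicrosoftTeams are installed
# and the signed-in account has Global Reader (or equivalent) rights.

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome
Connect-MicrosoftTeams | Out-Null

$findings = [System.Collections.Generic.List[string]]::new()

# 1. MFA at tenant level: Security Defaults make MFA registration mandatory for every
#    account. A Business Basic tenant without Conditional Access depends on this switch.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $defaults.IsEnabled) {
    $findings.Add("Security Defaults are disabled; MFA is not being enforced tenant-wide.")
}

# 2. MFA per user: an enabled account whose only registered method is a password
#    cannot complete an MFA challenge, whatever the tenant policy says.
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled |
    Where-Object { $_.AccountEnabled }
foreach ($u in $users) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $strong = $types | Where-Object { $_ -ne '#microsoft.graph.passwordAuthenticationMethod' }
    if (-not $strong) {
        $findings.Add("No MFA method registered for $($u.UserPrincipalName).")
    }
}

# 3. Audit logging: Search-UnifiedAuditLog returns nothing if ingestion is switched off,
#    so the 'review audit logs regularly' safeguard silently fails.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified audit log ingestion is disabled; mailbox and Teams activity is not being recorded.")
}

# 4. External access in Teams: consumer accounts and open federation widen where a chat
#    containing PHI can travel. The example only reports the values; whether a given
#    allow-list is acceptable is a risk-assessment decision, not something a script decides.
$fed = Get-CsTenantFederationConfiguration
if ($fed.AllowTeamsConsumer) {
    $findings.Add("Teams allows chat with personal (consumer) Teams accounts.")
}
$findings.Add("Teams federation: AllowFederatedUsers=$($fed.AllowFederatedUsers); AllowedDomains=$($fed.AllowedDomains)")

# 5. Log review: failed sign-ins over the last seven days, grouped by account. A burst
#    against one mailbox is the kind of event the answer expects staff to notice manually.
$since = (Get-Date).AddDays(-7)
$failed = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations "UserLoginFailed" -ResultSize 5000
$failed | Group-Object UserIds | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object { $findings.Add("Failed sign-ins (7d): $($_.Count) for $($_.Name)") }

# Report. Anything listed here is an item for the HIPAA risk assessment the answer
# says must be kept current.
if ($findings.Count -eq 0) {
    Write-Output "No findings; settings match the safeguards described."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
Disconnect-MicrosoftTeams
```

Run it from an interactive PowerShell session; each Connect-* cmdlet prompts for sign-in. The script changes nothing: remediation (enabling Security Defaults, turning on audit ingestion, tightening the Teams federation allow-list) is done through the corresponding Update-MgPolicy..., Set-AdminAuditLogConfig and Set-CsTenantFederationConfiguration cmdlets once the findings have been reviewed against the practice's documented policies.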