Hi @Jaskirat Singh,
Welcome to Microsoft Q&A forum.
Thank you for reaching out. I understand your need for clear guidance on how Microsoft 365 supports your organization’s HIPAA compliance - especially regarding the Business Associate Agreement (BAA), assessment templates, technical safeguards, and audit logging.
Below is a clean breakdown of how each element works in Microsoft 365:
1/ Business Associate Agreement (BAA)
- Microsoft provides a HIPAA Business Associate Agreement automatically through the Microsoft Online Services Data Protection Addendum (DPA) for covered entities and business associates using eligible Microsoft cloud services. In practice, this means that once your organization uses in‑scope Microsoft 365 services and accepts the Online Services Terms/DPA, you are already covered under Microsoft’s BAA wording: Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Eco….
- Your administrator can sign in to the Service Trust Portal, go to the HIPAA section, and download the relevant documentation - including the DPA/BAA text and HIPAA support materials.
- Microsoft’s HIPAA/HITECH information explicitly notes that Microsoft enters into BAAs with covered entity and business associate customers using eligible services.
2/ HIPAA/HITECH compliance assessment in Compliance Manager
You can run a compliance assessment directly in Microsoft Purview’s Compliance Manager:
- Go to Microsoft Purview Portal > Compliance Manager > Assessments > + Add assessment
- Select HIPAA/HITECH from the regulations list
- Create an assessment scoped to the Microsoft 365 services you use: Build and manage assessments in Compliance Manager.
Licensing notes:
- All tenants get the Microsoft Data Protection Baseline included.
- E5/A5/G5 tenants can choose up to three premium regulations at no extra cost.
- Other regulations - including HIPAA/HITECH in many E3 tenants - may require a paid add‑on. Check Compliance Manager > Regulations to see what is available in your tenant: Compliance Manager regulations list.
3/ Technical safeguards
a) Data Loss Prevention (DLP) for PHI
- E3/E1: Includes core DLP for Exchange Online, SharePoint Online, and OneDrive.
- E5 / Purview Suite add‑ons: Adds Teams Chat/Channel DLP and Endpoint DLP, both important for PHI protection across devices and Teams collaboration: Learn about data loss prevention.
b) Microsoft Purview Message Encryption (formerly OME)
Included in:
- Microsoft 365 E3/E5
- Office 365 E3/E5
- Several government/education plans
No additional licensing is required if you already have one of these suites: Message encryption FAQ.
4/ Audit logging & HIPAA retention expectations
Audit is enabled by default:
- Unified audit logging is automatically on for all Microsoft 365 tenants. You can view logs under: Purview > Audit: Audit log activities.
Retention periods: Manage audit log retention policies.
- Audit Standard (E1/E3): Most workloads retained for 180 days
- Audit Premium (E5 / Purview / E5 Compliance add‑on):
  - 1‑year default retention for Exchange, SharePoint, OneDrive, and Entra ID
  - Ability to create custom retention policies
  - Other workloads: 180 days
- 10‑year retention: Available through the Audit (Premium) 10‑year add‑on.
I hope this information is helpful. Please try the steps and let me know whether they resolve the issue. If the problem persists, we can work together to find a solution.
As other users will also search for information in this community, your vote can significantly help those with similar inquiries quickly locate the most relevant resources.
Thank you for your kindness and for contributing to the forum.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
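One way to verify and document the audit settings described in section 4 from PowerShell, as an added example that is not part of the answer above or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module, an account holding an audit/compliance admin role, and a placeholder admin UPN; the custom retention policy step requires Audit (Premium) licensing.

```powershell
# Added example: confirm unified audit logging is on, spot-check that events are
# being recorded for a PHI-bearing workload, and make the retention intent explicit.
# 'admin@contoso.example' is a placeholder; replace it with your tenant admin UPN.

Import-Module ExchangeOnlineManagement

# Exchange Online session: exposes Get-AdminAuditLogConfig and Search-UnifiedAuditLog
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false

# 1. Unified audit log ingestion should be enabled by default; warn if it is not
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF; audit evidence will be incomplete.'
}

# 2. Spot-check the last 7 days of SharePoint file operations (a common PHI location)
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointFileOperation -ResultSize 10
"$($recent.Count) SharePoint file-operation events returned for the last 7 days"

# Security & Compliance session: exposes the *-UnifiedAuditLogRetentionPolicy cmdlets
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# 3. List custom retention policies; none means the plan defaults apply
#    (180 days on Audit Standard; 1 year for Exchange/SharePoint/OneDrive/Entra ID on Premium)
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority

# 4. (Audit Premium only) record the 1-year intent for mailbox and SharePoint file
#    events as a policy object that auditors can inspect
New-UnifiedAuditLogRetentionPolicy -Name 'PHI workloads 12 months' `
    -Description 'Retain mailbox and SharePoint file audit events for one year' `
    -RecordTypes ExchangeItem, SharePointFileOperation `
    -RetentionDuration TwelveMonths `
    -Priority 100
```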