
BAA for Azure Foundry models

Alex Tran 0 Reputation points
2026-03-16T13:40:52.71+00:00

Hi there,

We were told to come here to ask about signing a BAA with Azure Foundry so that we can use the HIPAA-compliant version of OpenAI, Anthropic, and Gemini models within Foundry with ZDR (zero data retention), given that we operate in the health tech space. There is no public information about the steps to get one or who to contact, and we have a time-sensitive need for it in the next week, so if you could please help us, that would be greatly appreciated.

Thank you

Azure OpenAI Service

An Azure service that provides access to OpenAI’s GPT-3 models with enterprise capabilities.


2 answers

  1. Manas Mohanty 16,190 Reputation points Microsoft External Staff Moderator
    2026-03-19T07:58:34.0866667+00:00

    Hi Alex Tran

    There is no additional BAA signing required unless models are accessed outside Azure.

    You can refer to and use the Addendum (references attached in the above answer) to sign the agreements with customers as a best practice.

    There is a default retention of 30 days, which can be overridden to 0 for managed customers.

    Managed customers can opt out of data retention by submitting details on the Advanced abuse monitoring form.

    Reference.

    https://learn.microsoft.com/en-us/azure/foundry/openai/concepts/abuse-monitoring#modified-abuse-monitoring

    Thank you


  2. Karnam Venkata Rajeswari 1,650 Reputation points Microsoft External Staff Moderator
    2026-03-16T14:58:42.0733333+00:00

    Hello Alex Tran,

    Welcome to Microsoft Q&A, and thank you for reaching out.

    The BAA is part of the Microsoft Online Services Data Protection Addendum (DPA). The BAA is already in effect automatically for (EA / MCA / CSP).

    Since you are consuming OpenAI, Anthropic, and Gemini through Azure AI Foundry, there is no separate BAA request per model.

    The HIPAA Business Associate Agreement is provided by Azure itself via the Microsoft Products and Services Data Protection Addendum (DPA) and applies automatically for customers on Enterprise Agreement, Microsoft Customer Agreement, or CSP.

    To proceed, please:

    • Confirm your Azure subscription type if it falls under (EA / MCA / CSP).
    • Retain the DPA / HIPAA documentation from the Service Trust Portal.
    • Deploy the solution using HIPAA‑aligned configurations (U.S. regions, encryption, RBAC, private networking).

    There is no additional BAA signing required unless models are accessed outside Azure.

    References

    HIPAA - Azure Compliance | Microsoft Learn

    Licensing Documents

    Regulatory Compliance details for HIPAA HITRUST - Azure Policy | Microsoft Learn

    Please let me know if you have any questions.

    Thank you!

    Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.

     
