Is Microsoft Copilot HIPAA Compliant?
It depends on which Copilot product you're using and whether you have a signed Business Associate Agreement with Microsoft. Copilot for Microsoft 365 under an eligible enterprise plan can be configured for HIPAA compliance, but the free Copilot at copilot.microsoft.com and Copilot in consumer Windows are not covered by any BAA. Without that signed BAA, no version is HIPAA compliant regardless of what the settings say.
Why healthcare teams get confused about Copilot and HIPAA
Microsoft markets Copilot across several different products, and the compliance story is completely different for each one. A small medical practice might see Copilot in their Outlook and assume it carries the same enterprise compliance posture as their Microsoft 365 tenant. That assumption is wrong, and it's the kind of mistake that creates real liability.
HIPAA doesn't certify software. It requires covered entities and their business associates to sign a BAA before any PHI touches a third-party system. Microsoft will sign a BAA for specific services under specific plans, but the BAA doesn't automatically extend to every feature labeled 'Copilot.' You have to check which services are in scope and configure the product accordingly.
What Microsoft actually covers, and what it doesn't
Microsoft publishes a list of services covered under its HIPAA BAA. As of 2025, Copilot for Microsoft 365 (the version embedded in Word, Excel, Teams, and Outlook) is included on that list for eligible enterprise and business plans, specifically Microsoft 365 E3, E5, Business Standard, and Business Premium tiers. If you're on one of those plans, you can request a BAA from Microsoft and bring Copilot into your HIPAA compliance program, provided you've also configured your tenant's data governance settings correctly.
The consumer-facing products are a different story entirely. Copilot at copilot.microsoft.com, the Copilot app on iOS and Android outside of a managed enterprise tenant, and Bing's integrated Copilot features are not covered under any Microsoft BAA. If a staff member uses one of those to summarize a patient note or draft a referral letter, that's a potential HIPAA violation, full stop.
Even on a compliant enterprise plan, 'HIPAA compliant' doesn't mean 'automatically safe.' You still need to restrict which users can interact with Copilot, ensure audit logging is active, and verify that Microsoft Purview data controls are in place. The BAA creates the legal framework. Your configuration enforces it.
When the answer changes
If your organization uses Microsoft 365 Copilot through a third-party reseller or managed service provider, the BAA chain matters. Your MSP may or may not have passed through the required BAA terms. You need to verify that in writing, not assume it.
Microsoft also updates its BAA-covered services list periodically. A Copilot feature that wasn't covered six months ago might be covered now, and vice versa after a product restructure. The only reliable source is Microsoft's current HIPAA implementation guide and the services addendum attached to your actual BAA. Don't rely on blog posts, including this one, as your compliance documentation.
How we handle this for healthcare clients
We don't build on top of public Copilot endpoints for any client handling PHI. When a healthcare SMB comes to us, we deploy private LLM infrastructure, typically using Llama 3.1 or Azure OpenAI on dedicated instances within the client's own environment, and we sign the BAA ourselves as a business associate. That means the model never calls out to a shared Microsoft or OpenAI inference endpoint where data handling is governed by a vendor's terms rather than your compliance program.
If a client already has Microsoft 365 E5 and wants to use Copilot for administrative workflows that touch PHI, we'll help them audit their tenant configuration and BAA coverage before anything goes live. That review typically takes a week, and it's the kind of work that prevents a $50,000 OCR settlement down the road.
Ready to see it working for your business?
Book a free 30-minute strategy call. We will scope your use case and give you honest numbers on timeline, cost, and ROI.