Microsoft Teams HIPAA Compliance Requirements

Written by BEMO | May 29, 2026 1:00:00 PM

Quick Answer: Microsoft Teams is not HIPAA compliant by default. To use it with protected health information, you must configure specific security settings, sign a Business Associate Agreement with Microsoft, and implement technical safeguards across your Microsoft 365 environment. Without these steps, Teams use involving PHI puts you at risk of a violation.

Using Microsoft Teams in a healthcare or healthcare-adjacent setting means you are responsible for making it HIPAA compliant before any PHI touches the platform. That covers everything from chat messages and call recordings to files shared in channels.

The requirements span administrative, physical, and technical safeguards under the HIPAA Security Rule, plus a signed BAA with Microsoft before you start. This page breaks down exactly what those requirements are, where organizations typically get stuck, and what it takes to get and stay compliant.

Key Takeaways

Microsoft Teams can be used in a HIPAA-compliant way, but only after you configure the platform, sign a BAA with Microsoft, and implement the required safeguards across your environment.
The biggest challenge is that HIPAA compliance in Teams is not a one-time setup; it requires ongoing monitoring, access reviews, and policy enforcement.
Initial implementation of HIPAA controls across a Microsoft 365 environment typically takes around eight months when managed by a dedicated compliance team.
Doing this in-house requires at minimum one full-time hire at $84,000 to $132,000 per year, not counting tooling, auditor fees, or the time to build policies from scratch.
A managed compliance partner handles configuration, documentation, BAA coordination, and ongoing monitoring for approximately $4,800 per month.

What Are Microsoft Teams HIPAA Compliance Requirements?

Microsoft Teams is built on Microsoft 365, which means your HIPAA obligations extend across the entire platform, not just the Teams app itself. Microsoft will sign a BAA covering Teams under Microsoft 365, but signing that BAA is just the starting point. You still need to configure the environment correctly and maintain it over time.

HIPAA compliance for Teams is governed by four main rules from the Department of Health and Human Services (HHS):

HIPAA Rule	What It Requires in a Teams Context
Privacy Rule	Limit who can access PHI shared in Teams; establish minimum necessary use policies
Security Rule	Implement administrative, physical, and technical safeguards for ePHI in Teams
Breach Notification Rule	Detect, report, and document any unauthorized access to PHI in Teams
Omnibus Rule	Extend BAA requirements to business associates and subcontractors

Under the Security Rule specifically, HHS identifies three categories of safeguards that apply directly to how you configure and manage Teams:

Administrative Safeguards: You need a designated Security Officer, a risk analysis process, workforce training, and written policies covering how Teams may be used with PHI. This includes policies on acceptable use, access control, and incident response.

Technical Safeguards: These are the settings you actually configure inside Microsoft 365. They include multi-factor authentication through Entra ID, encryption in transit and at rest, audit logging via Microsoft Purview, automatic session timeouts, and access controls that restrict who can view or share PHI in channels and chats.

Physical Safeguards: These apply to the devices used to access Teams. Endpoint management through Microsoft Intune lets you enforce device encryption, remote wipe capabilities, and screen lock policies on any device accessing the platform.

Beyond configuration, you need a signed BAA with Microsoft before any PHI enters Teams. Microsoft offers a standard BAA through the Microsoft Online Services Terms, but you must actively accept it. It does not apply automatically.

For a broader look at what HIPAA compliance involves across your organization, the HIPAA compliance guide for businesses covers the full scope of the four rules.

Challenges Companies Face When Getting HIPAA Compliant in Teams

Most organizations underestimate how much work is involved in making Teams HIPAA-ready. The platform has dozens of configurable settings, and the wrong defaults can expose PHI without any obvious warning sign.

PHI exists in more places than expected. Chat logs, call recordings, voicemails, shared files, and meeting transcripts can all contain PHI, and each requires its own safeguards.
No internal expertise. Properly configuring Purview, Intune, Entra ID, and audit logging requires Microsoft 365 security knowledge that most IT generalists do not have at the depth HIPAA demands.
BAA management is ongoing. You need a BAA with Microsoft, but also with any third-party apps integrated into Teams, including scheduling tools, EHR integrations, and telehealth platforms.
Audit logging is not enabled by default. Unified audit logs in Microsoft 365 must be turned on and retained for the period required by HIPAA, which most organizations miss during initial setup.
Ongoing burden. Access reviews, training records, policy updates, and incident response drills do not end after initial setup. They are recurring obligations that must be documented.
Employee resistance. Enforcing MFA, restricting external sharing, and limiting guest access in Teams creates friction that employees push back on, especially in clinical environments where speed matters.

What Does It Take to Meet Microsoft Teams HIPAA Compliance Requirements?

Getting Teams to a HIPAA-compliant state involves work across several disciplines simultaneously. Configuration alone is not enough. You need documentation, training, and monitoring to back it up.

Technical Controls and Tooling

The core of Teams HIPAA compliance is your Microsoft 365 security configuration. You need MFA enforced through Entra ID Conditional Access, data loss prevention policies in Microsoft Purview to prevent PHI from being shared outside approved channels, and retention policies that meet HIPAA's six-year documentation requirement. Intune must be configured to enforce device compliance policies on every endpoint accessing Teams, including personal devices if you allow BYOD.

Documentation and Policy Development

HIPAA requires written policies covering how Teams is used, who can access PHI, and what happens when something goes wrong. You need an acceptable use policy for Teams, an incident response plan that covers Teams-specific breach scenarios, and a risk analysis that accounts for the platform as part of your broader IT environment. These documents must be updated whenever your configuration or the platform changes.

Auditor Coordination and Evidence Collection

When HHS or a third-party auditor reviews your HIPAA compliance, they will ask for evidence: audit logs, training completion records, BAA copies, risk analysis documentation, and access control records. Pulling this evidence together without a system in place is time-consuming and error-prone. A GRC platform like Drata can automate evidence collection across your Microsoft 365 environment, but someone still needs to manage it.

Staff Training and Awareness

Every person who uses Teams to communicate about patients or PHI needs HIPAA training. That training must be documented. You also need to train staff on what they cannot do in Teams, such as sharing PHI in external chats, recording calls without consent, or using personal accounts to access work channels. Security awareness platforms like KnowBe4 make this trackable and repeatable.

Ongoing Monitoring and Maintenance

Microsoft 365 updates regularly, and new Teams features can introduce new risks. You need a process to review platform changes, assess their impact on your HIPAA controls, and update your documentation accordingly. Your audit logs need to be reviewed consistently, not just when an incident occurs.

In-House vs. Managed: Approaches to HIPAA Compliance

There is no single right way to approach HIPAA compliance for Teams. The right model depends on your internal resources, timeline, and risk tolerance.

	DIY / In-House	GRC Platform Only (Drata, Vanta)	Managed Compliance Partner
Implementation	Your team builds it	Platform guides you, you do the work	Partner builds it for you
Ongoing maintenance	Your team	Your team + automation	Partner's team + automation
Auditor coordination	You manage it	Limited support	Managed end-to-end
Tech stack	You select and configure	Integrations only	Full security stack deployed
Dedicated team	Your hires ($84K-$132K+ per person)	None	Multi-role team assigned to your account
Typical timeline	12-18+ months	6-12 months	~8 months initial implementation
Starting cost	$84K-$132K+/year (one hire)	$10K-$30K/year (platform only)	~$4,800/month (full service)

The in-house path gives you full control but requires hiring people with Microsoft 365 security expertise, compliance program experience, and the bandwidth to manage both alongside your existing IT workload.

A GRC platform accelerates documentation and evidence collection but does not configure your environment or coordinate with auditors. A managed compliance partner handles the full scope, from technical configuration to policy development to ongoing monitoring.

Getting Started With HIPAA Compliance

If you are ready to move forward, here is what the process typically looks like:

Book a GAP Assessment. A compliance expert reviews your current Microsoft 365 configuration, existing policies, and BAA status against HIPAA requirements to identify where you stand and what needs to change.

Get Your Implementation Roadmap. You receive a prioritized plan covering which technical controls to configure first, what policies to write, which BAAs to obtain, and a realistic timeline for getting compliant.

Deploy Controls. Your security stack gets configured, including Entra ID, Purview, Intune, Sentinel, and audit logging. Policies are written, training is deployed, and your GRC platform is set up to track evidence.

Achieve and Maintain Compliance. Ongoing monitoring, access reviews, training tracking, and incident response support keep you compliant as your environment and the regulations evolve.

Why Choose BEMO for Microsoft Teams HIPAA Compliance

The challenges covered above, from configuring Purview correctly to managing BAAs and maintaining audit logs, require a team with deep Microsoft 365 expertise and compliance program experience working together. Most small businesses do not have that combination in-house.

BEMO is a Microsoft-centric managed compliance provider that has helped over 1,000 businesses achieve and maintain compliance since 2010. Here is what that looks like in practice:

Dedicated team assigned to your account: You get a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO working on your compliance program.
Microsoft-native security stack: BEMO configures your environment using M365, Entra ID, Purview, Sentinel, Intune, and Defender, the exact tools HIPAA technical safeguards require.
GRC automation with hands-on management: BEMO uses Drata for evidence collection and compliance tracking, with dedicated compliance engineers managing it on your behalf.
Full auditor coordination: BEMO works directly with auditors including Sensiba, A-LIGN, and Johanson Group so you are not managing that back-and-forth yourself.
BEMO is certified themselves: SOC 2 Type 2 and ISO 27001 certified, so the compliance program they build for you is the same one they operate internally.
24/7 SOC monitoring: AI reviews 100,000+ monthly logs with approximately 100 per month human-verified, giving you continuous visibility into your Teams and broader M365 environment.
Cost advantage: Starting at approximately $4,800 per month versus $84,000 to $132,000 per year for a single in-house compliance hire, before tooling and auditor fees.
Track record: 2023 Microsoft US Partner of the Year, Inc. 5000 four consecutive years, and featured by Satya Nadella at Microsoft Secure 2024 Summit.

Ready to Make Microsoft Teams HIPAA Compliant?

BEMO builds and manages your HIPAA compliance program from the ground up, including full Microsoft 365 configuration, BAA coordination, policy development, and ongoing monitoring. You focus on your business; BEMO owns the compliance outcome.

Book a meeting with BEMO to start with a GAP assessment and get a clear picture of where you stand.

Frequently Asked Questions About Microsoft Teams HIPAA Compliance Requirements

What Are the Microsoft Teams HIPAA Compliance Requirements?

Microsoft Teams HIPAA compliance requirements include signing a BAA with Microsoft, enabling MFA through Entra ID, configuring data loss prevention policies in Microsoft Purview, enabling and retaining audit logs, enforcing device compliance through Intune, and maintaining written policies covering how Teams is used with PHI. You also need ongoing staff training and a documented risk analysis that includes Teams as part of your IT environment. None of these settings are enabled by default.

Does Microsoft Sign a BAA for Teams?

Yes, Microsoft offers a BAA that covers Teams as part of the Microsoft Online Services Terms. You must actively accept this agreement before using Teams with PHI. The BAA does not automatically apply to your account, and it does not cover third-party apps integrated into Teams. Any external vendor whose app connects to your Teams environment and touches PHI also needs a separate BAA.

How Long Does It Take to Become HIPAA Compliant for Teams?

Getting your Microsoft 365 environment, including Teams, to a HIPAA-compliant state typically takes around eight months when managed by a dedicated compliance team. Doing it in-house without prior compliance infrastructure in place can take 12 to 18 months or longer. The timeline depends on your current security posture, how many policies need to be written from scratch, and how quickly your team can implement and document the required controls.

What Does a HIPAA GAP Assessment Include for Teams?

A HIPAA GAP assessment for a Teams environment reviews your current Microsoft 365 security configuration against the administrative, physical, and technical safeguard requirements of the HIPAA Security Rule. It identifies missing controls, such as disabled audit logging or absent DLP policies, and produces a prioritized remediation plan. It also checks whether you have a signed BAA with Microsoft and flags any third-party Teams integrations that may require their own BAAs. You can read more about common compliance missteps.

Can Small Businesses Realistically Achieve Teams HIPAA Compliance?

Yes, but it requires the right resources. Small businesses without a dedicated security team often struggle to configure Microsoft 365 correctly and keep up with the ongoing documentation and monitoring HIPAA requires. A managed compliance partner gives you access to a full team of specialists at a fraction of the cost of building that capability in-house.

What Happens If PHI Is Shared in Teams Without Proper Safeguards?

If PHI is shared in Teams without the required safeguards in place, you may have experienced a reportable breach under the HIPAA Breach Notification Rule. That means notifying affected individuals, reporting to HHS, and in some cases notifying the media. Civil penalties for HIPAA violations range from $100 to $50,000 per violation, with a maximum of $1.5 million per year for identical violations. Getting your Teams environment properly configured before a breach occurs is significantly less expensive than responding to one after the fact.

Why Choose a Managed Compliance Partner for Teams HIPAA Compliance?

A managed compliance partner brings Microsoft 365 security expertise, compliance program experience, and auditor relationships together in one place. Instead of hiring multiple specialists and coordinating between them, you get a single team that owns the outcome. For Teams specifically, that means your DLP policies, audit logs, Intune configurations, and BAA documentation are all built and maintained by people who do this every day, not pieced together by a generalist IT team learning as they go.

View full post