Most medical practices in the United States run on Microsoft 365. Most of them are not HIPAA-compliant out of the box.
The gap is wider than most practices realize, and the 2026 HIPAA Security Rule update raises the stakes again: the annual penalty cap now reaches $2.19 million per violation category, and the Office for Civil Rights' enforcement activity is up 31% year over year.
This guide is the configuration punch list a small or mid-size practice needs to make M365 HIPAA-compliant. It is written from the perspective of an IT partner that has set up Microsoft 365 for healthcare clients across HIPAA, SOC 2, and FedRAMP environments.
What you’ll get from this guide
| Section | What’s covered |
|---|---|
| Why M365 alone isn’t HIPAA-ready | The three things you need beyond a subscription |
| Step 1–8 | Concrete configuration steps — BAA, licensing, email, mobile, sharing, logging, Teams, backup |
| Common mistakes | Eight findings we see in nearly every HIPAA assessment |
| What this costs | Real numbers for a 25-clinician practice |
Why “we use Microsoft 365” doesn’t mean “we’re HIPAA-compliant”
There’s a common misconception that paying for a Microsoft 365 subscription puts you in compliance. It does not.
Microsoft offers HIPAA-eligible services, but the eligibility only attaches when:
- You have signed a Business Associate Agreement (BAA) with Microsoft
- You’re on a license tier that includes the BAA-eligible services you need
- You’ve configured the security controls that the BAA assumes you’ll configure
The trap: the same M365 tenant that looks compliant in a sales demo is materially non-compliant in an OCR audit if any of those three are missing. Microsoft's BAA covers the services; configuring them so PHI is actually protected remains the customer's responsibility under the Security Rule, and "the feature was available" is not a control.
Step 1 — Sign the Business Associate Agreement
Microsoft's BAA is incorporated into the Microsoft Product Terms (formerly the Online Services Terms) for the covered M365 commercial services, at no extra cost, for customers that are covered entities or business associates. There is no separate contract to negotiate, but an auditor will still expect you to prove it applies to your tenant.
To document it:
- Confirm the practice's Microsoft agreement (Enterprise Agreement, CSP, or web direct) incorporates the current Product Terms and Data Protection Addendum, and record the agreement number and tenant ID
- Download the current BAA text from the Service Trust Portal (Compliance → Service Trust Portal → My Library) and file a dated copy with the agreement
- Have a corporate officer (typically the practice owner or COO) review the list of in-scope services and sign off that the services you actually use are covered
- If a reseller, CSP, or managed IT provider has administrative access to the tenant, get a BAA with them too; Microsoft's BAA covers only Microsoft
Reality check — Most practices we onboard either don’t realize they need to sign the BAA, or signed it years ago against an old tenant or agreement number. If you can’t find evidence of a signed, current BAA in your records, treat your practice as non-compliant until you fix that.
Step 2 — Choose the right license tier
The two practical choices for HIPAA-compliant Microsoft 365 in 2026:
| Plan | Price (per user/month) | Use this when… | Don’t use this when… |
|---|---|---|---|
| Business Premium | ~$22 | Fewer than 300 users (the plan's hard cap), no active OCR investigation, no advanced eDiscovery needs | You need audit log retention beyond 180 days, advanced threat hunting, or information barriers |
| M365 E5 | ~$57 | Large or multi-location practices, active regulator engagement, advanced eDiscovery, Audit (Premium) retention of a year or more | You're a small office and budget matters |
| Apps for Business / Standard / Basic | varies | Not for PHI workloads: no Intune, no Defender for Office 365, no Purview DLP, so every control in this guide would have to be bought separately | Any tenant that handles PHI |
Cost-saver tip: Business Premium already includes Defender for Office 365 Plan 1. Adding the Plan 2 add-on (Threat Explorer, automated investigation and response, attack simulation training) on top of Business Premium works well for practices in the 50–150 user range and saves substantial cost versus full E5. We model this trade-off for every healthcare client during onboarding.
Step 3 — Lock down email security and encryption
Email is the single most common HIPAA breach vector for small practices. Phishing, accidental external sends, and auto-forwarding to personal addresses are the patterns behind most of the email-related breaches we see in assessments and incident response.
Defender for Office 365 anti-phishing policy
- ✅ Enable mailbox intelligence and impersonation protection on every mailbox
- ✅ Set the impersonation domain list to include your practice’s domain and any partner organizations (referrals, labs, EHR vendor domains)
- ✅ Set the user impersonation list to include your top five executives and any clinicians whose names appear on outbound communications
Safe Attachments and Safe Links
- ✅ Enable for every supported workload (Email, OneDrive, SharePoint, Teams)
- ✅ Use Dynamic Delivery for attachments; this lets users read the message body while attachments are still being scanned (it applies to cloud mailboxes only)
- ✅ Add a custom block list for known-bad domains, including any flagged by prior incident-response work
Data Loss Prevention (DLP) for HIPAA
- ✅ Use the built-in U.S. Health Insurance Act (HIPAA) Enhanced template as a starting point
- ✅ Run the policy in test mode for two weeks, review false positives, then move to enforce mode
- ✅ Configure user notifications so end users see why a send was blocked — DLP doubles as user education
Mail flow encryption
- ✅ Confirm Microsoft Purview Message Encryption is active tenant-wide (it is on by default where Azure Rights Management is enabled; check the IRM configuration in Exchange Online rather than assuming)
- ✅ Add a transport rule that automatically encrypts outbound messages containing detected PHI patterns
- ✅ Set rules to require encryption for messages destined to specific external organizations (your billing service, malpractice insurer, etc.)
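The Step 3 checklist as an Exchange Online / Security & Compliance PowerShell script. This is an added example, not configuration from the article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module, an account holding the Security Administrator role, and placeholder values (contoso-clinic.com, the partner and billing domains, the protected users, the secops mailbox, the known-bad URLs) that you replace with your own. The portal's HIPAA Enhanced DLP template is not exposed as a cmdlet, so the DLP rule below is built from three of the sensitive information types that template relies on.

```powershell
# Added example (not the article's own): Step 3 controls via ExchangeOnlineManagement.
# All names, domains and addresses below are placeholders; run in a test tenant first.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso-clinic.com'

$practiceDomain = 'contoso-clinic.com'
$partnerDomains = @('referral-lab.example', 'ehr-vendor.example')
$protectedUsers = @('Jane Doe;jdoe@contoso-clinic.com',          # format: "DisplayName;address"
                    'Sam Lee;slee@contoso-clinic.com')
$knownBadUrls   = @('phish-kit.example', 'stolen-portal.example') # from prior IR work
$secops         = 'secops@contoso-clinic.com'

# --- Anti-phishing: mailbox intelligence plus domain and user impersonation protection.
# EnableOrganizationDomainsProtection covers every accepted domain in the tenant, so only
# partner domains need listing explicitly.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $partnerDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -PhishThresholdLevel 3

# --- Safe Attachments (Dynamic Delivery) and Safe Links across Email, SharePoint, OneDrive, Teams
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
New-SafeAttachmentPolicy -Name 'HIPAA Safe Attachments' -Enable $true -Action DynamicDelivery
New-SafeAttachmentRule -Name 'HIPAA Safe Attachments' -SafeAttachmentPolicy 'HIPAA Safe Attachments' `
    -RecipientDomainIs $practiceDomain
New-SafeLinksPolicy -Name 'HIPAA Safe Links' -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true -EnableForInternalSenders $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'HIPAA Safe Links' -SafeLinksPolicy 'HIPAA Safe Links' `
    -RecipientDomainIs $practiceDomain

# --- Custom block list: Tenant Allow/Block List URL entries that never expire
New-TenantAllowBlockListItems -ListType Url -Block -Entries $knownBadUrls -NoExpiration

# --- Mail flow encryption: make sure Purview Message Encryption is active, then encrypt
# outbound mail that matches PHI patterns, and everything to the billing partner.
if (-not (Get-IRMConfiguration).AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
$phiTypes = @(@{ Name = 'U.S. Social Security Number (SSN)' },
              @{ Name = 'Drug Enforcement Agency (DEA) Number' },
              @{ Name = 'International Classification of Diseases (ICD-10-CM)' })
New-TransportRule -Name 'Encrypt outbound PHI' -SentToScope NotInOrganization `
    -MessageContainsDataClassifications $phiTypes -ApplyRightsProtectionTemplate 'Encrypt'
New-TransportRule -Name 'Encrypt to billing partner' -RecipientDomainIs 'billing-partner.example' `
    -ApplyRightsProtectionTemplate 'Encrypt'

# --- DLP lives behind the Security & Compliance endpoint. Start in test mode with policy
# tips so users learn from it; switch to Enable after reviewing two weeks of matches.
Connect-IPPSSession -UserPrincipalName 'admin@contoso-clinic.com'
New-DlpCompliancePolicy -Name 'HIPAA PHI' -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All
New-DlpComplianceRule -Name 'HIPAA PHI - block external' -Policy 'HIPAA PHI' `
    -ContentContainsSensitiveInformation $phiTypes -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item appears to contain PHI and cannot leave the practice unencrypted. Contact the privacy officer if you need to send it.' `
    -GenerateIncidentReport $secops -ReportSeverityLevel High
# After the review period:
# Set-DlpCompliancePolicy -Identity 'HIPAA PHI' -Mode Enable
```

Two things worth noting about the design: the same `$phiTypes` list drives both the transport rule and the DLP rule, so the two controls cannot drift apart, and the transport rule encrypts rather than blocks, which is why the DLP rule can block external sends outright without stopping legitimate encrypted mail to the billing partner.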
Step 4 — Mobile device management with Intune
Most clinicians read email on phones. If you don’t manage those phones, you don’t control your PHI.
| Control | Setting |
|---|---|
| Enrollment | Required for any device that accesses corporate email |
| Minimum OS | iOS 17+ / Android 13+ (as of this writing) |
| Encryption | Required (default on modern phones) |
| PIN / biometric | 6-character minimum, auto-wipe after 10 failed attempts |
| Jailbreak / root | Block |
| BYOD | App Protection Policies — keep practice data inside Outlook, OneDrive, Teams app containers |
| Copy-paste | Block from corporate apps to personal apps |
The biggest mistake practices make: allowing email on unmanaged devices and trusting “we’ll just tell people not to forward.” OCR auditors do not accept verbal policy as a control.
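The Step 4 table expressed as Intune compliance policies, an app protection policy, and the Conditional Access policy that actually enforces them, all created through Microsoft Graph from PowerShell. This is an added example, not configuration from the article or from Microsoft's documentation. It assumes the Microsoft.Graph.Authentication module, an admin consented to the three scopes listed, Intune already licensed in the tenant, and a placeholder object ID for the emergency-access account that you must replace. Conditional Access is the piece most practices miss: Intune alone only reports that a phone is non-compliant; the sign-in is blocked only when a Conditional Access policy requires a compliant device or a protected app.

```powershell
# Added example (not the article's own): Step 4 controls via Microsoft Graph.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementApps.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess'
$graph      = 'https://graph.microsoft.com/v1.0'
$breakGlass = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: emergency-access account object ID

function New-GraphObject([string]$Path, [hashtable]$Body) {
    # POST a hashtable as JSON. -Depth matters because of the nested arrays below.
    Invoke-MgGraphRequest -Method POST -Uri "$graph/$Path" -ContentType 'application/json' `
        -Body ($Body | ConvertTo-Json -Depth 10)
}

# Graph rejects a compliance policy that has no scheduled action; this one marks
# failing devices non-compliant immediately (no grace period).
$markNoncompliant = @(@{
    ruleName = 'PasswordRequired'
    scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0
                                         notificationTemplateId = ''; notificationMessageCCList = @() })
})

# iOS: minimum OS, 6+ character non-simple passcode, jailbreak block, lock after 5 idle minutes
$ios = New-GraphObject 'deviceManagement/deviceCompliancePolicies' @{
    '@odata.type'                         = '#microsoft.graph.iosCompliancePolicy'
    displayName                           = 'HIPAA iOS baseline'
    osMinimumVersion                      = '17.0'
    passcodeRequired                      = $true
    passcodeMinimumLength                 = 6
    passcodeBlockSimple                   = $true
    passcodeMinutesOfInactivityBeforeLock = 5
    securityBlockJailbrokenDevices        = $true
    scheduledActionsForRule               = $markNoncompliant
}

# Android work profile (BYOD): same bar, plus storage encryption and root detection
$android = New-GraphObject 'deviceManagement/deviceCompliancePolicies' @{
    '@odata.type'                  = '#microsoft.graph.androidWorkProfileCompliancePolicy'
    displayName                    = 'HIPAA Android baseline'
    osMinimumVersion               = '13'
    passwordRequired               = $true
    passwordMinimumLength          = 6
    passwordRequiredType           = 'numericComplex'
    storageRequireEncryption       = $true
    securityBlockJailbrokenDevices = $true
    scheduledActionsForRule        = $markNoncompliant
}

# App protection: PHI stays inside Outlook/OneDrive/Teams, no paste or save-as to personal
# apps, 6-digit app PIN with 10 retries, wipe app data after 30 days offline.
$app = New-GraphObject 'deviceAppManagement/iosManagedAppProtections' @{
    displayName                             = 'HIPAA iOS app protection'
    pinRequired                             = $true
    minimumPinLength                        = 6
    maximumPinRetries                       = 10
    allowedOutboundClipboardSharingLevel    = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    deviceComplianceRequired                = $true
    periodOfflineBeforeWipeIsEnforced       = 'P30D'
}
$targets = @()
foreach ($bundle in 'com.microsoft.Office.Outlook', 'com.microsoft.skydrive', 'com.microsoft.skype.teams') {
    $targets += @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                                            bundleId = $bundle } }
}
New-GraphObject "deviceAppManagement/iosManagedAppProtections/$($app.id)/targetApps" @{ apps = $targets }

# Conditional Access: phones reach Office 365 only when compliant OR inside a protected app.
# Created in report-only mode; flip state to 'enabled' after checking the sign-in logs.
$ca = New-GraphObject 'identity/conditionalAccess/policies' @{
    displayName   = 'HIPAA - mobile requires compliant device or app protection'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'compliantApplication') }
}
"Created: $($ios.displayName); $($android.displayName); $($app.displayName); $($ca.displayName)"
```

The two compliance policies still have to be assigned to a group before devices are evaluated against them, and the Android equivalent of the app protection policy is created the same way against `deviceAppManagement/androidManagedAppProtections`. The 10-failed-attempts wipe in the table applies at two layers: `maximumPinRetries` above wipes the app data, and a device restriction profile (not shown) does the same for the whole phone.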
Step 5 — SharePoint and OneDrive sharing controls
By default, most SharePoint and OneDrive tenants let users share files with anyone, including external email addresses, using "Anyone" links that need no sign-in. For PHI, you have to dial this in.
Tenant-level:
- Set tenant-wide sharing to "Existing guests only" or "Only people in your organization"
- Disable "Anyone" (anonymous) links across the tenant; anonymous links already in circulation stop working once the setting changes, which is the point
- Set guest access to expire after 30 days unless renewed, and default new links to "People in your organization" with view-only permission
- Block guests from re-sharing
Per-site:
- For any site that touches PHI (patient records, billing): set to “Only people in your organization”
- Run a one-time audit of every existing share link in your tenant
What we’ve found: Practices with 3-year-old guest access to old patient lists nobody remembers granting. This is one of the easiest OCR findings to avoid and one of the most common we see during assessments.
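The Step 5 settings plus the guest inventory that turns "run a one-time audit" into something repeatable, as SharePoint Online PowerShell. This is an added example, not from the article or from Microsoft's documentation. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint Administrator, and placeholder tenant and site names (contoso-clinic, PatientRecords, Billing).

```powershell
# Added example (not the article's own): Step 5 sharing controls and a guest inventory.
# Tenant and site URLs are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-clinic-admin.sharepoint.com'

# Tenant level: existing guests only (this turns off "Anyone" links, and any anonymous
# links already issued stop resolving), internal view-only default links, no guest
# re-sharing, and guest access that expires after 30 days unless an owner renews it.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -PreventExternalUsersFromResharing $true `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30

# Per-site: PHI sites allow no external sharing at all, and only owners may share inside
$phiSites = @('https://contoso-clinic.sharepoint.com/sites/PatientRecords',
              'https://contoso-clinic.sharepoint.com/sites/Billing')
foreach ($url in $phiSites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled -DisableSharingForNonOwners
}

function Get-SharingExposure {
    # Sites that still permit any external sharing, for the review meeting
    $openSites = Get-SPOSite -Limit All |
        Where-Object { $_.SharingCapability -ne 'Disabled' } |
        Select-Object Url, SharingCapability, LastContentModifiedDate

    # Every guest account in the tenant, paged 50 at a time (the cmdlet's maximum)
    $guests = @(); $pos = 0
    do {
        $page = @(Get-SPOExternalUser -PageSize 50 -Position $pos)
        $guests += $page
        $pos    += $page.Count
    } while ($page.Count -eq 50)

    [pscustomobject]@{
        OpenSites   = $openSites
        Guests      = $guests
        # Guests invited more than a year ago are the "3-year-old patient list" finding
        StaleGuests = $guests | Where-Object { $_.WhenCreated -lt (Get-Date).AddYears(-1) }
    }
}

$report = Get-SharingExposure
$report.OpenSites   | Format-Table -AutoSize
$report.StaleGuests | Format-Table DisplayName, Email, WhenCreated, InvitedBy, AcceptedAs -AutoSize
# Once the practice has confirmed nobody can vouch for them:
# Remove-SPOExternalUser -UniqueIDs @($report.StaleGuests.UniqueId)
```

The SPO cmdlets do not enumerate individual sharing links. For those, run the site-level sharing report from each PHI site's usage page, or search the unified audit log for SharingSet, SharingInvitationCreated and AnonymousLinkCreated operations over whatever window your audit retention still covers.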
🛑 Mid-guide reality check
If you’ve read this far and your practice doesn’t yet have a current BAA, the right license tier, and DLP configured — you are operating at material HIPAA risk every day. The remaining steps are important, but those three are blocking. Schedule a free 30-minute HIPAA review →
Step 6 — Audit logging and retention
The HIPAA Security Rule requires audit controls. The 2026 update tightens the language around what counts as adequate logging.
- ✅ Enable unified audit logging at the tenant level (on by default in tenants created since 2019, but verify; it is still off in some older tenants and can be switched off by an admin)
- ✅ Know your retention: Audit (Standard), which is what E3 and Business Premium include, keeps records for 180 days and cannot be extended. Retention policies of 1 year or more need Audit (Premium), which comes with E5 or the E5 Compliance add-on
- ✅ On E5, configure 1-year retention policies for the record types you care about, and 10-year retention with the 10-Year Audit Log Retention add-on (the practical reason E5 wins for highly regulated practices)
- ✅ Confirm mailbox auditing is on by default for all mailboxes (it has been default-on since 2019) and that no accounts have an audit bypass association; owner, delegate, and admin actions are all logged
- ✅ Set up alert policies and scheduled audit log searches for suspicious patterns: bulk file downloads, large mailbox exports, role escalations, sharing policy changes, and inbox rules that forward mail outside the practice
If your practice ever has a breach event or an OCR investigation, the audit logs are the evidence your IT partner will be asked to produce. If you don’t have them, you don’t have a defense.
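The Step 6 verification steps, followed by a small detector that runs over the unified audit log and reports inbox rules or mailbox settings that forward mail to domains outside the practice (the "forwarding to personal addresses" pattern from Step 3). This is an added example, not from the article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module, an account with the Audit Logs role (and Compliance Administrator for the retention and alert sections), placeholder domains and addresses, and that audit records exist for the window searched; with Audit (Standard) that is at most 180 days.

```powershell
# Added example (not the article's own): Step 6 checks plus an external-forwarding detector.
# Domains and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso-clinic.com'

# 1. Unified audit log on; mailbox auditing on by default with nobody bypassing it
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
Set-OrganizationConfig -AuditDisabled $false
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Format-Table Name, AuditBypassEnabled          # should print nothing; every row is a finding

# 2. Retention beyond 180 days and alert policies live behind the Security & Compliance endpoint.
Connect-IPPSSession -UserPrincipalName 'admin@contoso-clinic.com'
# Requires Audit (Premium) licensing; TenYears additionally needs the 10-year add-on.
New-UnifiedAuditLogRetentionPolicy -Name 'HIPAA one year' -Priority 1 `
    -RecordTypes ExchangeItem, SharePointFileOperation, AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths
# 3. Alert when one user downloads 100 files within an hour
New-ProtectionAlert -Name 'Bulk file download' -Category DataGovernance -ThreatType Activity `
    -Operation FileDownloaded -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -Severity High -NotifyUser 'secops@contoso-clinic.com'

# 4. Detection: admin cmdlets that set a forward or redirect to an external domain.
#    Exchange admin audit records carry the cmdlet parameters as Name/Value pairs in AuditData.
function Find-ExternalForwarding {
    param(
        [Parameter(Mandatory)] [string[]] $InternalDomains,
        [datetime] $Since = (Get-Date).AddDays(-30)
    )
    $forwardParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
                     'ForwardingSmtpAddress', 'ForwardingAddress'
    $records = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
        -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' `
        -ResultSize 5000 -SessionCommand ReturnLargeSet
    foreach ($rec in $records) {
        $data = $rec.AuditData | ConvertFrom-Json
        foreach ($p in @($data.Parameters)) {
            if ($p.Name -notin $forwardParams) { continue }
            # Values look like "[SMTP:someone@gmail.com]" or "smtp:someone@gmail.com"; split on ';'
            foreach ($raw in ("$($p.Value)" -split ';')) {
                $addr = ($raw -replace '^\[?(smtp|SMTP):', '').Trim('[', ']', ' ')
                if ($addr -notlike '*@*') { continue }
                $domain = $addr.Split('@')[-1].ToLowerInvariant()
                if ($domain -notin $InternalDomains) {
                    [pscustomobject]@{
                        When    = $rec.CreationDate
                        Actor   = $rec.UserIds
                        Op      = $rec.Operations
                        Mailbox = $data.ObjectId
                        Target  = $addr
                    }
                }
            }
        }
    }
}

Find-ExternalForwarding -InternalDomains 'contoso-clinic.com' |
    Sort-Object When -Descending | Format-Table -AutoSize
```

Run the detector on a schedule rather than once: a forwarding rule is the most common thing an attacker leaves behind after a phished mailbox, and it survives a password reset. Rules created from Outlook on the web or the desktop client are logged under the mailbox-audit operation UpdateInboxRules with a different AuditData layout, so a production version would parse that record type as well.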
Step 7 — Teams compliance
Clinical conversations now happen in Teams. The defaults need adjustment.
| Setting | Recommendation |
|---|---|
| External messaging | Disable federation with other tenants and with Teams consumer/Skype users unless your practice specifically needs it |
| Information barriers | Configure segments so groups that shouldn't share PHI (e.g., front-office staff vs clinical staff) cannot chat or call each other; this needs E5 or the E5 Compliance add-on, not Business Premium |
| Meeting recording | Turn cloud recording off in the global meeting policy; grant a separate opt-in policy only to the users with a documented need to record |
| Transcription | Off for clinical meetings unless storage and retention implications have been assessed |
| Chat retention | 6 years, matching the Security Rule's documentation retention period (without a retention policy, Teams keeps messages indefinitely) |
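The Step 7 table as Teams and Security & Compliance PowerShell. This is an added example, not from the article or from Microsoft's documentation. It assumes the MicrosoftTeams and ExchangeOnlineManagement modules, a Teams Administrator plus a Compliance Administrator, placeholder users and department names, and that user objects carry a Department attribute the information-barrier segments can key on.

```powershell
# Added example (not the article's own): Step 7 Teams settings. Users and departments are placeholders.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# External messaging off: no federation with other tenants, no Teams consumer or Skype users
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowPublicUsers $false

# Recording and transcription off for everyone by default...
Set-CsTeamsMeetingPolicy -Identity Global -AllowCloudRecording $false -AllowTranscription $false
# ...and an opt-in policy assigned only to people with a documented need to record
New-CsTeamsMeetingPolicy -Identity 'HIPAA-RecordingOptIn' -AllowCloudRecording $true -AllowTranscription $false
Grant-CsTeamsMeetingPolicy -Identity 'jdoe@contoso-clinic.com' -PolicyName 'HIPAA-RecordingOptIn'

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso-clinic.com'

# Chat retention: keep chats and channel messages for 6 years (2190 days), then delete.
# Without a policy, Teams retains messages indefinitely.
New-RetentionCompliancePolicy -Name 'HIPAA Teams 6y' -TeamsChatLocation All -TeamsChannelLocation All -Enabled $true
New-RetentionComplianceRule -Name 'HIPAA Teams 6y rule' -Policy 'HIPAA Teams 6y' `
    -RetentionDuration 2190 -RetentionComplianceAction KeepAndDelete

# Information barriers (E5 / E5 Compliance only): front-office and clinical staff cannot
# message or call each other. Segments are defined by user attributes; policies are
# one-directional, so a blocked pair needs one policy per side before activation.
New-OrganizationSegment -Name 'FrontOffice' -UserGroupFilter "Department -eq 'Front Office'"
New-OrganizationSegment -Name 'Clinical'    -UserGroupFilter "Department -eq 'Clinical'"
New-InformationBarrierPolicy -Name 'FrontOffice-blocks-Clinical' -AssignedSegment 'FrontOffice' `
    -SegmentsBlocked 'Clinical' -State Active
New-InformationBarrierPolicy -Name 'Clinical-blocks-FrontOffice' -AssignedSegment 'Clinical' `
    -SegmentsBlocked 'FrontOffice' -State Active
Start-InformationBarrierPoliciesApplication
```

Check `Get-CsTeamsMeetingPolicy -Identity Global` and `Get-InformationBarrierPoliciesApplicationStatus` afterwards; information-barrier application runs in the background and can take hours to finish in a tenant with many users.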
Step 8 — Backup and retention
Microsoft 365’s native data retention is not a backup. Microsoft preserves some data per your retention policies, but if a user deletes a critical email or ransomware encrypts a SharePoint site, native M365 alone won’t get you back to a clean state.
For a HIPAA practice we recommend:
- ✅ A third-party Microsoft 365 backup (Veeam Data Cloud, Datto SaaS Protection, AvePoint Cloud Backup)
- ✅ Daily backup of mailboxes, OneDrive, SharePoint, and Teams
- ✅ Retention of at least 6 years for mailboxes with point-in-time restore
- ✅ Backup encryption at rest with customer-controlled keys
- ✅ Quarterly restore tests — yes, actually run them
The 8 mistakes we see in nearly every HIPAA assessment
- ❌ No signed BAA, or one signed against an old tenant
- ❌ Wrong license tier — Business Standard pretending to be HIPAA-compliant
- ❌ Audit logging off
- ❌ External sharing wide open, including anonymous links
- ❌ Personal phones reading email with no Intune enrollment
- ❌ No DLP policy, or DLP stuck in “test” mode for two years
- ❌ No third-party backup, on the assumption Microsoft handles it
- ❌ Admin accounts without MFA (rare now, but still happens)
Each is a finding in any structured HIPAA assessment. Each is also fixable in days, not months, with the right partner.
What this costs
A reasonable budget for getting a 25-clinician practice onto a fully configured, HIPAA-compliant Microsoft 365 stack:
| Line item | Cost |
|---|---|
| M365 Business Premium (25 × $22) | $550/mo ($6,600/yr) |
| Defender for Office 365 Plan 2 add-on (25 × $5 list; Plan 1 is already in Business Premium) | $125/mo |
| Third-party M365 backup (25 × ~$4) | $100/mo |
| Initial setup & configuration project (one-time) | $5,000 – $12,000 |
| Ongoing managed services (patching, monitoring, IR, quarterly reviews) | $150 – $250 per user/month all-in |
If those numbers are a stretch, the answer isn’t to skip the controls. It’s to scope the practice’s IT spend more carefully. Practices that operate without these controls usually pay more in breach response, OCR penalties, and lost patient trust than the controls would have cost.
Where to start if you’re behind
If you read this list and realized your practice is non-compliant on five of these eight areas, you’re not unusual. You also don’t need to fix everything in a week.
The right first step is a structured HIPAA IT assessment that documents:
- Where you stand today
- Your highest-risk gaps (top 3–5)
- A 60-day remediation plan with realistic effort estimates
ACS offers a free initial HIPAA IT assessment for medical practices. We map your current Microsoft 365 configuration against the 2026 HIPAA Security Rule, identify the top three to five risks, and give you a prioritized remediation roadmap. No sales pressure, no contract required.
Request your free assessment →
Or call 1-650-300-7557.
About the author
Atlantic Computer Systems is a national managed IT and cybersecurity provider with deep specialization in HIPAA-regulated practices. We’ve configured and managed Microsoft 365 environments for medical, legal, and financial-services clients since 2016. Our healthcare practice spans HIPAA, HITECH, and the 2026 Security Rule update.
Related reading
- HIPAA IT Compliance Guide for Medical Practices
- HIPAA Compliance Checklist for Small Medical Practices
- 2026 HIPAA Security Rule Changes & Compliance Deadline
This article reflects current Microsoft licensing and HIPAA Security Rule guidance as of the publication date. Microsoft licensing terms and feature availability can change; verify the current state of any control before relying on it for a compliance audit.