BLOG POST:

Is Microsoft 365 HIPAA Compliant? Guide for Therapists

June 17, 2025

If you’re running a private practice, you may consider using Microsoft 365 for client emails, scheduling appointments, and other tasks. But is Microsoft 365 HIPAA compliant? Can you use it in your practice as a mental health professional, a physical therapist, or a private practice owner?

The short answer is that Microsoft 365 can be HIPAA compliant for your practice. However, it doesn’t support HIPAA compliance automatically. You’ll need to configure it properly first to protect sensitive patient information.

Disclaimer: This article is for informational purposes only. I am not an attorney, and I am not providing legal advice. Each practice is different, and HIPAA compliance extends far beyond just Microsoft 365. Reach out to an attorney in your area to fully educate yourself on what you need to do to ensure that your practice is fully HIPAA-compliant. 

What Is HIPAA Compliance?

HIPAA compliance means safeguarding your clients’ protected health information (PHI) whenever you collect, store, share, or transmit it digitally. For therapists running their private practice, this may include more than you expect.

You typically need HIPAA-compliant systems when you’re:

  • Sending emails about client appointments or treatment plans
  • Storing client notes and session records
  • Sharing documents with other healthcare providers
  • Video calling with clients for telehealth sessions
  • Scheduling appointments online
  • Backing up client files to cloud storage
  • Collaborating with colleagues on treatment approaches
  • Including a contact form on your therapist website

Even seemingly innocent information like “Sarah canceled her Tuesday appointment” contains protected health information because it reveals that Sarah is your client.

Microsoft 365 includes tools that many therapists use daily, such as Outlook for email, OneDrive for file storage, Teams for video calls, and Microsoft Forms for contact forms or questionnaires. 

When configured correctly, these can all protect your clients’ sensitive information.

Is Microsoft 365 HIPAA Compliant for Therapists?

Microsoft 365 isn’t HIPAA compliant straight out of the box, but it can be with the right setup and agreement in place.

Microsoft offers a Business Associate Agreement (BAA) to help support your HIPAA compliance efforts. However, simply using Microsoft services doesn’t automatically make your practice HIPAA compliant.

You’re still responsible for implementing proper compliance procedures within your practice and making sure that how you use Microsoft 365 aligns with HIPAA and HITECH Act requirements.

How to Make Microsoft 365 HIPAA Compliant

Making Microsoft 365 comply with your HIPAA obligations requires a few different important steps. Here’s what you need to do.

(That said, keep in mind that these are not “blanket” steps, and your specific requirements will depend on how you run your private practice.)

1. Choose the Right Microsoft 365 Plan

Not all Microsoft 365 subscriptions support HIPAA compliance. You’ll need one of Microsoft’s business plans, such as Microsoft 365 Business Basic, Standard, or Premium. Your personal Microsoft 365 account won’t have all of the necessary compliance features.

2. Sign Microsoft’s Business Associate Agreement (BAA)

Once you have the right subscription, you’ll need to sign a Business Associate Agreement (BAA) with Microsoft. This legally requires Microsoft to protect your clients’ health information according to HIPAA standards.

The BAA is available automatically to qualifying customers, but you need to formally accept it through your admin center. Without this HIPAA Business Associate Agreement, Microsoft 365 can’t be considered compliant for your practice.

3. Configure Your Security Settings

Log in to your Microsoft 365 admin center and navigate to the Compliance Center. You’ll need to set up:

  • Data loss prevention policies to prevent the accidental sharing of client information
  • Retention policies to control how long client data is stored
  • Multi-factor authentication for everyone who accesses your Microsoft 365 account
  • Email encryption to protect client communications

Make sure that unauthorized individuals can’t access individually identifiable health information and other sensitive data. 

You can review Microsoft’s HIPAA implementation document for more guidance or consult with their support team/your attorney. 

4. Handle Your Email Encryption

Microsoft 365’s default email encryption can cause problems when sending to clients or colleagues who don’t use Microsoft email. Recipients might not be able to open your encrypted messages easily.

Many therapists solve this by routing their Microsoft 365 email through a third-party HIPAA-compliant email service that handles encryption more smoothly across different email providers.

However, it’s important to remember that email subject lines, file names, and message headers are NOT encrypted.

This means you can’t include any client information in these areas. Here’s what this looks like in practice:

  • Wrong way: “New Website Inquiry from Sarah Johnson”
  • Right way: “New Website Inquiry”

This might seem like a small detail, but it’s very important for HIPAA compliance.

5. Train Your Team

If you have staff members, everyone needs to understand how to handle client information properly. Cover topics like:

  • How to securely share client files
  • What information should never be put in regular emails
  • How to report potential security incidents
  • Why these security measures matter for your clients

Don’t assume that your VA or other team members will know how to ensure compliance, and explicitly discuss it with them. 

6. Work with a HIPAA Compliance Attorney

Consider consulting with an attorney who specializes in HIPAA compliance to make sure that your entire practice meets the requirements. 

If you’re confused about Microsoft 365 specifically, you can also contact your Microsoft services representative or reach out to support.

Are Microsoft Forms HIPAA Compliant?

Microsoft Forms can be HIPAA compliant when set up correctly. They’re considered an “in-scope service” under Microsoft’s Business Associate Agreement, which means that it’s covered by their HIPAA compliance protections.

As a brand and website designer who regularly works with therapists and private practice owners, I’ve created HIPAA-compliant contact forms using Microsoft Forms for some of my clients. 

For example, I recently worked with Rise Neuro Rehab, a physical therapy practice.

Example of a HIPAA compliant Microsoft Form.

Here’s exactly what we did to create the contact form above: 

Step 1: HIPAA Setup

First, the practice reviewed Microsoft’s HIPAA compliance documentation and made sure that their Microsoft 365 subscription included the Business Associate Agreement. If you’re not sure how to do this, you can reach out to Microsoft support.

Step 2: Create the Form

I set up the client’s Microsoft Form with the essential contact fields they needed. The key settings were:

  • Anyone can respond to the form (so potential clients can reach out)
  • Only people within their organization can view responses or edit the form
  • Form editing stays restricted to their team

In other words, you need to make sure that anyone can respond to the form, but not anyone can view the form submissions or edit the form. 

Keep the form editing capabilities within your organization.

Step 3: Email Notifications

Using Power Automate (included with Microsoft 365), I created an automated flow called “Email Notifications.” 

This flow means that there will be automatic email notifications from your contact form going straight to your email, and data will stay within the Microsoft 365 environment. 

Remember, no names (or PHI of any kind) in email subject lines!

Step 4: Website Integration

I embedded the form directly on the client’s contact page using the embed code from Microsoft Forms. You might need to play around with it a bit and preview it a few times to make sure that the contact form is centered on the page!

Learn about the different elements of a HIPAA-compliant website.

Step 5: Testing

I tested the entire system to make sure that the form submissions triggered email notifications and everything worked smoothly.

Can You Use CSS Code to Change How Microsoft 365 Contact Forms Look?

Not really. Unlike with Google Forms, Microsoft doesn’t grant the user the access that they need in order to incorporate CSS code and change the look of the form. However, you CAN still make them match your branding using basic tweaks like changing the fonts and colors. 

So this is something important to consider if the look of the contact form is very important to you! Here are more examples of HIPAA-compliant contact forms that I created for my clients:

The Vibrant Tapestry contact form.
Sage and Bloom Wellness as an example of a HIPAA compliant contact form.

Keep in mind that I was able to customize these a bit more because they’re Google Forms, not Microsoft Forms. Both are valid options for HIPAA. 

👋 If you need a HIPAA-compliant contact form, get in touch, and I can help you set it up!

FAQs

Do I Need a HIPAA Compliant Website Builder?

There’s no such thing as an inherently HIPAA-compliant website builder because HIPAA compliance depends on how you use your website, as well as proper configuration of tools, security measures, and what data you collect, not the platform itself. Virtually any website builder can potentially be used in a HIPAA-compliant way if you configure it properly and avoid collecting protected health information through non-compliant methods.

That said, I recommend Showit as the best website builder for therapists and private practice owners. It has the most creative freedom and flexibility, and it makes it easy to embed HIPAA-compliant contact forms (whether Microsoft Forms or Google Forms).

Can Office 365 Be HIPAA-Compliant?

Yes, Microsoft Office 365 (now called Microsoft 365) can be HIPAA compliant when you properly configure it. You’ll need to sign a Business Associate Agreement (BAA), set the right security settings, and train your team on HIPAA best practices. HIPAA compliance isn’t automatic, though. It’s something you need to intentionally set up and manage.

Does Microsoft 365 Include Encrypted Email?

Yes, Microsoft 365 includes email encryption, although this can create extra steps for the recipient in order to read the email. Also, email subject lines, file names, and message headers are NOT encrypted, which is why you can’t include any protected health information in these areas. In other words, don’t use subject lines like “New Website Inquiry from John Smith.” Just say “New Website Inquiry.”

So, Is Microsoft 365 HIPAA Compliant?

Yes, many private practices use Microsoft 365 in HIPAA-compliant ways. However, it requires the right setup and ongoing attention to security practices. You’ll need to sign the Business Associate Agreement (BAA) and make sure that you’re not mishandling sensitive patient information.

At Rose Benedict Design, I work with therapists and private practice owners on branding and website design, including creating HIPAA-compliant contact forms. Get in touch or learn more about my therapist design services!

About the Author:

Rose Benedict

Owner and Designer, Rose Benedict Design

Rose Benedict is a brand and website designer for therapists, creatives, artists, and service providers. Rose is also a Showit Design Partner and the owner/designer at Rose Benedict Design. She has been a designer for the past 10 years and has worked at a Fortune 15 company and top university in Columbus, Ohio. She brings both her brand/website design and technical experience to small business owners so that they can thrive and deeply connect with their ideal clients. Outside of work, Rose loves reading, pilates, gardening, and traveling (10 countries and counting!).