Azure HIPAA Compliance
Complete Implementation Guide
Build HIPAA-compliant healthcare applications on Microsoft Azure. Learn about BAA coverage, eligible services, backup strategies, and implementation best practices.
Microsoft's HIPAA BAA is built into the Microsoft Product Terms for qualifying agreements — most Azure services are in scope for HIPAA.
45 CFR Part 164 · HHS OCR · BAA via Microsoft Product Terms · Last reviewed June 2026
Direct Answer
You can run HIPAA-regulated PHI on Microsoft Azure under the HIPAA Business Associate Agreement (BAA) that ships inside the Microsoft Product Terms, with most Azure services in scope. Under the shared responsibility model Microsoft secures the infrastructure, while you remain responsible for encryption, identity and access, audit logging, and your application — so coverage alone does not make you compliant.
Microsoft Product Terms
Azure BAA Coverage
Microsoft's BAA is included in the Microsoft Product Terms (formerly the Online Services Terms), and most Azure services are HIPAA-eligible. The steps to establish and maintain coverage:
1. Review the Microsoft Product Terms: the BAA is included in the Product Terms (formerly Online Services Terms), so read the HIPAA BAA section that applies to your agreement.
2. Sign a qualifying agreement: BAA coverage requires an Enterprise Agreement (EA), Cloud Solution Provider (CSP), or Microsoft Online Subscription Program (MOSP) agreement.
3. Enable HIPAA-eligible services: confirm that each service is HIPAA-eligible before placing PHI on it.
4. Configure compliance: use Azure Policy to enforce and report on HIPAA controls across subscriptions.
5. Document coverage: maintain records of which agreement and BAA terms cover your tenant.
6. Review regularly: review compliance status quarterly.
BAA Coverage
Azure HIPAA-Eligible Services
Most Azure services are HIPAA-eligible. Here are the most commonly used for healthcare applications:
| Category | Service | What it provides |
|---|---|---|
| Healthcare | Azure Health Data Services | FHIR, DICOM, and MedTech services for healthcare data |
| Storage | Azure Blob Storage | Object storage with encryption and immutability |
| Database | Azure SQL Database | Managed SQL with TDE and Always Encrypted |
| Compute | Azure Virtual Machines | Windows and Linux VMs with disk encryption |
| Compute | Azure Functions | Serverless compute for PHI processing |
| Database | Azure Cosmos DB | NoSQL database with encryption at rest |
| Containers | Azure Kubernetes Service | Managed Kubernetes with security controls |
| Security | Azure Key Vault | Key and secret management |
| Monitoring | Azure Monitor | Comprehensive monitoring and logging |
| Backup | Azure Backup | Centralized backup for VMs, databases, and files |
| Network | Azure Private Link | Private connectivity to Azure services |
| DR | Azure Site Recovery | Disaster recovery and business continuity |
Note: For a complete list, visit Azure HIPAA Compliance Documentation
Data Protection
Azure HIPAA Backup Strategies
Azure offers comprehensive backup solutions for HIPAA-compliant data protection:
- Azure Backup for VMs: automated VM backups with encryption, retention policies, and geo-redundancy
- SQL Database Backup: automated backups with point-in-time restore (7-35 days)
- Blob Storage Versioning: immutable storage with legal hold and time-based retention
- Azure Site Recovery: continuous replication for disaster recovery (RPO < 5 min)
- Geo-Redundant Storage: data replicated to a secondary region for high availability
- Backup Vault: centralized backup management with RBAC and encryption
Build It Right
Azure HIPAA Architecture Best Practices
Indicative Spend
Azure HIPAA Cost Estimates
Typical monthly costs for a small-to-medium healthcare application on Azure:
| Service | Estimated Cost | Usage |
|---|---|---|
| VM (D2s v3) | $70-100/month | Application server |
| SQL Database (S2) | $75-100/month | Database |
| Blob Storage (Hot) | $18/TB/month | PHI storage |
| Azure Backup | $10/instance/month | VM backup |
| Key Vault | $0.03/10k operations | Key management |
| Azure Monitor | $2.30/GB ingested | Logging |
Total Estimated Cost: $250-450/month for a basic HIPAA-compliant application. Costs vary based on usage, data volume, and backup retention.
8-Week Plan
Azure HIPAA Implementation Timeline
- Weeks 1-2, Planning & BAA: review BAA coverage, design the architecture, select HIPAA-eligible services
- Weeks 3-4, Infrastructure Setup: configure the VNet, set up encryption, implement Azure AD, enable logging
- Weeks 5-6, Application Deployment: deploy applications, configure monitoring, set up backups, test DR
- Weeks 7-8, Security & Compliance: security assessment, penetration testing, compliance documentation, training
Who Owns What
Azure Shared Responsibility for HIPAA
Microsoft secures the cloud; you secure what you run in it. The split below shows who owns each control for a typical PHI workload — the customer-owned rows are where most compliance gaps appear.
| Control Area | Owner | What it covers |
|---|---|---|
| Physical data-center security | Microsoft | Facilities, hardware, and global infrastructure |
| Hypervisor & host isolation | Microsoft | Virtualization layer separating tenants |
| Managed-service patching (PaaS) | Microsoft | Runtime patching for managed services (e.g. Azure SQL) |
| Encryption (customer-managed keys) | Customer | Enabling encryption at rest and in transit |
| Identity & access (Entra ID) | Customer | Conditional access, RBAC, MFA |
| Audit logging (Azure Monitor) | Customer | Enabling, retaining, and reviewing logs |
| Guest OS patching (VMs / IaaS) | Customer | Patching the OS on VMs you run |
| Application & data security | Customer | Secure code, input validation, PHI handling |
HIPAA is enforced by the US Department of Health and Human Services — see the HHS HIPAA portal for the Security Rule, and Microsoft's Azure HIPAA documentation for BAA coverage.
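The customer-owned rows in the table above, together with the controls listed under Azure HIPAA Backup Strategies, are the settings a reviewer has to verify on each resource that holds PHI. The following Python script is an added example, not code from this page, from Microsoft, or from any Azure SDK: it audits the exported configuration of one storage account for those controls and reports every gap, and it is written to run offline against two constructed sample accounts (one as a team might have deployed it, one hardened). The input shape follows the JSON returned by `az storage account show` and `az storage account blob-service-properties show`; the exact field names, the 30-day soft-delete threshold, and the sample values are assumptions made for the example.

```python
"""Offline audit of an Azure Storage account configuration against the
customer-owned HIPAA controls on this page: encryption in transit and at
rest with a Key Vault customer-managed key, no public exposure, backup and
immutability for PHI blobs, and audit logging to a Log Analytics workspace.

Field names follow the JSON emitted by `az storage account show` and
`az storage account blob-service-properties show` (an assumption); the
sample accounts below are constructed and do not describe a real tenant.
"""
import json

# Constructed sample 1: an account as it might look before a compliance review.
WEAK_ACCOUNT_JSON = """
{
  "name": "stphiexample",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": true,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow"},
  "encryption": {"keySource": "Microsoft.Storage"},
  "immutableStorageWithVersioning": {"enabled": false}
}
"""
WEAK_BLOB_PROPS_JSON = """
{"isVersioningEnabled": false, "deleteRetentionPolicy": {"enabled": true, "days": 7}}
"""
WEAK_DIAG_SETTINGS = []  # no diagnostic settings resource exists yet

# Constructed sample 2: the same account after hardening.
HARDENED_ACCOUNT_JSON = """
{
  "name": "stphiexample",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "allowBlobPublicAccess": false,
  "publicNetworkAccess": "Disabled",
  "networkRuleSet": {"defaultAction": "Deny"},
  "encryption": {"keySource": "Microsoft.Keyvault",
                 "keyVaultProperties": {"keyName": "phi-blob-cmk"}},
  "immutableStorageWithVersioning": {"enabled": true}
}
"""
HARDENED_BLOB_PROPS_JSON = """
{"isVersioningEnabled": true, "deleteRetentionPolicy": {"enabled": true, "days": 30}}
"""
# Placeholder workspace id; a real one is a full ARM resource id.
HARDENED_DIAG_SETTINGS = [{"name": "audit-to-law", "workspaceId": "/subscriptions/<sub>/.../workspaces/<law>"}]


def audit_storage_account(account, blob_props, diag_settings, min_soft_delete_days=30):
    """Return a list of (control, finding) tuples, one per failed check.
    An empty list means every check passed."""
    findings = []

    # Encryption in transit: force HTTPS and a modern TLS floor.
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append(("Encryption", "HTTPS-only traffic is not enforced"))
    if account.get("minimumTlsVersion") != "TLS1_2":
        findings.append(("Encryption", f"minimum TLS version is {account.get('minimumTlsVersion')!r}, expected 'TLS1_2'"))

    # Encryption at rest: the page's table puts customer-managed keys on the customer.
    if account.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
        findings.append(("Encryption", "at-rest encryption uses platform-managed keys, not a Key Vault CMK"))

    # Network exposure: no anonymous blobs; reach the account over Private Link or a Deny default.
    if account.get("allowBlobPublicAccess", True):  # missing key treated as the permissive default
        findings.append(("Network", "anonymous blob access is allowed"))
    if (account.get("publicNetworkAccess", "Enabled") != "Disabled"
            and account.get("networkRuleSet", {}).get("defaultAction") != "Deny"):
        findings.append(("Network", "public network access is open (use Private Link or a Deny default rule)"))

    # Backup and data protection for PHI blobs: versioning, soft delete, WORM immutability.
    if not blob_props.get("isVersioningEnabled", False):
        findings.append(("Backup", "blob versioning is disabled"))
    policy = blob_props.get("deleteRetentionPolicy", {})
    if not policy.get("enabled") or policy.get("days", 0) < min_soft_delete_days:
        findings.append(("Backup", f"blob soft delete is off or shorter than {min_soft_delete_days} days"))
    if not account.get("immutableStorageWithVersioning", {}).get("enabled", False):
        findings.append(("Backup", "account-level immutability (WORM) is not enabled"))

    # Audit logging: at least one diagnostic setting must ship logs to a workspace.
    if not any(d.get("workspaceId") for d in diag_settings):
        findings.append(("Audit logging", "no diagnostic setting sends logs to a Log Analytics workspace"))

    return findings


def run_weak_sample():
    return audit_storage_account(json.loads(WEAK_ACCOUNT_JSON), json.loads(WEAK_BLOB_PROPS_JSON), WEAK_DIAG_SETTINGS)


def run_hardened_sample():
    return audit_storage_account(json.loads(HARDENED_ACCOUNT_JSON), json.loads(HARDENED_BLOB_PROPS_JSON), HARDENED_DIAG_SETTINGS)


if __name__ == "__main__":
    for control, finding in run_weak_sample():
        print(f"[{control}] {finding}")
    print("hardened account findings:", run_hardened_sample())
```

Run against the weak sample it reports eight gaps spread across all four customer-owned control areas, and the hardened sample passes cleanly. The same function can be fed real exports by piping the two `az` commands to JSON files, which makes it a cheap pre-check before the quarterly compliance review the page recommends.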
Frequently Asked Questions
How do I get the Azure HIPAA BAA?
Microsoft includes its HIPAA Business Associate Agreement (BAA) in the Microsoft Product Terms (formerly Online Services Terms) for customers under a qualifying volume-licensing, Enterprise Agreement, CSP, or Microsoft Online Subscription agreement. There is no separate document to sign for most customers — coverage is granted automatically, but you should confirm your agreement type and keep records of the BAA terms in force.
Is Azure HIPAA certified?
Azure is not "HIPAA certified" — HIPAA has no certification. Microsoft signs a BAA and supports HIPAA across most Azure services. Compliance is shared: Microsoft secures the infrastructure, and you are responsible for configuring services correctly and documenting your controls through a Security Risk Assessment.
Which Azure services are HIPAA-eligible?
Most Azure services are in scope, including Azure Health Data Services, Blob Storage, Azure SQL Database, Virtual Machines, Functions, Cosmos DB, AKS, Key Vault, Azure Monitor, Azure Backup, and Private Link. Coverage is broad but not universal, so confirm a specific service in Microsoft's current HIPAA documentation before placing PHI on it.
What is my responsibility under Azure's shared responsibility model?
You own security of your configuration and data: customer-managed encryption keys, Microsoft Entra ID (Azure AD) access control with conditional access, Azure Monitor audit logging, guest-OS patching on VMs, network security groups and Private Link, Azure Backup, and your application. Microsoft secures the physical infrastructure and hypervisor.
How should I back up PHI on Azure for HIPAA?
Use Azure Backup for VMs and databases with encryption and geo-redundancy, enable point-in-time restore on Azure SQL, apply immutable (WORM) policies on Blob Storage, and consider Azure Site Recovery for disaster recovery. Backups containing PHI must themselves be encrypted and access-controlled, and your retention policy should match your BAA and HIPAA requirements.