Critical issue? Call (205) 418-3800
Evolv IT

AI

Is Microsoft Copilot HIPAA compliant?

Last updated: July 13, 2026 · By Daniel, CEO

Microsoft Copilot can be deployed in a HIPAA-appropriate way inside a properly configured Microsoft 365 tenant with a business associate agreement in place. But no AI product is HIPAA compliant by itself. Compliance depends on your tenant configuration, your licensing tier, your data governance, and your policies, not on the product name. And free consumer AI tools are a different story entirely: they sit outside your BAA, your tenant, and your control.

Why is "is it compliant" the wrong form of the question?

HIPAA compliance attaches to how a covered entity uses a tool, not to the tool in isolation. The same is true of email, file storage, and every other system your practice already runs. Copilot works by reading the data your tenant already holds, through the permissions your tenant already grants. If those permissions are sloppy, Copilot makes the sloppiness faster and easier to find. If they are governed, Copilot inherits the governance.

So the honest question is not whether Copilot is compliant, it is whether your deployment of Copilot would survive scrutiny: is there a BAA, is access scoped correctly, is PHI labeled and protected, is usage audited, and is there a written policy staff have actually been trained on.

What does a HIPAA-appropriate Copilot deployment look like?

The BAA. Microsoft offers a business associate agreement covering eligible enterprise services. Confirming that your agreement and licensing put Copilot inside that coverage is step one, and it is a contract review task, not a settings toggle.

Tenant configuration. Copilot respects your permissions model, which means your permissions model is now the whole ballgame. Overshared SharePoint sites, stale access grants, and unlabeled PHI become discoverable in seconds. Sensitivity labels, data loss prevention, and a permissions cleanup belong before rollout, not after. This is the core of the Microsoft 365 tenant security work we do ahead of any Copilot deployment.

Governance and auditing. Microsoft Purview can log AI interactions, apply retention, and surface risky prompts through DSPM for AI. Without that layer you have no evidence of what Copilot was asked or what it returned, and evidence is what compliance reviews run on.

Policy and training. A written AI use policy that names approved tools, prohibited uses, and data categories, plus training that staff sign. Regulators and cyber insurers both ask for these documents now.

What about the licensing tier?

Governance capability is tied to licensing. The controls that make an AI deployment defensible, Purview auditing, DSPM for AI, sensitivity labeling at scale, sit in the higher enterprise tiers, and Microsoft's July 2026 licensing changes reshaped how they are packaged. Paying for a tier whose governance features you never configure is as common a failure as not licensing them at all. The right sequence is to decide what controls PHI requires, then license to that, then configure what you licensed.

Why are consumer AI tools a different story?

A free chatbot account belongs to the employee, not the practice. There is no BAA, no tenant boundary, no audit log you can produce, and no way to retrieve or delete PHI once pasted. That is not a configuration gap, it is an unauthorized disclosure risk. Most practices discover this usage is already happening, because none of it shows up in normal IT reporting. An anonymous AI Shadow Survey is the fastest way to find out what your team is actually using before you write policy around it.

Does Microsoft sign a BAA that covers Copilot?
Microsoft offers a business associate agreement covering eligible Microsoft 365 enterprise services for covered entities and business associates. Whether your Copilot deployment falls under it depends on your agreement, your licensing, and how the tenant is configured, which is why the BAA is the starting point of a HIPAA-appropriate deployment, not the finish line.
Is the free or personal version of Copilot HIPAA appropriate?
No. Consumer AI accounts sit outside your tenant, outside your BAA, and outside your controls. PHI entered into a personal AI account is PHI that has left your governance entirely. HIPAA-appropriate use of AI runs through enterprise deployments inside a governed tenant.
What does a HIPAA-appropriate Copilot deployment actually require?
A BAA in place, appropriate enterprise licensing, sensitivity labeling and data loss prevention so Copilot inherits your permissions model correctly, Purview auditing of AI interactions, a written AI use policy, and staff training. The gaps are almost always in configuration and governance, not in the product.

Free and Anonymous

Find out what AI is already in use at your practice.

The AI Shadow Survey takes your team under five minutes and names no names. Measure first, then govern.