Microsoft Dynamics Solutions Blog

Is Microsoft Dynamics 365 HIPAA Compliant? A Guide for Healthcare Organizations

Written by Alex Marzban | Jul 2, 2026 2:00:01 PM

Quick Answer

Dynamics 365 can support HIPAA compliance, but no software is fully HIPAA compliant out of the box. Microsoft provides everything an organization needs for HIPAA compliance, like the infrastructure, the Business Associate Agreement, and the security tooling, but configuration, access controls, policies, and ongoing governance are your organization's responsibility.

If you work in healthcare IT, you have probably either asked these questions, or been asked them by leadership, about every piece of software your organization evaluates: Is it HIPAA compliant? Can we store PHI in it? Will we pass an audit?

The honest answer to whether Dynamics 365 is HIPAA compliant – something that also applies to virtually every other cloud platform and piece of software – is “it depends on what you do with it.” HIPAA doesn't certify software. There is no stamp of approval that Microsoft or anyone else can put on a product that makes it inherently compliant. What HIPAA requires is that covered entities and their business associates handle protected health information according to specific administrative, physical, and technical safeguards – and, indeed, Dynamics 365 gives you the tools to do just that.

However, how you configure and govern those tools determines whether you're compliant. And that distinction matters, because the most expensive mistake healthcare organizations make with Microsoft products isn't choosing the wrong plan; rather, it’s assuming that signing a BAA is enough to finish the job.

In this guide, we’ll look at what Microsoft provides on its end, what your organization needs to configure and maintain to achieve compliance, and where Dynamics 365 fits into a HIPAA-compliant healthcare operation.

What HIPAA Requires

If you're reading this blog, you probably already have a working familiarity with HIPAA, so we won’t take too much time on this.

The key concept for evaluating any cloud platform is the shared responsibility model. Microsoft, as a business associate, is responsible for securing the underlying cloud infrastructure. Your organization, as the covered entity (or business associate using the platform), is responsible for the rest:

  • Configuring your infrastructure correctly
  • Controlling access to PHI
  • Implementing and enforcing policies to support HIPAA compliance
  • Training your workforce on those policies
  • Monitoring compliance on an ongoing basis

HIPAA's safeguards fall into three categories:

  • Administrative (policies, training, risk assessments)
  • Physical (facility and device security)
  • Technical (access controls, encryption, audit logging)

Cloud platforms like Dynamics 365 primarily address the technical category, but they can't do it alone, and they don't touch the other two at all. That part’s up to you.

How Microsoft Helps Achieve HIPAA Compliance

Microsoft provides a Business Associate Agreement for all commercial Dynamics 365, Microsoft 365, Azure, and Power Platform plans. Unlike with some vendors, you don't need to request or negotiate a separate BAA document.

It's built into the Microsoft Online Services Data Protection Addendum and takes effect automatically when your organization accepts the service agreement for an eligible plan. You can verify coverage and download the documentation from the Microsoft Service Trust Portal.

If you've ever had to chase a smaller SaaS vendor for weeks trying to get a BAA signed (or worse, discovered that a tool your team was already using for PHI didn't offer one at all) you'll appreciate how significant this is. A BAA isn't a formality; it's the legal mechanism that defines Microsoft's obligations for safeguarding PHI within its services and establishes the terms under which your organization can store and process protected health information in the platform. Without one, you cannot use the platform for PHI, period.

The fact that Microsoft includes it automatically with commercial plans removes what is often one of the more frustrating procurement bottlenecks in healthcare IT.

What's Covered In the Microsoft BAA

The BAA covers Dynamics 365, Azure, Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Power Platform (i.e., Power Apps, Power Automate, and Power BI), and Microsoft Intune, among other services. That's a broad footprint, and it means a healthcare organization running Dynamics 365 alongside Microsoft 365 for productivity has BAA coverage across most of its day-to-day tooling.

What's not covered:

  • Consumer Microsoft accounts
  • Personal OneDrive
  • Outlook.com
  • Third-party add-ins from the marketplace

That last one is an easy mistake to make. If your team installs a third-party app that connects to Dynamics 365 and touches PHI, that vendor needs its own BAA with your organization, since Microsoft's agreement doesn't extend to their code.

Microsoft's cloud services also carry HITRUST CSF certification, ISO 27001 certification, and FedRAMP authorization, which can streamline your own compliance documentation. But the critical point remains: The BAA and these certifications cover Microsoft's obligations. They do not cover yours.

How to Make Dynamics 365 HIPAA Compliant


Microsoft can lead the proverbial horse to water, but it’s your job to make it drink. In other words, Microsoft can secure the infrastructure all day long, but if your Dynamics 365 environment is misconfigured, your organization is the one facing an OCR investigation.

Policies and Training

Technical controls alone don't satisfy HIPAA. You need written policies for how PHI is handled within Dynamics 365, a workforce training program that covers those policies, documented incident response procedures, and a vendor management process for any third-party integrations that access PHI through your environment. These are administrative safeguards, and auditors look for them specifically. An airtight technical configuration with no documented policies behind it is still a compliance gap.

Here are some things to make sure you’re focusing on for your Dynamics 365 deployment.

Access Controls and Identity

  • Enforce multi-factor authentication for every user who touches PHI
  • Configure Conditional Access policies through Microsoft Entra ID to restrict sign-ins by location, device compliance, and risk level
  • Disable legacy authentication protocols entirely, since they bypass MFA and are one of the most common vectors for unauthorized access
  • Within Dynamics 365 itself, implement role-based security so users can only see and modify the records their job function requires.
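
The first three items above are all enforced through Entra ID Conditional Access, and the most common way they fail an audit is not a missing policy but a policy left in report-only mode, or one whose exclusions quietly grew. The following is an added example (not code from the original post or from Microsoft) that reviews an exported set of Conditional Access policies for two of those controls: MFA required for all users on all apps, and a block on legacy authentication client types. The policy shape is assumed to follow the Microsoft Graph conditionalAccessPolicy resource (state, conditions, grantControls); the two sample policies and the break-glass account id are constructed for this example. It checks only the Conditional Access route to disabling legacy auth; Exchange authentication policies are a separate mechanism and are not evaluated here.

```python
"""Review exported Entra ID Conditional Access policies for MFA coverage and a
legacy-auth block. Added example; policies are dicts shaped like the Microsoft
Graph conditionalAccessPolicy resource. Sample data below is constructed."""

# Client app types that carry legacy (non-modern) authentication flows.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def is_enforced(policy):
    """Only 'enabled' enforces; report-only and disabled policies do not."""
    return policy.get("state") == "enabled"


def targets_all_users(policy):
    users = policy.get("conditions", {}).get("users", {})
    return "All" in users.get("includeUsers", [])


def exclusions(policy):
    """Users, groups and roles carved out of the policy (e.g. break-glass
    accounts). Exclusions are legitimate but must be documented and reviewed."""
    users = policy.get("conditions", {}).get("users", {})
    return (users.get("excludeUsers", []) + users.get("excludeGroups", [])
            + users.get("excludeRoles", []))


def requires_mfa_for_all(policy):
    """Enforced, all users, all cloud apps, and 'mfa' among the grant controls."""
    apps = policy.get("conditions", {}).get("applications", {})
    grant = policy.get("grantControls") or {}
    return (is_enforced(policy)
            and targets_all_users(policy)
            and "All" in apps.get("includeApplications", [])
            and "mfa" in grant.get("builtInControls", []))


def blocks_legacy_auth(policy):
    """Enforced, all users, covers both legacy client app types, and blocks."""
    conditions = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    client_apps = set(conditions.get("clientAppTypes", []))
    return (is_enforced(policy)
            and targets_all_users(policy)
            and LEGACY_CLIENT_APP_TYPES <= client_apps
            and grant.get("builtInControls") == ["block"])


def evaluate(policies):
    """Return a findings dict a reviewer can hand to an auditor."""
    return {
        "mfa_for_all_users": any(requires_mfa_for_all(p) for p in policies),
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "report_only_policies": [
            p["displayName"] for p in policies
            if p.get("state") == "enabledForReportingButNotEnforced"],
        "policies_with_exclusions": {
            p["displayName"]: exclusions(p) for p in policies if exclusions(p)},
    }


# Constructed sample export: one enforced MFA policy with a break-glass
# exclusion, and a legacy-auth block still sitting in report-only mode.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            # Placeholder object id for a hypothetical break-glass account.
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["00000000-0000-0000-0000-000000000001"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_POLICIES).items():
        print(f"{key}: {value}")
```

Run against the sample, the MFA control passes while the legacy-auth block is reported as not enforced, because its state is report-only rather than enabled; that is exactly the gap an auditor will find if a pilot policy was never switched on. The exclusions list is reported rather than failed, since a documented break-glass account is expected practice, but anything beyond that should be explained in your policy documentation.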

Data Protection

  • Apply sensitivity labels to records containing PHI in Dataverse
  • Configure Data Loss Prevention policies in Microsoft Purview to prevent PHI from being shared through unauthorized channels, like personal email or unapproved external apps
  • Verify that encryption at rest and in transit is enabled for your environment; it is on by default across Microsoft's cloud services, but confirm your configuration rather than assuming
  • Enable unified audit logging and set retention periods long enough to satisfy both HIPAA requirements and your organization's own compliance needs; Microsoft recommends at least one year, with seven years for high-risk environments.

Where Dynamics 365 Fits in Healthcare Operations

Dynamics 365 is not an EHR (Electronic Health Record) or EMR (Electronic Medical Record) and Microsoft explicitly states that it is not intended for clinical decision-making or use as a medical device. What it does well is handle the operational and relationship management side of healthcare, e.g., patient inquiries and case management through Customer Service, home health or medical device servicing through Field Service, provider and payer relationship management through Sales, and custom healthcare workflows built on Power Platform.

For organizations already running Microsoft 365, adding Dynamics 365 means your healthcare CRM, productivity tools, and compliance infrastructure all live under the same BAA and the same security framework. That's a meaningful simplification of your compliance surface area.

Get Started With IES

IES helps healthcare organizations implement Dynamics 365 in environments where HIPAA compliance is non-negotiable. From access controls and sensitivity labeling through policy documentation and workforce training, we help you build a Dynamics 365 deployment that's ready for an audit, not just a demo. Get in touch.

Dynamics 365 HIPAA Compliance: FAQs