Quick Answer
Dynamics 365 can support HIPAA compliance, but no software is fully HIPAA compliant out of the box. Microsoft provides everything an organization needs for HIPAA compliance, like the infrastructure, the Business Associate Agreement, and the security tooling, but configuration, access controls, policies, and ongoing governance are your organization's responsibility.
If you work in healthcare IT, you have probably either asked these questions, or been asked them by leadership, about every piece of software your organization evaluates: Is it HIPAA compliant? Can we store PHI in it? Will we pass an audit?
The honest answer to whether Dynamics 365 is HIPAA compliant – something that also applies to virtually every other cloud platform and piece of software – is “it depends on what you do with it.” HIPAA doesn't certify software. There is no stamp of approval that Microsoft or anyone else can put on a product that makes it inherently compliant. What HIPAA requires is that covered entities and their business associates handle protected health information according to specific administrative, physical, and technical safeguards – and Dynamics 365 does give you the tools to do just that.
However, how you configure and govern those tools determines whether you're compliant. And that distinction matters, because the most expensive mistake healthcare organizations make with Microsoft products isn't choosing the wrong plan; rather, it’s assuming that signing a BAA is enough to finish the job.
In this guide, we’ll look at what Microsoft provides on its end, what your organization needs to configure and maintain to achieve compliance, and where Dynamics 365 fits into a HIPAA-compliant healthcare operation.
If you're reading this blog, you probably already have a working familiarity with HIPAA, so we won’t take too much time on this.
The key concept for evaluating any cloud platform is the shared responsibility model. Microsoft, as a business associate, is responsible for securing the underlying cloud infrastructure. Your organization, as the covered entity (or as a business associate using the platform), is responsible for the rest: configuration, access controls, policies, and ongoing governance.
HIPAA's safeguards fall into three categories: administrative, physical, and technical.
Cloud platforms like Dynamics 365 primarily address the technical category, but they can't do even that alone, and they don't touch the administrative and physical categories at all. That part’s up to you.
Microsoft provides a Business Associate Agreement for all commercial Dynamics 365, Microsoft 365, Azure, and Power Platform plans. Unlike some vendors, you don't need to request or negotiate a separate BAA document.
It's built into the Microsoft Online Services Data Protection Addendum and takes effect automatically when your organization accepts the service agreement for an eligible plan. You can verify coverage and download the documentation from the Microsoft Service Trust Portal.
If you've ever had to chase a smaller SaaS vendor for weeks trying to get a BAA signed (or worse, discovered that a tool your team was already using for PHI didn't offer one at all) you'll appreciate how significant this is. A BAA isn't a formality; it's the legal mechanism that defines Microsoft's obligations for safeguarding PHI within its services and establishes the terms under which your organization can store and process protected health information in the platform. Without one, you cannot use the platform for PHI, period.
The fact that Microsoft includes it automatically with commercial plans removes what is often one of the more frustrating procurement bottlenecks in healthcare IT.
The BAA covers Dynamics 365, Azure, Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Power Platform (i.e., Power Apps, Power Automate, and Power BI), and Microsoft Intune, among other services. That's a broad footprint, and it means a healthcare organization running Dynamics 365 alongside Microsoft 365 for productivity has BAA coverage across most of its day-to-day tooling.
What's not covered:
That last one is an easy mistake to make. If your team installs a third-party app that connects to Dynamics 365 and touches PHI, that vendor needs its own BAA with your organization, because Microsoft's agreement doesn't extend to the vendor's code.
Microsoft's cloud services also carry HITRUST CSF certification, ISO 27001 certification, and FedRAMP authorization, which can streamline your own compliance documentation. But the critical point remains: The BAA and these certifications cover Microsoft's obligations. They do not cover yours.
Microsoft can lead the proverbial horse to water, but it’s your job to make it drink. In other words, Microsoft can secure the infrastructure all day long, but if your Dynamics 365 environment is misconfigured, your organization is the one facing an OCR investigation.
Technical controls alone don't satisfy HIPAA. You need written policies for how PHI is handled within Dynamics 365, a workforce training program that covers those policies, documented incident response procedures, and a vendor management process for any third-party integrations that access PHI through your environment. These are administrative safeguards, and auditors look for them specifically. An airtight technical configuration with no documented policies behind it is still a compliance gap.
Here are some things to make sure you’re focusing on for your Dynamics 365 deployment.
Dynamics 365 is not an EHR (Electronic Health Record) or EMR (Electronic Medical Record), and Microsoft explicitly states that it is not intended for clinical decision-making or for use as a medical device. What it does well is handle the operational and relationship management side of healthcare, e.g., patient inquiries and case management through Customer Service, home health or medical device servicing through Field Service, provider and payer relationship management through Sales, and custom healthcare workflows built on Power Platform.
For organizations already running Microsoft 365, adding Dynamics 365 means your healthcare CRM, productivity tools, and compliance infrastructure all live under the same BAA and the same security framework. That's a meaningful simplification of your compliance surface area.
IES helps healthcare organizations implement Dynamics 365 in environments where HIPAA compliance is non-negotiable. From access controls and sensitivity labeling through policy documentation and workforce training, we help you build a Dynamics 365 deployment that's ready for an audit, not just a demo. Get in touch.