Home / Articles / Is Azure OpenAI HIPAA Compliant?

Is Azure OpenAI HIPAA Compliant? What the BAA Does and Doesn't Cover

Yes — Azure OpenAI is a HIPAA-eligible service covered by Microsoft's Business Associate Agreement, so you can legally process PHI with it. But eligible is not the same as compliant. The BAA is the legal floor; your configuration, access controls, and data flows decide the rest. Here is exactly what the BAA covers, what it doesn't, and where compliance quietly breaks.

I run Azure OpenAI on live protected health information in production — inside a revenue-cycle command center I built for a medical-billing operation — so this is not a survey of the documentation. It is what the line between "eligible" and "compliant" looks like once real claim data is flowing through the model. I'll come back to that build at the end, because it makes the abstract concrete.

Is Azure OpenAI HIPAA compliant?

It is HIPAA-eligible, which is not the same claim. Microsoft places Azure OpenAI in scope for its HIPAA Business Associate Agreement, and — unlike the consumer ChatGPT product — the service is hosted by Microsoft inside your own Azure resource, your prompts and completions are not used to train models or shared with OpenAI, and your data stays in your tenant. That gets you a service you are permitted to send PHI to. Whether the resulting deployment is compliant depends entirely on how you wire it up. (For the broader question of using any LLM with PHI, see can you use ChatGPT with PHI?)

HIPAA-eligible vs. HIPAA-compliant. Microsoft designates Azure OpenAI a HIPAA-eligible service, meaning it is covered by the company's HIPAA Business Associate Agreement (delivered through the Microsoft Products and Services Data Protection Addendum). "Eligible" is a statement about the service and the contract — not about your deployment. "Compliant" is what your configuration, access controls, and data flows make it. The BAA is necessary; on its own it is never sufficient.

How do you get the Microsoft BAA for Azure OpenAI?

For most organizations, you already have it. Microsoft's HIPAA BAA is delivered by default through the Microsoft Products and Services Data Protection Addendum (the DPA) for customers on eligible volume-licensing agreements — an Enterprise Agreement, a Microsoft Customer Agreement, or a Cloud Solution Provider agreement. You do not sign a separate BAA for each service, and you do not negotiate a bespoke one to turn on Azure OpenAI. Two things are still worth doing before any PHI moves: confirm your agreement actually carries the BAA (a pure consumer or trial arrangement may not), and confirm the specific Azure OpenAI feature you intend to use is inside the HIPAA-eligible scope rather than a preview capability that isn't.

What does the BAA cover — and what doesn't it?

The BAA covers Microsoft's obligations for the PHI the service processes. It does not reach into your deployment and configure it for you. Everything on the right side of this table is yours, and it is where audits actually find problems.

Covered by the Microsoft BAA (Microsoft's obligation)Your responsibility (outside the BAA)
Safeguarding the PHI Azure OpenAI processes on your behalf, per the Security RuleIdentity and access control — Entra ID, role-based access, MFA, Conditional Access
Encryption of data in transit and at rest within the serviceAudit logging of who accessed which PHI and when — append-only, reviewable
Keeping the service in HIPAA-eligible scope (generally available features)Network isolation — private endpoints, disabling public network access
Not using your prompts or completions to train models; not sharing them with OpenAIMinimum-necessary data flows — sending only the PHI the task needs
Abuse-monitoring review performed by Microsoft personnel as your business associateKeeping PHI out of your own diagnostic logs, caches, and telemetry
Microsoft's breach-notification obligations to you as the covered entity or business associateBAA coverage for every other service in the pipeline (search, storage, orchestration)

This is the shared-responsibility model applied to AI. Microsoft secures the service; you secure the deployment. The BAA is the contract that makes the first half enforceable — it does nothing about the second half, and the second half is where compliance is won or lost.

Which settings silently break compliance?

These are the ones that pass a casual review because the BAA is signed and the demo works, then surface in an audit or a breach investigation.

Does Azure OpenAI train on your data or send it to OpenAI?

No, and this is worth stating plainly because it is the fear that stops many healthcare teams before they start. Azure OpenAI runs the models inside Microsoft's Azure platform, in the resource you provision in your own tenant. Microsoft does not use your prompts or completions to train or improve its models, does not share them with OpenAI, and does not add them to any shared pool. Your inputs and outputs stay within your Azure environment. That is the architectural reason Azure OpenAI, rather than a consumer chatbot, is the default enterprise path for regulated healthcare data — the isolation is the product.

What this looks like in production (from the trenches)

Here is the build I mentioned. In a revenue-cycle command center for a medical-billing operation, two features run on Azure OpenAI, both touching PHI. The first summarizes an insurance claim's accounts-receivable status and recommends the next action, so a specialist can grasp a stalled claim in seconds instead of reading a long history. The second is the one that surprised me with how much it mattered: it takes the terse, shorthand notes specialists type while working a claim — abbreviations, half-sentences, non-native English, "pt resp bal to sec, f/u COB, lvm" — and rewrites them into clean, standardized activity-log entries that anyone can read later.

"Eligible" got us the right to build it. Everything that made it compliant was configuration, and none of it came from the BAA:

Not one of those safeguards is something Microsoft's signature provided. The BAA made the model a legal place to send claim data. The tenant boundary, the minimization, the audit trail, the no-cache posture, and the guardrail prompt are what made the deployment compliant. That is the whole lesson of this article in one system: eligible is bought, compliant is built.

Frequently asked questions

Is Azure OpenAI HIPAA compliant out of the box?

No — it is HIPAA-eligible, not automatically compliant. Microsoft covers Azure OpenAI under its Business Associate Agreement, which makes it legal to process PHI with it, but the BAA does not configure your deployment. Access control, audit logging, network isolation, minimum-necessary data flows, and keeping PHI out of your own logs are all your responsibility. Eligible is the floor; compliant is what your configuration adds.

Do you need to sign a separate BAA for Azure OpenAI?

Usually not. Microsoft's HIPAA BAA is delivered by default through the Microsoft Products and Services Data Protection Addendum for customers on eligible volume-licensing agreements — an Enterprise Agreement, a Microsoft Customer Agreement, or a Cloud Solution Provider agreement. You do not sign a new BAA per service. Confirm your agreement type carries it, and confirm the specific service is in the HIPAA-eligible scope, before any PHI flows to it.

Does Azure OpenAI train on your prompts or send them to OpenAI?

No. Azure OpenAI is hosted by Microsoft in your own Azure resource, not by OpenAI. Microsoft does not use your prompts or completions to train its models or share them with OpenAI, and your data stays within your Azure tenant. This is a core difference from the consumer ChatGPT product and one reason Azure OpenAI is a common enterprise path for regulated healthcare workloads.

Is Azure OpenAI's default abuse monitoring a HIPAA violation?

No. By default, Azure OpenAI may store prompts and completions for up to 30 days for abuse monitoring, and authorized Microsoft personnel may review flagged content — but that processing is performed by Microsoft as your business associate under the BAA, so it is not inherently a violation. Many healthcare organizations still apply for Microsoft's Limited Access Modified Abuse Monitoring, which removes human review and sets that retention to zero, to satisfy the minimum-necessary principle and reduce third-party exposure to PHI. Verify current Microsoft terms, which change.

What is the difference between HIPAA-eligible and HIPAA-compliant?

HIPAA-eligible is a property of the service and the contract: Microsoft has placed Azure OpenAI in scope for its BAA, so you are permitted to process PHI with it. HIPAA-compliant is a property of your deployment: whether your access controls, audit logging, network design, data minimization, and subprocessor coverage actually meet the Security and Privacy Rules. A vendor can only give you eligible. Compliant is earned in configuration.

Can you send patient identifiers to Azure OpenAI?

Within a signed BAA and a properly configured deployment, sending PHI to Azure OpenAI is a permitted disclosure to a business associate. But permitted is not the same as necessary. The minimum-necessary principle says send only the PHI the task actually requires — in practice that often means feeding the model operational fields and excluding direct identifiers like patient name, account number, or subscriber number when the use case does not need them.

Does the BAA cover other Azure services in your AI pipeline?

Only the ones that are individually HIPAA-eligible. A real deployment rarely uses Azure OpenAI alone — it may add search or vector indexing for retrieval, blob storage for documents, a database, and logging. Every service in the chain that touches PHI must be in the BAA's covered-services scope and configured accordingly. A compliant model endpoint feeding an out-of-scope logging sink is still a gap.

Can Azure OpenAI process PHI in images or scanned documents?

Text inputs are the clear, well-trodden path. Image and multimodal inputs are less clearly in scope by default and can also trip content filters on medical imagery, so treat them as a separate question and verify current Microsoft coverage before sending scanned records or photos containing PHI. When in doubt, extract and minimize the text first.

Deploying Azure OpenAI on regulated healthcare data?

We take it from eligible to compliant: BAA and covered-service confirmation, abuse-monitoring posture, network and access design, data minimization, audit logging, and the evaluation that proves the model behaves on your real data. Bring the workflow; leave with an architecture and an estimate the same business day.

Book a 30-minute intro call Prefer email? clayton@quantsolvent.co