An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
A HIPAA Business Associate Agreement (BAA) with Microsoft is available to individual Azure customers, but it is not signed through a separate, custom contract or a customer-specific BAA form.
Key points for this scenario:
- No separate BAA to sign
  - There is no separate contract to sign for a HIPAA BAA with Microsoft Azure. The HIPAA BAA is incorporated by default into the Microsoft Product Terms and the Microsoft Products and Services Data Protection Addendum (DPA) for all customers who are covered entities or business associates under HIPAA.
  - The Product Terms reference the DPA, which states that execution of the customer’s volume licensing agreement includes execution of the HIPAA BAA.
- Applicability to Azure Pay‑As‑You‑Go
  - For Azure, the licensing agreements under which Azure is purchased incorporate the Microsoft Product Terms and the DPA. When that agreement is accepted for the subscription (including Pay‑As‑You‑Go), the HIPAA BAA terms are in effect for in‑scope services for any customer that is a covered entity or business associate under HIPAA.
  - This applies even if the subscription is associated with an individual account, as long as the customer is acting as a covered entity or business associate.
- No use of customer‑authored BAAs
  - Microsoft cannot use a customer’s own BAA template. The Microsoft HIPAA BAA is standardized to match how Microsoft operates its hyperscale, multitenant cloud services.
- Accessing the BAA text and related documentation
  - The HIPAA BAA is available via the Microsoft Product Terms and the Microsoft Products and Services DPA. The BAA itself is also exposed via the Microsoft HIPAA BAA link.
  - If access to portals such as the Service Trust Portal or specific URLs requires a work/school account, the underlying legal effect of the BAA does not depend on portal access; it is attached to the licensing agreement that governs the Azure subscription.
- Compliance responsibility
  - Having the BAA in place supports HIPAA compliance but does not, by itself, make an Azure OpenAI–based solution HIPAA compliant. The customer remains responsible for configuring and operating the solution so that it aligns with HIPAA and HITECH requirements.
In practice, for an individual Pay‑As‑You‑Go Azure customer using Azure OpenAI for HIPAA‑regulated workloads, the BAA is considered executed through acceptance of the applicable Azure agreement that incorporates the Microsoft Product Terms and DPA; no additional signing step or portal action is required, even if the self‑service BAA portal cannot be accessed with a personal account.