HD Tech - SecurITy Delivered

Is Microsoft Copilot HIPAA Compliant? What Accounting and Healthcare Firms Need to Know

By Tom Hermstad · HD Tech

Is Microsoft Copilot HIPAA compliant?

Microsoft Copilot can be HIPAA compliant, but only under four specific conditions: you are on a qualifying Microsoft 365 enterprise plan (E3, E5, or Business Premium), Microsoft has signed a HIPAA Business Associate Agreement (BAA) with your organization, your SharePoint and M365 permissions are properly scoped, and you are using Copilot for Microsoft 365 — not the free consumer version at copilot.microsoft.com. Out of the box, Copilot is not automatically HIPAA compliant. Compliance requires deliberate configuration, not just a software license.

Does Microsoft offer a HIPAA Business Associate Agreement for Copilot?

Yes — Microsoft offers a HIPAA BAA for qualifying Microsoft 365 enterprise plans, and Copilot for M365 is covered under that BAA for enterprise customers. The BAA covers core M365 services including Exchange Online, SharePoint, OneDrive, and Teams. However, the BAA does not automatically make your deployment compliant. You still need proper data permissions, audit logging configured in Microsoft Purview, and a written staff usage policy. The BAA is the legal agreement. Compliance is the operational practice built on top of it.

Can accounting firms use Microsoft Copilot safely even if they are not subject to HIPAA?

Yes — and they should take it just as seriously. Most CPA and accounting firms are not direct HIPAA covered entities, but they handle some of the most sensitive personal data that exists: Social Security numbers, income history, business financials, estate plans. Accounting firms are subject to IRS Publication 4557 (Safeguarding Taxpayer Data), the FTC Safeguards Rule, and California CPRA for larger firms. The configuration steps for HIPAA compliance are exactly the right framework for accounting firms to apply to their own regulatory obligations.

What HIPAA Actually Requires from AI Tools

HIPAA does not have an "AI tools" section — it predates tools like Copilot by decades. But the rules still apply, and they catch organizations off guard in three specific ways.

Business Associate Agreement (BAA). If a vendor touches Protected Health Information (PHI) on your behalf, they must sign a BAA. No BAA means you are already in violation before Copilot generates a single sentence. Verify your BAA is in place — do not assume.

Data processing standards. Any system handling PHI must have documented security controls, audit trails, and access restrictions. "The AI did it" is not a defense in a HIPAA audit.

Minimum necessary standard. HIPAA requires that users only access the minimum PHI needed for their specific job function — nothing more. This is where most Copilot deployments run into trouble. Copilot surfaces information based on what a user can already access. If your M365 permissions are too broad, Copilot can expose data to employees who should not see it — a violation of the minimum necessary standard even if a BAA is in place.

Free Copilot vs. Enterprise Copilot — A Critical Distinction

This is where firms get into serious trouble without realizing it.

Copilot for Microsoft 365 (paid enterprise add-on) runs entirely within your Microsoft tenant. Your data does not leave your environment. It is not used to train Microsoft's AI models. It is covered by Microsoft's HIPAA BAA, which is available by default across commercial M365 plans — though operating it compliantly in practice requires a plan tier (Business Premium, E3, E5, or equivalent) that includes the security features those controls depend on: Microsoft Purview, sensitivity labels, and DLP.

Copilot free (copilot.microsoft.com) is a consumer product. It is not covered by Microsoft's HIPAA BAA. Data processed through the free version is handled under consumer privacy terms — which are fundamentally different from enterprise commitments. These are not interchangeable products. Using the free version with any PHI or sensitive client data is a compliance violation.

Real-world risk: a staff accountant pastes a client's name, SSN, and financial summary into the free Copilot window to draft a letter faster. That data just left your HIPAA-controlled environment. Whether or not anything bad happens downstream, this is a potential breach event — and exactly what triggers regulatory inquiry if discovered.

Why Accounting Firms Face the Same Risks as Healthcare

Most CPA firms are not HIPAA covered entities — but the compliance logic maps directly to their actual regulatory landscape. Accounting firms face:

IRS Publication 4557. Requires firms to maintain a Written Information Security Plan (WISP) and control who accesses client tax data. Copilot that can surface any client's return to any employee violates the spirit and practice of this requirement.

FTC Safeguards Rule. Treats tax preparers as financial institutions — requires encryption, access controls, and incident response plans. AI tool governance belongs in your Safeguards Rule compliance program.

California CPRA. Applies to firms doing business in California with over $26.625M in annual revenue (the threshold is inflation-adjusted; it was raised from $25M effective January 1, 2025) or handling data on 100,000+ California consumers. Many mid-size and large OC accounting firms fall under this.

The framework for managing Copilot in an accounting environment is the same regardless of which regulation applies: least-privilege access, vendor data processing agreement, audit logging, and a staff policy.

5 Steps to Configure Copilot for Regulated Data Environments

1. Confirm your M365 plan includes the required compliance tools. Microsoft's HIPAA BAA is available by default across commercial Microsoft 365 plans through the Online Services Data Protection Addendum — it is not plan-restricted. What is plan-restricted is access to the advanced compliance features needed to operate Copilot compliantly in practice: Microsoft Purview, DLP, sensitivity labels, and extended audit logging. Business Basic and M365 Apps lack these tools, which makes configuring a compliant deployment impractical. You need Business Premium, E3, E5, or equivalent to implement compliant controls. Confirm this with your IT provider before proceeding.

2. Execute the HIPAA BAA with Microsoft. Available through the Microsoft Services Trust Portal. Do not assume it is in place — verify it and keep a copy on file.

3. Audit SharePoint and OneDrive permissions. Copilot can only surface data your users can already access. If your SharePoint has accumulated "Everyone" permissions over years, run a permissions audit and reclassify before enabling Copilot broadly.

4. Deploy Microsoft Purview sensitivity labels. Classify your documents (Confidential, Highly Confidential, etc.) and configure Copilot to respect those labels. Purview can prevent Copilot from surfacing certain document classes to users without appropriate access.

5. Block the free Copilot on work devices. Use Microsoft Entra ID Conditional Access policies to prevent staff from accessing copilot.microsoft.com on work devices or accounts. Pair with a written AI usage policy explaining why and what they should use instead.
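Added example for step 3 (this is not the original post's code and not a Microsoft-provided script): a PowerShell inventory of SharePoint Online sites where the tenant-wide "Everyone" or "Everyone except external users" claims hold permissions through a site group, which is exactly the accumulated over-sharing the audit needs to find before Copilot is enabled. It assumes the SharePoint Online Management Shell module, a SharePoint administrator account, and a placeholder tenant admin URL.

```powershell
# Added example, not from the original post. Flags SharePoint Online site groups
# that contain the tenant-wide "Everyone" claims, so those sites can be
# reclassified before Copilot is rolled out broadly.
# Assumes: Microsoft.Online.SharePoint.PowerShell is installed and the account
# used is a SharePoint administrator. TENANT below is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"

# Well-known claim identifiers for the two tenant-wide groups. The second one is
# suffixed with the tenant id, so both are matched as prefixes.
$broadClaims = @(
    'c:0(.s|true',                             # Everyone
    'c:0-.f|rolemanager|spo-grid-all-users/'   # Everyone except external users
)

$findings = foreach ($site in Get-SPOSite -Limit All) {
    # Get-SPOSiteGroup returns each site group with its Roles and member logins.
    foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
        foreach ($member in $group.Users) {
            foreach ($claim in $broadClaims) {
                if ($member.StartsWith($claim)) {
                    [pscustomobject]@{
                        SiteUrl = $site.Url
                        Group   = $group.Title
                        Roles   = ($group.Roles -join ', ')
                        Member  = $member
                    }
                }
            }
        }
    }
}

# Review on screen, then keep the CSV as evidence for the 90-day audit item.
$findings | Sort-Object SiteUrl | Format-Table -AutoSize
$findings | Export-Csv -Path '.\everyone-permissions.csv' -NoTypeInformation
```

This covers site-level groups only; grants made directly on individual libraries, folders or files, and OneDrive sites, need a deeper item-level scan before the audit can be called complete.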

Three Risk Scenarios Accounting Firms Need to Avoid

Scenario 1: The overpermissioned SharePoint. A partner at a five-person CPA firm enables Copilot for the team. A staff accountant asks Copilot to summarize everything related to a client. Copilot surfaces a partner-only memo discussing that client's legal dispute — technically accessible in SharePoint, but never meant for staff. No breach law broken, but the firm's confidentiality obligations were violated. The fix is permissions, not Copilot.

Scenario 2: The personal account workaround. A bookkeeper frustrated with the firm's Copilot restrictions uses her personal Microsoft account on her work laptop with the free version. She pastes three client records to draft a report faster. That data is now processed under consumer terms. The firm's WISP prohibits exactly this. The employee does not know she did anything wrong.

Scenario 3: The prompt with client SSNs. A tax preparer types a prompt including a client's SSN and income figures into the free Copilot web interface to speed up a letter. The data leaves the firm's controlled environment. Even if nothing bad happens downstream, this is the type of incident that triggers regulatory inquiry if discovered during an audit.

HD Tech's AI Compliance Checklist for Accounting Firms

Before rolling out Copilot — or if you already have — verify these items:

• M365 plan confirmed at E3, E5, or Business Premium

• HIPAA BAA executed with Microsoft and copy on file

• SharePoint and OneDrive permissions audited within the last 90 days

• Microsoft Purview sensitivity labels deployed on client-facing document libraries

• Consumer Copilot blocked on work devices via Conditional Access policy

• Written AI usage policy created and distributed to all staff

• Staff trained on the difference between enterprise and free Copilot

• WISP updated to include AI tool governance section

• Copilot interaction logging enabled in Purview

• Annual review scheduled — AI governance is not a one-time setup

Frequently Asked Questions

Is Copilot HIPAA compliant if my firm already has a Microsoft 365 subscription?

No. Having an M365 subscription is the starting point. You also need a qualifying enterprise plan, a signed HIPAA BAA with Microsoft, properly configured tenant permissions, and staff usage policies. All four elements are required together. Missing any one of them means your deployment is not HIPAA compliant regardless of what plan you are on.

What is the HIPAA minimum necessary standard, and why does it matter for Copilot?

The minimum necessary standard is a HIPAA requirement that users should only access the PHI they need for their specific job — nothing more. AI tools that surface all accessible data can violate this standard even with a BAA in place, if your M365 permissions are too broad. Tight permissions are not optional — they are the foundation of a compliant Copilot deployment.

Is the free consumer Copilot covered by Microsoft's HIPAA BAA?

No. The free consumer Copilot is not covered by Microsoft's HIPAA BAA under any circumstances. Only Copilot for Microsoft 365 under a qualifying enterprise plan is covered. Never use the free consumer version with PHI or sensitive client data in a regulated environment.

Which regulations apply to accounting firms that deploy Copilot?

Accounting firms are primarily subject to IRS Publication 4557 (Written Information Security Plan requirement), the FTC Safeguards Rule (encryption, access controls, incident response), and state privacy laws including California CPRA for qualifying firms. While most accounting firms are not HIPAA covered entities, the compliance framework for AI tool deployment is virtually identical — least-privilege access, vendor data processing agreements, audit logging, and documented staff policies.

How does HD Tech help accounting firms deploy Copilot compliantly?

Our process starts with a Microsoft 365 tenant audit — permissions, licensing, and compliance posture — followed by a structured deployment including sensitivity labels, access policies, staff training, and WISP updates. We have helped multiple OC accounting firms deploy Copilot with proper guardrails in place. We know where the gaps hide and how to close them before they become incidents.

Get a Free Copilot Readiness Review for Your Firm

HD Tech offers a complimentary AI readiness review for accounting and professional services firms in Orange County. We will walk through your Microsoft 365 configuration, flag the gaps, and give you a plain-English action plan. Call 877-540-1684 or book your review here.

Areas Served

HD Tech is headquartered in Seal Beach, Orange County, California, supporting accounting firms, CPA practices, and professional services firms across Irvine, Newport Beach, Laguna Hills, Anaheim, and throughout Southern California, with Microsoft 365 compliance and managed IT services available nationwide.


Tom Hermstad

President & CMO, HD Tech

Tom Hermstad has led HD Tech since 1995, building one of Southern California's most trusted managed IT and cybersecurity firms. He specializes in helping Orange County businesses eliminate IT headaches and stay ahead of evolving cyber threats — in plain English.
