    HIPAA
    Healthcare
    Microsoft Copilot
    Microsoft 365
    AI Compliance
    PHI

    Is Microsoft Copilot HIPAA Compliant? M365, GCC, and the Real Answer for 2026

    Sonomos Research

    The Sonomos research team writes about AI privacy, data protection, and how to use generative AI safely at work.

Short answer: Microsoft 365 Copilot can be used for protected health information (PHI) by HIPAA-covered entities — but only under the Microsoft HIPAA BAA, on eligible Microsoft 365 plans, and with the right tenant configuration. The consumer Copilot at copilot.microsoft.com used with a personal Microsoft account (formerly Bing Chat), including the paid Copilot Pro tier, is not BAA-eligible. "Commercial Data Protection" is a different feature from HIPAA coverage, and the two are often confused. This guide explains what HIPAA actually requires of an AI tool, which Copilot products can be made compliant in 2026, what GCC and GCC-High change, and how to keep PHI from leaking when staff use personal Copilot accounts.

    What HIPAA requires of any AI tool

HIPAA is implemented through three rules, all of which attach when an AI vendor processes PHI on your behalf:

    • Privacy Rule — defines PHI and the conditions under which it may be used or disclosed.
    • Security Rule — defines administrative, physical, and technical safeguards for electronic PHI (ePHI).
    • Breach Notification Rule — defines what counts as a breach and the timelines for reporting it.

    For Microsoft to lawfully process PHI on a covered entity's behalf via Copilot, three things must be true:

    1. Microsoft qualifies as a business associate because it creates, receives, maintains, or transmits PHI on the covered entity's behalf.
    2. The covered entity has a signed Microsoft HIPAA BAA (the standard Microsoft Online Services BAA, available through the Microsoft 365 admin center for eligible commercial customers).
    3. The Copilot product, in the configuration you actually use, supports the Security Rule's required safeguards.

    Without a BAA, sending PHI to Copilot is an unpermitted disclosure under the Privacy Rule, no matter how mature Microsoft's underlying infrastructure is.

    "Commercial Data Protection" vs. HIPAA coverage

    This is the single most common point of confusion in 2026, and it has caused real breach reports.

• Commercial Data Protection (CDP) — a Microsoft feature for Copilot Chat (the "Copilot" experience available via the Microsoft 365 app, copilot.microsoft.com when signed in to a commercial account, or the Copilot apps) that provides additional safeguards versus consumer use: prompts and responses are not used to train Microsoft's foundation models, are not retained by Microsoft beyond the chat session, and Microsoft has no eyes-on access to chat data. CDP is enabled when a user is signed in with an Entra ID work or school account that has CDP-eligible licensing.
    • HIPAA BAA coverage — the contractual extension of HIPAA obligations to Microsoft for specific Online Services. The Microsoft Online Services BAA covers a defined list of services; Copilot is included in that list when used as part of an eligible Microsoft 365 plan and configured per Microsoft's HIPAA documentation.

    CDP and the HIPAA BAA are complementary but distinct. CDP can be in effect on a tenant that has not signed the HIPAA BAA — and vice versa. For PHI handling, you need both: the HIPAA BAA accepted in the tenant, and a Copilot configuration that does not export PHI outside the BAA-covered services.

    Where Microsoft stands on HIPAA + Copilot in 2026

    As of April 2026, the practical map of Copilot products against HIPAA looks like this:

• Microsoft 365 Copilot (the licensed add-on for Microsoft 365 E3/E5/Business Standard/Premium and other eligible plans) — Covered by the Microsoft Online Services BAA when the customer has accepted it and is using Copilot within Microsoft 365 services that are HIPAA-eligible (Exchange, SharePoint, OneDrive, Teams, Word, Excel, PowerPoint, Outlook, Loop). Use is governed by Microsoft's "Data, Privacy, and Security for Microsoft 365 Copilot" documentation and the Microsoft Product Terms (which replaced the Online Services Terms).
    • Copilot Chat with Commercial Data Protection — When signed in with an eligible Entra ID account, prompts are not used for training or retained beyond the session. HIPAA coverage requires the BAA on top; CDP alone is not equivalent to a BAA.
    • Microsoft 365 Copilot for GCC and GCC-High — Available for US Government cloud customers, with additional FedRAMP, ITAR, and CJIS controls. HIPAA-eligible under the Government Online Services BAA when the customer has accepted it. Most US federal health agencies and contractors use one of these tiers.
    • Copilot Studio (low-code agent builder) — Eligible for use with PHI when built on HIPAA-eligible data sources and the BAA is in place. Connector-by-connector evaluation is required; not every connector is in scope.
    • Azure OpenAI Service / Azure AI Foundry / Azure AI Search — Covered under the Microsoft Online Services BAA for HIPAA-eligible Azure services. These are the right surfaces for application backends that need to call GPT-4-class models on PHI.
    • GitHub Copilot — Has its own data-handling story focused on code and is not part of the M365 Copilot HIPAA path. It is not covered for PHI under the M365 BAA.
• Free Copilot at copilot.microsoft.com (signed in with a personal Microsoft account) and consumer Copilot Pro — Not BAA-eligible. Cannot be used for PHI.

    For most US health systems, the practical question is: "Is our Microsoft 365 E5 tenant under the BAA, is Copilot licensed, and is the right CDP/configuration in force for the workforce?"

    What a HIPAA-aligned Copilot deployment looks like

    A health system, payer, life-sciences org, or digital-health vendor that wants to use Microsoft 365 Copilot on PHI typically needs to:

    1. Accept the Microsoft HIPAA BAA in the M365 admin center for the tenant. Confirm it covers the Online Services in use, including Copilot.
    2. Verify Copilot licensing is in place for the relevant users, on a HIPAA-eligible plan (E3/E5/Business Premium/Frontline + Copilot, or government equivalents).
    3. Confirm Commercial Data Protection is in effect for Copilot Chat usage — check that all relevant licenses include CDP and that admins have not disabled it.
    4. Configure data sources. Copilot grounds its responses in tenant data via Microsoft Graph. Lock down SharePoint sites, OneDrive shares, Teams, and Outlook so Copilot cannot surface PHI to unauthorized workforce members. The "oversharing" problem is the most-reported Copilot issue in 2025–2026.
5. Restrict workforce access. Block consumer Copilot endpoints (copilot.microsoft.com on personal Microsoft accounts) at the network or identity layer. Force SSO through Entra ID with the work account. Because the same hostname serves both personal and work sign-ins, a plain domain block also cuts off the sanctioned product; use identity-aware controls such as Entra tenant restrictions (which can block personal Microsoft accounts while allowing your own tenant) or a proxy/CASB that distinguishes the signed-in account.
6. Disable web grounding (Copilot's ability to query the web) for users handling PHI if the prompt could include PHI in the web query. Web-grounded queries are sent to Bing, which sits outside the Microsoft 365 service boundary that the BAA and CDP cover. Microsoft exposes admin policies for this.
7. Log access to satisfy the Security Rule's audit-control requirement. Copilot interactions are written to the Microsoft Purview unified audit log (record type CopilotInteraction); confirm auditing is turned on, and configure retention and review per your policy.
    8. Train the workforce specifically on what may and may not be sent. A signed BAA does not authorize pasting any PHI — only PHI the workforce member is otherwise permitted to disclose.
    9. Document risk assessment, BAA, configuration, and training records. HHS-OCR audits documentation, not just controls.

    The two steps most organizations underestimate are #4 (oversharing) and #5 (preventing personal-account Copilot use on work devices).

    The "shadow Copilot" problem

    The highest-frequency HIPAA exposure in 2026 is workforce members using consumer AI tools — including the free Copilot, ChatGPT Plus, Gemini Advanced, and Claude Pro — for clinical and administrative tasks because the personal account is faster than the sanctioned workflow. KLAS and HIMSS survey data through 2025 consistently put unsanctioned generative-AI use among US clinicians above 50%.

    Two technical controls help materially:

    • Browser-level redaction. A local-first tool such as Sonomos detects PHI categories — names, dates, MRNs, diagnoses, drug names, payer IDs — inside the browser and replaces them with reversible tokens before the prompt leaves the device. Even when staff use a non-sanctioned Copilot, ChatGPT, Claude, or Gemini account, the unmasked PHI never crosses the wire.
• Egress controls for AI domains. Add chat.openai.com, claude.ai, gemini.google.com, and similar consumer destinations to your DLP and CASB rules, and treat them the same way you treat traffic to a personal cloud-storage provider. Microsoft's own hostnames need more care: copilot.microsoft.com and m365.cloud.microsoft serve both personal and work sign-ins, so a blanket block also breaks the licensed, BAA-covered Copilot. For those, apply the control at the identity layer (allow the work tenant, block personal Microsoft accounts) rather than at the domain.

    Both controls are additive, not substitutes for a BAA. They reduce the size and severity of a leak when policy slips.
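The round trip the browser-level redaction control relies on, as an added example that is not Sonomos code or any vendor's implementation: detect PHI spans on-device, swap each for a stable placeholder token, send only the tokenized prompt, then put the original values back into the reply. The four regex detectors, the [[CATEGORY_n]] token format, the two-name roster and the sample prompt are assumptions made for this demo; a real tool would use NER and clinical lexicons for names, diagnoses and drugs.

```javascript
// Added example (not Sonomos code): reversible, on-device PHI tokenization of
// the kind the "browser-level redaction" control describes. The detectors,
// the [[CATEGORY_n]] token format and the sample prompt are assumptions made
// for this demo; a production tool would use NER and clinical lexicons, not
// four regexes.

// Detectors, in the order they run. Each hit becomes a token; the vault that
// maps tokens back to the original text never leaves the device.
const DETECTORS = [
  // Medical record numbers: hypothetical "MRN-" prefix plus 6-8 digits
  { category: "MRN", pattern: /\bMRN[-\s]?\d{6,8}\b/g },
  // Dates (US numeric or ISO); dates tied to an individual are PHI
  { category: "DATE", pattern: /\b(?:\d{1,2}\/\d{1,2}\/\d{2,4}|\d{4}-\d{2}-\d{2})\b/g },
  // US phone numbers
  { category: "PHONE", pattern: /\b\d{3}[-.]\d{3}[-.]\d{4}\b/g },
  // Names: a constructed two-entry roster stands in for a NER model
  { category: "NAME", pattern: /\b(?:Jane Doe|John Q\. Public)\b/g },
];

// Shape of the placeholders the model is asked to echo back unchanged.
const TOKEN = /\[\[[A-Z]+_\d+\]\]/g;

// Replace every detected PHI span with a stable token such as [[MRN_1]].
// The same original value always maps to the same token, so the model can
// still tell that two mentions refer to one patient without learning who.
function redact(text) {
  const vault = new Map();   // token -> original value (stays on device)
  const reverse = new Map(); // original value -> token
  const counters = {};
  let masked = text;
  for (const { category, pattern } of DETECTORS) {
    masked = masked.replace(pattern, (match) => {
      if (!reverse.has(match)) {
        counters[category] = (counters[category] || 0) + 1;
        const token = `[[${category}_${counters[category]}]]`;
        reverse.set(match, token);
        vault.set(token, match);
      }
      return reverse.get(match);
    });
  }
  return { masked, vault };
}

// Gate the prompt must pass before it crosses the wire: no detector still fires.
function containsPhi(text) {
  return DETECTORS.some(({ pattern }) => new RegExp(pattern.source).test(text));
}

// Put original values back into the model's reply. Only tokens present in the
// vault are swapped; a token the model invented or mangled is left visible so
// the user notices it rather than silently getting the wrong patient.
function rehydrate(text, vault) {
  return text.replace(TOKEN, (token) => vault.get(token) ?? token);
}

// Constructed sample prompt and a constructed model reply (no real patient).
const SAMPLE_PROMPT =
  "Summarize: Jane Doe (MRN-1234567, DOB 03/14/1961) called 555-867-5309 on 2026-02-03 about her refill.";
const SAMPLE_REPLY = "[[NAME_1]] ([[MRN_1]]) requested a refill on [[DATE_2]].";

function demo() {
  const { masked, vault } = redact(SAMPLE_PROMPT);
  return {
    masked,                                      // what the AI endpoint receives
    safeToSend: !containsPhi(masked),            // egress gate result
    rehydrated: rehydrate(SAMPLE_REPLY, vault),  // what the user sees
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points matter in practice. Tokens must be consistent (one value, one token) or the model loses the thread between mentions, and rehydration must only restore tokens that exist in the vault, since a hallucinated or edited token should surface as an obvious placeholder rather than as another patient's data.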

    Examples: what is and is not allowed

    The lines below assume a covered entity has accepted the Microsoft HIPAA BAA and licensed Microsoft 365 Copilot for the relevant users. Without that BAA, the answer to every "yes" example is "no, this is an unpermitted disclosure."

| Scenario | Compliant? | Why |
| --- | --- | --- |
| Clinician uses Microsoft 365 Copilot in Outlook (BAA, CDP, HIPAA settings) to summarize an email thread that includes patient PHI | Yes | Permitted disclosure to a business associate |
| Same clinician opens copilot.microsoft.com on a personal Microsoft account and pastes the same thread | No | PHI to a non-BAA account |
| Researcher uses Copilot in Excel (M365 tenant, BAA) to analyze a column of de-identified clinical-trial outcomes | Yes | De-identified data is not PHI |
| Researcher uses free Copilot to analyze the same data with patient initials and admission dates | No | Initials + dates remain PHI; non-BAA account |
| Health-tech team calls Azure OpenAI Service from a HIPAA-configured backend under the Online Services BAA | Yes | Permitted disclosure under the Online Services BAA |
| Front-desk staff drafts an appointment-reminder text in personal Copilot that includes patient name and visit date | No | PHI to a non-BAA account |
| Same staff drafts the message with "[Patient]" and "[Date]" placeholders in personal Copilot, then fills the values in the EHR | Yes | No PHI sent to Microsoft |
| Copilot summarizes a SharePoint site that the clinician should not have access to and surfaces another patient's PHI | No (oversharing) | Underlying access controls, not Copilot, are the failure |

    The pattern: keep PHI inside the BAA boundary, lock down the tenant data Copilot can ground on, and remove PHI before any prompt leaves the device for an unsanctioned tool.

    How Copilot compares to ChatGPT, Claude, and Gemini for healthcare

    All four major providers can be configured for HIPAA workloads under a BAA. The 2026 differences:

    • Workforce productivity integration. Microsoft 365 Copilot is uniquely deep inside the productivity surfaces clinicians already use (Outlook, Word, Teams, Excel, OneDrive, SharePoint). For organizations standardized on M365, this is the lowest-friction option.
    • Government clouds. Microsoft is the only major AI provider with mature GCC, GCC-High, and DoD cloud offerings for federal and federally regulated health work.
• Default training posture. All four exclude enterprise/BAA traffic from training. Consumer tiers (personal-account Copilot, ChatGPT Plus, Gemini Advanced, Claude Pro) each have their own training defaults and opt-out switches, and those defaults have changed more than once; verify the current setting for each provider rather than assuming.
    • Oversharing risk. Copilot's depth of integration is also its largest 2026 risk — over-permissive SharePoint and OneDrive sharing surfaces PHI to Copilot grounding for users who shouldn't see it. ChatGPT, Claude, and Gemini do not have this surface unless explicitly connected to your data.
    • Audit and admin controls. Microsoft Purview is the most mature audit and compliance plane of the four.

    The product-level "which is more HIPAA-friendly" question matters less than the organizational question: which BAA do you already have, where does your workforce already work, and how well can you keep them inside the covered tenancy?

    Frequently asked questions

    Does the Microsoft HIPAA BAA cover Microsoft 365 Copilot automatically?

    If your tenant has accepted the Online Services BAA and you have licensed Copilot on a HIPAA-eligible plan, Copilot use within the covered services is in scope. Confirm in the M365 admin center that the BAA is accepted and current, and that Copilot is licensed under a covered plan.

    Is Commercial Data Protection enough for HIPAA?

    No. CDP prevents Copilot Chat data from being used to train models or retained beyond the session, which is privacy-friendly, but it is not the same as the BAA. HIPAA requires the BAA. CDP plus the BAA is the correct posture.

    Is the free Copilot at copilot.microsoft.com HIPAA compliant if I just use it for "general questions"?

    If the prompts contain no PHI, HIPAA does not apply. The risk is that "general questions" routinely creep into specific cases — and free Copilot is not under a BAA. For any workforce that handles PHI, block the consumer endpoint and require sign-in to the work account.

    What about Copilot for Microsoft 365 GCC, GCC-High, and DoD?

    These are the right paths for US federal and federally regulated health customers. They include FedRAMP, CJIS, and ITAR controls, and are HIPAA-eligible under the Government Online Services BAA. Eligibility lists and feature parity with commercial Copilot evolve; verify the current list with your Microsoft account team.

    Can Copilot accidentally surface another patient's PHI?

    Yes — through the oversharing failure mode. Copilot grounds responses in the tenant data the signed-in user has access to via Microsoft Graph. If SharePoint sites or OneDrive folders are over-permissioned (very common in 2025–2026), Copilot will faithfully retrieve PHI the user can technically see but should not. Microsoft Purview, SharePoint Advanced Management, and Restricted SharePoint Search exist specifically to address this; treat them as required, not optional, for clinical workloads.

    What if my staff already pasted PHI into a personal Copilot account?

Treat it as a potential breach. Investigate the account's data and retention settings, document the disclosure, and run the Breach Notification Rule's four-factor risk assessment (the nature and extent of the PHI, who received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated). "We did not realize the tool was unsanctioned" has not been an effective defense in OCR enforcement.

    How does Sonomos relate to HIPAA?

    Sonomos is not a covered entity or business associate. It is a privacy layer that runs entirely in the user's browser and never receives PHI or any other data. By detecting PHI categories on-device and replacing them with reversible tokens before the prompt leaves the browser, Sonomos materially reduces the surface where PHI can leak — including to non-BAA Copilot, ChatGPT, Claude, or Gemini accounts. It is complementary to a properly executed BAA program, not a substitute for one.

    A short HIPAA + Copilot checklist

    • Accept the Microsoft Online Services BAA in your M365 tenant.
    • License Microsoft 365 Copilot on a HIPAA-eligible plan for the relevant users.
    • Confirm Commercial Data Protection is in effect; do not assume it covers HIPAA on its own.
    • Lock down SharePoint, OneDrive, and Teams permissions so Copilot grounding cannot surface PHI to the wrong user. Use Microsoft Purview and SharePoint Advanced Management.
    • Block or proxy consumer Copilot endpoints at the network and identity layers.
    • Deploy a local-first redaction tool to every browser used by clinical and administrative staff.
    • Add AI-bound traffic to your DLP, CASB, and audit-log review.
    • Train staff specifically on what may and may not be sent — verify with periodic walk-throughs.
    • Re-assess annually; the Online Services BAA service list and Copilot feature set change frequently.

    The bottom line

    In 2026, "Is Microsoft Copilot HIPAA compliant?" is the wrong question. The right questions are: which Copilot product am I using, is the Online Services BAA accepted in this tenant, is the licensing on a HIPAA-eligible plan, are SharePoint and OneDrive permissions tight enough that Copilot cannot surface PHI to the wrong user, am I sure my workforce isn't on the personal Copilot account, and what happens when they slip? Get those right and Copilot becomes the most workflow-integrated option available to a US health system. Skip any one of them and you are running on luck.
