The Direct Answer
Microsoft Copilot is not HIPAA compliant in its consumer form. Microsoft 365 Copilot can be used for HIPAA-regulated workloads under the Business Associate Agreement (BAA) Microsoft offers eligible enterprise customers, typically on Microsoft 365 E3/E5 and equivalent commercial plans.
The free Copilot, Copilot Pro consumer, and personal-account Copilot are not covered by a BAA and must never touch PHI. Microsoft 365 Copilot inherits the compliance boundary of your Microsoft 365 tenant, so coverage depends on an executed BAA and an eligible plan.
That is the legal layer. The questions your CISO and compliance lead will ask next are where Protected Health Information actually flows during inference, who controls the audit trail, and what happens if Microsoft changes terms; that answer differs from "we signed a BAA."
What HIPAA Actually Asks of a Tool Like Microsoft Copilot
No AI tool is "HIPAA compliant" by itself. HIPAA compliance is a property of the whole deployment: where PHI is stored, how it moves, and whether you can prove control.
The HIPAA Security Rule requires three things that bear directly on Copilot: access controls, audit controls (a record of who accessed PHI and when), and a signed BAA with any business associate that creates, receives, or processes PHI on your behalf.
For Microsoft 365 Copilot, that means the relevant questions are whether Microsoft is contractually a business associate for the service, whether the audit trail is complete, and whether PHI processing stays inside a boundary your compliance team can attest to.
Which Microsoft Copilot Tiers Are HIPAA-Eligible
Not every Copilot is the same product. HIPAA eligibility tracks the plan and whether a BAA is in place.
| Copilot tier | BAA coverage | PHI allowed? |
|---|---|---|
| Free Copilot / consumer | None | No |
| Copilot Pro (consumer) | None | No |
| Microsoft 365 Copilot (E3/E5 + BAA) | Under Microsoft's BAA | Yes, with BAA in place |
Microsoft 365 Copilot is an add-on to a commercial Microsoft 365 plan. It is eligible for HIPAA workloads only when your organization has executed Microsoft's BAA and the in-scope services are covered under it.
Where PHI Lives When Microsoft 365 Copilot Processes It
Microsoft 365 Copilot grounds its answers on your tenant's Microsoft Graph data and runs inference through Azure OpenAI inside the Microsoft 365 service boundary. Microsoft states that M365 Copilot prompts and responses are not used to train the foundation models.
That is meaningfully better than pasting PHI into consumer chat. But the data still resides in Microsoft's cloud, the audit trail is Microsoft's, and your continuity depends on Microsoft's terms and model availability.
For many health systems that is acceptable. For PHI-heavy, classified, or sovereignty-sensitive workloads, the deciding factor is that the PHI never sits on infrastructure the organization itself controls, which is exactly the gap a self-hosted platform closes.
The Cost Shape: Per-Seat Copilot vs. Usage or Owned
Microsoft 365 Copilot lists at roughly $30 per user per month, on top of the underlying Microsoft 365 license. That is a per-seat fee that scales with headcount regardless of how much each employee actually uses it.
| Organization size | Copilot @ ~$30/user/mo | Annual |
|---|---|---|
| 1,000 staff | $30,000/mo | $360,000 |
| 5,000 staff | $150,000/mo | $1,800,000 |
| ibl.ai (self-hosted) | flat license + GPU | does not scale per seat |
At 5,000 staff the per-seat bill is ~$1.8M/year whether or not most of those seats use Copilot for clinical work. A usage-priced or self-hosted platform charges for the work actually done, not the headcount.
The Self-Hosted Alternative: PHI on Infrastructure You Own
If the goal is to keep PHI on infrastructure you fully control, the alternative is a platform you own outright. ibl.ai ships as full source code you deploy in your own cloud, on-premise, or air-gapped.
PHI never leaves your environment, the audit trail is yours, and you run any model (GPT, Claude, Gemini, or open-source), so you are never locked to one vendor's terms. Pricing is a flat license or usage-based rather than per seat.
ibl.ai is family-owned and operated from New York, NY, a U.S.-headquartered, domestically owned long-term partner. For PHI-heavy health systems weighing Copilot, the question is whether a signed BAA is enough, or whether ownership of the data and the stack is the stronger posture.
Frequently Asked Questions
Is the free Microsoft Copilot HIPAA compliant?
No. Free Copilot and consumer Copilot Pro are not covered by a BAA and must not be used with PHI.
Does Microsoft sign a BAA for Copilot?
Microsoft offers a BAA covering in-scope Microsoft 365 services for eligible enterprise customers. Microsoft 365 Copilot falls under that boundary when a BAA is executed and the plan is eligible.
Is a BAA enough for HIPAA with Copilot?
A BAA satisfies the legal requirement, but it does not put PHI on infrastructure you own or hand you the audit trail. For sovereignty-sensitive workloads, a self-hosted platform closes that gap.