is microsoft forms hipaa-compliant

Is Microsoft Forms HIPAA-Compliant?

Microsoft Forms, a survey and data collection tool from Microsoft 365, helps users gather and analyze data. However, before using it, you must determine whether it complies with the Health Insurance Portability and Accountability Act (HIPAA).

This tool’s compliance with HIPAA is critical to ensuring the privacy and confidentiality of patient health data.

Is Microsoft Forms HIPAA-Compliant?

What Is Microsoft Forms?

Microsoft Forms provides a user-friendly interface for creating surveys, quizzes, and polls. It’s available to customers of Microsoft 365, Microsoft 365 Apps, and U.S. Government Community Cloud. The specific plans include a range of offerings, such as Office 365 A5, Microsoft 365 Business Premium, and Microsoft 365 F5.

Is Microsoft Forms HIPAA-Compliant?

Microsoft Forms is HIPAA-compliant and a suitable data collection tool for healthcare practitioners. Its Security and Privacy documentation explicitly mentions that the online survey creator complies with HIPAA. Therefore, you can safely use it to launch surveys and collect patient data.

Let’s examine the key features that make this tool a suitable data collection solution for healthcare providers:

Business Associate Agreement (BAA)

HIPAA requires covered entities and business associates to sign legal agreements demonstrating their commitment to safeguarding protected health information (PHI). Microsoft recognizes this requirement and offers a Business Associate Agreement. The BAA will attest that both Microsoft and the covered entity are committed to ensuring the security and privacy of PHI. 

Is Microsoft Forms HIPAA-Compliant?


Microsoft Forms implements strong encryption measures to ensure data privacy and security. It uses Transport Layer Security/Secure Sockets Layer (TLS/SSL), Advanced Encryption Standard (AES), and Internet Protocol Security (IPSec). Users can be assured that data at rest and in transit are protected.

Third-party certifications

Microsoft’s third-party certifications show that unbiased experts have reviewed the company’s security practices. Its services undergo audits for ISO/IEC 27001 certification and the HITRUST CSF certification. Moreover, the leading technology developer also includes FedRAMP assessments, where Azure and Microsoft Office 365 receive authoritative approvals.

Built-in resiliency and recoverability 

Microsoft 365 Data Resiliency Principles acknowledges the inevitability of challenges in software that uses cloud technology like theirs. The platform is designed to maximize reliability and minimize negative impacts on customers when issues arise. For example, security measures like active scanning and monitoring are employed to protect customer data from corruption, ensuring it is repairable and recoverable.

Is Microsoft Forms HIPAA-Compliant?

Tips to Ensure Microsoft Forms Compliance With HIPAA

Microsoft Forms provides all the security features for HIPAA compliance. However, its HIPAA compliance still largely depends on how your organization will put the federal law’s security and privacy guidelines into practice. 

Here are some tips:

  • Sign the Business Associate Agreement (BAA) – Healthcare organizations should activate the Business Associate Agreement (BAA) with Microsoft. Without a signed BAA, software that handles PHI cannot be considered HIPAA-compliant.
  • Implement access controls – Authenticate each Microsoft 365 user using multi-factor authentication. Administrators should use role-based access controls to restrict access to only authorized personnel.
  • Conduct regular HIPAA training – Educate users about HIPAA regulations and the specific guidelines for using Microsoft Forms. For instance, give best practices in ensuring that all data entered into the platform remain confidential. Regular training reduces the risk of accidental data breaches.
  • Constantly monitor usage – Track user activities within Microsoft Forms. Regularly review access logs, form submissions, and any changes to settings to promptly identify and address potential security incidents.
  • Stay informed about the latest features and updates – Stay in the know about updates and new features in Microsoft Forms and the broader Microsoft 365 ecosystem. Outdated systems could result in potential security vulnerabilities.
  • Endpoint security – Physical devices with access to Microsoft Forms and PHI should be limited to authorized personnel. Use passwords or locks for external storage, computers, and mobile phones. Moreover, use card readers, biometric scanners, and surveillance systems to monitor physical access to these devices.
  • Secure data disposal – Implement HIPAA-compliant protocols when disposing of data in Microsoft Forms. Review best practices in shredding or secure recycling to prevent unauthorized access to discarded information.
  • Emergency response – How a healthcare organization handles unexpected emergencies like natural disasters and hardware failures can significantly impact patient privacy, especially their PHI.

Ensure Patient Safety With HIPAA-Compliant Data Collection Tools 

Microsoft Forms, embedded within the Microsoft 365 suite, is a HIPAA-compliant tool for healthcare organizations. It provides a secure platform for healthcare professionals to conduct surveys and collect data while preventing potential HIPAA violations.

While Microsoft Forms is not the only HIPAA-compliant software data collection tool, it remains one of the most popular choices because of its user-friendly and secure features. However, it’s also worth looking into other online form-building tools specifically built for the healthcare industry. iFax is an excellent example.

With iFax, you can collect and manage health-related information securely and effortlessly. You can even fax the collected data online, saving you and your staff plenty of time. 

Sign up today to start creating HIPAA-compliant forms.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.

More great articles
Is Trello HIPAA Compliant?
Is Trello HIPAA Compliant?

Is Trello HIPAA compliant? Find out whether this Kanban-style project management tool is suitable for handling sensitive healthcare information.

Read Story
Best HIPAA-Compliant Answering Services
5 Best HIPAA-Compliant Answering Services

Here are five reputable HIPAA-compliant answering services tailored specifically for the healthcare industry.

Read Story
best hipaa-compliant phone service
5 Best HIPAA-Compliant Phone Services

Check out these five best HIPAA-compliant phone services for secure and private healthcare communications.

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.