Microsoft Forms is HIPAA compliant only when three conditions hold: it is used as an in-scope service within an eligible Microsoft 365 or Office 365 subscription under an executed Microsoft HIPAA Business Associate Agreement; it is configured to meet the HIPAA Security Rule's administrative, physical, and technical safeguard requirements; and it is operated under HIPAA Privacy Rule controls that limit uses and disclosures of protected health information.
Microsoft Forms can collect patient and member information through surveys, intake questionnaires, screening tools, and internal workforce forms. Responses can include electronic protected health information when the form captures identifiers, appointment details, clinical descriptions, insurance information, or other data linked to an individual. HIPAA compliance depends on how the organization configures authentication, access permissions, sharing, retention, and downstream data handling across connected Microsoft services.
Microsoft states, “Microsoft Forms meets FERPA and BAA protection standards.” Forms can meet HIPAA obligations only when the surrounding Microsoft 365 environment applies access controls, audit controls, integrity controls, and transmission security aligned to the organization’s risk analysis and risk management process. Administrative controls must define approved use cases, permitted data elements, and workforce rules for collecting and viewing protected health information through forms. Technical controls must restrict form ownership and response access to authorized workforce members through unique user identification and appropriate authentication, and must control external sharing and link distribution that could expose responses to unauthorized parties.
A HIPAA Business Associate Agreement is required when a vendor creates, receives, maintains, or transmits protected health information on behalf of a HIPAA Covered Entity or Business Associate. Microsoft is willing to sign a HIPAA Business Associate Agreement for eligible Microsoft 365 and Office 365 services identified as covered under Microsoft’s contractual terms, and the agreement must be in place before using Microsoft-hosted services to collect, store, or transmit protected health information through Forms. Verification of in-scope services must cover the full workflow, including where responses are stored, how they are exported, and which connected services process notifications, collaboration, or automation.
Microsoft Forms can be used for HIPAA-regulated data collection when form design limits requested information to the minimum necessary for the stated purpose, free-text fields are controlled to reduce incidental disclosures, response access is restricted to authorized roles, and the organization applies retention, monitoring, and incident response procedures to form data and exports.
