
Small business compliance checklist: the minimum baseline your firm needs

If you manage a small firm in a regulated industry, you need a compliance floor — not a full security program. This checklist covers exactly what that floor looks like and how much of it Business Premium already handles.

Elevate Solutions · June 26, 2026 · 4 min read

You manage a small firm in a regulated industry — law, healthcare, finance, accounting. A client questionnaire has a section on encryption you are not sure how to answer. A vendor wants your security policy in writing. Your state bar or a federal agency just published new cybersecurity guidance. None of that came with instructions.

This article covers the minimum compliance controls a small US firm must have, what each one costs in time and effort, and how much of it Microsoft 365 Business Premium already handles.

Small firms in regulated industries need a defined compliance floor — not an enterprise security program. Most of that floor is already included in Microsoft 365 Business Premium. The remaining gaps require process and documentation, not additional budget.

Why compliance frameworks mislead small firms

HIPAA, NIST CSF, SOC 2, and most state privacy frameworks were written for organizations with dedicated security teams. Applied literally to a six-person firm, they produce paralysis, not protection. The practical answer is to identify the controls that actually reduce your risk and satisfy regulators, then defer the rest until your firm grows into it.

The checklist below is that answer. Each item carries an effort rating: Low (a setting or a one-time click), Medium (an hour to an afternoon), or Ongoing (a recurring habit).

The baseline checklist

Identity and access

  • Multi-factor authentication on every account. Effort: Low. Turn on Security Defaults in the Microsoft Entra admin center, or enforce it with a single Conditional Access policy. No exceptions for owners or senior staff: attackers specifically target high-permission accounts. The only account that should sit outside the policy is one documented emergency-access (break-glass) account that nobody uses day to day.
  • Block legacy authentication protocols. Effort: Low. A Conditional Access policy in Microsoft Entra ID (formerly Azure Active Directory; the Entra ID P1 licence it needs is part of Business Premium) closes this gap. Legacy protocols such as POP, IMAP, and SMTP AUTH cannot perform MFA at all, so a stolen password is enough on its own, which makes this step non-optional. Exchange Online has already retired basic authentication for most of these protocols, but SMTP AUTH can still be turned on per tenant or per mailbox, so keep the policy in place and check the sign-in logs for any client still using it.
  • Least-privilege access. Effort: Medium. Staff should access only what their job requires. Review your admin roles: most people do not need Global Administrator, that role should be limited to one or two accounts at most, and those should be dedicated admin accounts separate from anyone's everyday mailbox. Use the narrower built-in roles (Exchange Administrator, User Administrator, Helpdesk Administrator) for routine tasks, and repeat the review at least annually.
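The three identity items above can be checked and configured from one PowerShell session. The script below is an added example, not code from the original article or from Elevate Solutions; it assumes the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`) is installed, that you sign in as a Global Administrator of your own tenant, and that `$BreakGlassUpn` names an emergency-access account you created beforehand (the address shown is a placeholder). It lists who holds Global Administrator, pulls 30 days of sign-ins to show which users and clients still authenticate with legacy protocols, and then creates the block-legacy-auth and require-MFA policies in report-only mode so you can review the impact before enforcing.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph is installed
# and you are signing in to your own tenant as a Global Administrator.
$BreakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # placeholder: your own emergency-access account

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'Directory.Read.All', 'User.Read.All'

# --- 1. Who holds Global Administrator? Expect one or two dedicated admin accounts. ---
$gaRole    = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id
"Global Administrators ($($gaMembers.Count)):"
$gaMembers | ForEach-Object { '  ' + $_.AdditionalProperties['userPrincipalName'] }

# --- 2. Is anything still signing in with legacy (MFA-incapable) protocols? ---
# Entra ID P1, included in Business Premium, retains 30 days of sign-in logs.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$modern = @('Browser', 'Mobile Apps and Desktop clients')
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern }
'Legacy-protocol sign-ins in the last 30 days (user, client, count):'
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending | Select-Object Count, Name

# --- 3. Block legacy auth and require MFA for everyone, via Conditional Access. ---
# Both policies start in report-only mode; flip state to 'enabled' once step 2 is clean.
$excluded = @((Get-MgUser -UserId $BreakGlassUpn).Id)   # break-glass account stays outside both policies

$blockLegacy = @{
    displayName   = 'BASELINE: Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $excluded }
        applications   = @{ includeApplications = @('All') }
        # 'other' covers IMAP, POP, SMTP AUTH and any other basic-auth client
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$requireMfa = @{
    displayName   = 'BASELINE: Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $excluded }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Two cautions before running it. Conditional Access cannot coexist with Security Defaults, so a tenant that still has Security Defaults switched on must turn them off first (Security Defaults already enforce MFA and block legacy auth, which is what these two policies reproduce with more control). And leave the policies in report-only mode until the step 2 output is empty, otherwise a scanner or line-of-business app still using SMTP AUTH stops working the moment you enforce.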

Devices

  • Endpoint protection on every work device. Effort: Medium (initial setup). Microsoft Defender for Business, included in Business Premium, provides next-generation antivirus plus endpoint detection and response (EDR) across Windows, macOS, iOS, and Android. Installing the agent is not the same as onboarding it: a device only shows up in the Defender portal once it is onboarded, and Intune can do that automatically for enrolled devices.
  • Device management policy. Effort: Medium. Microsoft Intune, also included, lets you enforce disk encryption (BitLocker on Windows, FileVault on macOS), screen lock, and remote wipe on every device that touches client data, and a compliance policy can block unencrypted or unpatched devices from signing in. Enroll every company-owned device. For personal phones used for work email, the practical alternative is an Intune app protection policy: it encrypts and controls the data inside Outlook and Teams and lets you wipe just the work data, without taking over the whole phone.
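Once devices are enrolled, the question a regulator or client will actually ask is whether every device is encrypted and checking in. The script below is an added example, not code from the original article or from Elevate Solutions; it assumes the Microsoft Graph PowerShell SDK is installed and that you sign in as an Intune administrator of your own tenant. It pulls the Intune device inventory and reports three things a small firm should look at monthly: devices that are unencrypted or non-compliant, devices that have gone quiet, and licensed users with no enrolled device at all, which is usually the personal phone reading work email outside management.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph is installed
# and you are signing in to your own tenant with Intune read permissions.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'User.Read.All'

$devices = Get-MgDeviceManagementManagedDevice -All

# --- 1. Enrolled devices that are unencrypted or fail the Intune compliance policy. ---
'Devices failing encryption or compliance:'
$devices |
    Where-Object { -not $_.IsEncrypted -or $_.ComplianceState -ne 'compliant' } |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, IsEncrypted, ComplianceState |
    Format-Table -AutoSize

# --- 2. Devices that have not synced in 30 days: stale, lost, or never retired. ---
'Devices not seen in 30 days:'
$devices |
    Where-Object { $_.LastSyncDateTime -lt (Get-Date).AddDays(-30) } |
    Select-Object DeviceName, UserPrincipalName, LastSyncDateTime |
    Format-Table -AutoSize

# --- 3. Licensed staff with no enrolled device at all. ---
$enrolledUpns = $devices.UserPrincipalName |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

'Licensed users with no enrolled device:'
Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property UserPrincipalName, AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 -and $_.UserPrincipalName.ToLower() -notin $enrolledUpns } |
    Select-Object UserPrincipalName
```

Phones protected only by an app protection policy are not enrolled devices and will show in the third list; treat that list as a prompt to confirm each person is either enrolled or covered by app protection, not as an automatic failure. Keep the output with your compliance records, since "every device is encrypted" is a claim you will be asked to evidence.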

Email and data

  • Email filtering. Effort: Low. Microsoft Defender for Office 365 Plan 1, included in Business Premium, blocks phishing attempts, malware attachments, and sender impersonation before they reach inboxes.
  • Encryption at rest and in transit. Effort: Low. Microsoft encrypts data stored in OneDrive, SharePoint, and Exchange Online at rest and uses TLS in transit; this is a service-side control that a tenant administrator cannot switch off, so the questionnaire answer is "yes, by default". The gap regulators actually find is the copy on an unencrypted laptop or USB stick, which is why the Intune disk-encryption requirement above matters. If you email a specific partner regularly, you can also add an Exchange Online connector that requires TLS for that domain rather than relying on opportunistic TLS.
  • Sensitivity labels on confidential files. Effort: Medium. Azure Information Protection Plan 1, the labeling capability now delivered through Microsoft Purview Information Protection, is included in Business Premium. Apply labels to client files, financial records, and anything covered by HIPAA or attorney-client privilege. A label is stored inside the file, so it follows a document that is forwarded or copied out of its folder; only a label configured to apply encryption actually restricts who can open it, so decide which labels are markings and which are locks.

Backup and recovery

  • Offsite backup. Effort: Medium (setup), Ongoing (verification). Microsoft 365 retention policies are not a backup: they keep deleted and edited content for a period, but they are not versioned copies you control, and a compromised admin account can change them. A separate backup solution that stores versioned copies of your mailboxes, OneDrive, and SharePoint data outside Microsoft's environment is required. Microsoft's own Microsoft 365 Backup service is a separately billed add-on and keeps its copies inside Microsoft's environment, so it does not on its own satisfy the offsite requirement. This is the one item on this checklist that Business Premium does not cover, and the one most commonly missing from small firm environments. Verification means restoring a file and a mailbox item from the backup at least quarterly and recording the date; an untested backup is an assumption, not a control.

Policies and agreements

  • Written information security policy. Effort: Medium. One to two pages. Who can access client data, how devices are managed, what happens if something goes wrong. Most regulators ask to see this. Write it once, update it annually.
  • Incident response plan. Effort: Medium. A short document: who you call, what you preserve, and who notifies clients or regulators. State breach notification laws impose deadlines, so this plan must exist before you need it.
  • Business associate agreements or data processing agreements. Effort: Low to Medium. If you handle protected health information, every vendor that touches that data needs a signed BAA. Microsoft's BAA is built into the Product Terms that govern your Business Premium subscription, so there is nothing extra to sign, but keep a copy in your compliance file. Audit your other vendors, including your backup provider and anyone with admin access to your tenant.

What Business Premium already does for you

Business Premium includes MFA enforcement, conditional access, Defender for Business endpoint protection, Defender for Office 365 Plan 1 email filtering, Microsoft Intune device management, and Azure Information Protection Plan 1 — all under a single per-user monthly license designed for firms under 300 users. For a small firm, this single license tier covers the majority of technical controls on this checklist.

If you are already paying for Business Premium and have not configured these features, your biggest compliance problem is not budget — it is configuration.

What no software can do for you

No platform writes your policies, trains your staff to recognize a phishing email, or decides who gets access to which client files. The non-technical items on this checklist — the written policy, the incident response plan, the access review — take an afternoon, cost nothing in software, and are the items regulators most commonly ask to see first.

Start with the documentation. Get it on paper. Then work through the Business Premium configuration in order. For most firms of this size, that full sequence takes less than a month of focused effort.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions