Recommended HIPAA Compliance Microsoft 365 Pricing - Enterprise

Microsoft 365 does not have a separate HIPAA-compliant plan, but certain Microsoft 365 or Office 365 plans include tools and features that support HIPAA compliance. Organizations that need HIPAA compliance typically use higher-tier plans that provide access to the advanced security and compliance features required to safeguard protected health information (PHI).

Here’s an overview of the relevant plans and pricing considerations:

1. Recommended Plans for HIPAA Compliance

  • Microsoft 365 E3 and E5: These enterprise plans offer advanced security, compliance, and data protection features needed for HIPAA compliance.
    • E3 includes Data Loss Prevention (DLP), Microsoft Purview Information Protection (formerly Azure Information Protection), and auditing capabilities.
    • E5 includes all E3 features plus advanced threat protection, Microsoft Defender, and more extensive compliance tools.
  • Microsoft 365 Business Premium: Intended for small to medium-sized organizations, this plan includes security and compliance tools such as DLP and conditional access, and is suitable for basic HIPAA requirements.
  • Office 365 E3 and E5: These plans offer compliance features similar to those of Microsoft 365, but without Windows 10 and Enterprise Mobility + Security (EMS) integration.

2. Microsoft Purview Add-ons for Enhanced Compliance

Microsoft Purview is a suite of compliance tools that can be added on for organizations requiring specialized compliance capabilities. Some features might require additional licensing:

  • Advanced Compliance Add-ons: These include tools such as Insider Risk Management, Communication Compliance, and Advanced eDiscovery.
  • Microsoft Purview Message Encryption and Advanced Audit: For organizations needing extra security and auditing capabilities around PHI.

3. Microsoft Defender for Office 365

  • Defender Plan 1: Provides basic threat protection.
  • Defender Plan 2: Provides advanced threat protection, recommended for organizations handling sensitive data like PHI.

4. Azure Active Directory Premium P1 or P2 (for Conditional Access)

  • P1 offers MFA and conditional access, which are essential for enforcing secure login.
  • P2 includes advanced identity protection features, useful for managing privileged accounts and further securing access to PHI.

Pricing Estimates (Subject to Change)

  • Microsoft 365 E3: Around $36 per user/month.
  • Microsoft 365 E5: Around $57 per user/month.
  • Microsoft 365 Business Premium: Around $22 per user/month.
  • Microsoft Defender for Office 365 Plan 1: Around $2 per user/month.
  • Microsoft Purview Add-ons: Priced separately based on needs.

These plans and add-ons provide flexibility depending on your organization’s needs, and Microsoft’s Business Associate Agreement (BAA) is included at no extra cost once these services are in place. For specific pricing tailored to your organization's size and requirements, consult Microsoft sales or a licensing partner.

Document: https://servicetrust.microsoft.com/DocumentPage/1284e08b-c98d-4516-97a9-5f600ee242f0#

