Question 1

Does Microsoft 365 cover HIPAA? Is there a Business Associate Agreement?

Accepted Answer

Yes. Microsoft offers a HIPAA Business Associate Agreement that is automatically incorporated into the Microsoft Online Services Data Protection Addendum for Microsoft 365 Business Premium, E3, E5, and CSP-channel licenses. Coverage includes Exchange Online, SharePoint, OneDrive, Teams, Defender for Office 365, Entra ID, Purview, Intune, and as of 2025 both Microsoft 365 Copilot and Copilot Chat. Consumer Copilot (copilot.microsoft.com) is NOT in scope.

Question 2

Is Microsoft 365 Copilot HIPAA-compliant for clinical use?

Accepted Answer

Microsoft 365 Copilot and Copilot Chat support HIPAA compliance under the Microsoft BAA when properly configured. Guardian configures the prerequisite governance: Purview DLP for PHI, sensitivity labels on patient records, audit logging, and scoped permissions. The consumer Copilot at copilot.microsoft.com and Copilot in Windows are NOT covered. ABT configures only the BAA-covered surfaces in your tenant.

Question 3

Why should I buy Microsoft 365 licenses through ABT instead of directly from Microsoft?

Accepted Answer

ABT is a Tier 1 Microsoft Cloud Solution Provider. We sell the same Microsoft 365 licenses at the same price as Microsoft. The difference is configuration. Licenses purchased through ABT come with Guardian Essentials, which applies HIPAA-aligned hardening that Microsoft does not enable by default. There is no markup. ABT earns its margin from Microsoft as a Tier-1 CSP partner.

Question 4

Is Microsoft 365 secure out of the box for a healthcare practice?

Accepted Answer

Microsoft secures the cloud infrastructure, but you are responsible for securing identities, devices, and PHI inside your tenant. Default settings prioritize ease of access, not HIPAA Security Rule compliance. Guardian closes that configuration gap with MFA, Conditional Access, device compliance, Purview DLP for PHI, and email authentication tuned for healthcare workflows.

Question 5

What is the HIPAA Security Rule NPRM and how does it affect us?

Accepted Answer

HHS proposed major HIPAA Security Rule updates in December 2024, expected to be finalized in 2026. Key changes: encryption mandatory at rest and in transit, MFA mandatory for all ePHI access, annual penetration testing, six-month vulnerability scans, continuous asset inventory, and 72-hour incident notification. Guardian already operates to this standard, so most ABT clients need no scramble when the final rule lands.

Question 6

What does OCR actually look for in a HIPAA audit?

Accepted Answer

OCR's 2025-2026 settlement pattern is consistent: inadequate risk analysis was cited in nearly every major fine (BayCare $800K, Assured Imaging $375K, Axia Women's Health $320K, Star Group $245K). Guardian's continuous monitoring IS automated risk analysis. We document control coverage continuously, not once a year before an audit.

Question 7

How does Guardian improve my Microsoft Secure Score?

Accepted Answer

ABT runs a 90-day hardening sprint configuring Conditional Access, MFA, Intune compliance, email authentication, Purview DLP for PHI, and sharing restrictions. Most healthcare practices start in the 30 to 40 percent range. After hardening, ABT clients average 93 percent. Guardian then monitors for drift so your score stays high between audits.

Question 8

What is the difference between Guardian plans?

Accepted Answer

All plans include the hardened Microsoft 365 Business Premium foundation. The difference is how much operational responsibility shifts from your team to ABT. Guardian Essentials is self-managed with hardened baselines. Guardian Core adds monitoring and device management. Guardian Pro adds advanced automation, Entra ID P2, and Tokenator. Guardian Advanced provides 24/7 managed detection and response. Most regulated healthcare practices choose Pro.

Question 9

Does ABT offer non-profit pricing for healthcare 501(c)(3) organizations?

Accepted Answer

Yes. ABT offers non-profit pricing on Microsoft 365 + Guardian for qualifying 501(c)(3) healthcare organizations — pregnancy resource centers, community clinics, FQHCs, free clinics, faith-based health ministries, behavioral health non-profits, and similar tax-exempt healthcare organizations. Mention your tax-exempt status when you reach out and we will quote at non-profit rates.

Question 10

What about state laws beyond HIPAA?

Accepted Answer

Multi-state operators face an overlay: California CMIA ($2,500 per patient), Texas HB 300, New York SHIELD Act, and Washington My Health My Data Act (with private right of action). Guardian tracks state-by-state requirements alongside HIPAA. We help you map controls once and satisfy multiple regulators.

Question 11

Does Guardian support Dragon Copilot for ambient clinical documentation?

Accepted Answer

Yes. ABT is an authorized CSP partner for Microsoft Dragon Copilot and provisions it under your existing Guardian tenant. Two license tiers are available: Flex (base license plus pay-as-you-go ambient AI usage) and Per-User (unlimited ambient usage). Dragon Copilot is premium-tier pricing best suited to specialty clinics, hospital-employed physicians, and high-volume practices where ambient documentation saves 1 to 2 hours per provider per day. The tenant hardening Guardian provides is the HIPAA foundation Dragon Copilot needs to operate safely on PHI. Talk to a Healthcare Specialist for current pricing and to validate whether the math works for your patient volume.

Question 12

How does Guardian prevent AI from oversharing patient data?

Accepted Answer

Copilot can only access what a user can access. If SharePoint permissions or file sharing are misconfigured, AI will surface PHI to anyone who asks. Guardian uses Microsoft Purview sensitivity labels for PHI, Data Loss Prevention policies tuned for healthcare data, and external sharing controls. Tokenator revokes hijacked sessions in real time so a compromised account cannot use Copilot to exfiltrate records.

Question 13

What types of healthcare organizations use Guardian?

Accepted Answer

Physician practices (1 to 50 docs), behavioral and mental health practices, specialty clinics, dental practices, outpatient clinics, and pregnancy resource centers. Organizations that need HIPAA Security Rule compliance, OCR-ready documentation, and a partner who understands healthcare regulatory requirements. ABT has served regulated industries for 25 years across 750+ institutions.

Question 14

What is Tokenator?

Accepted Answer

Modern attacks often bypass MFA by stealing browser session tokens. Tokenator is ABT's automated response engine that detects suspicious OAuth token behavior and immediately revokes compromised sessions. Critical for healthcare because a hijacked session can search and summarize PHI much faster than a human attacker.

Question 15

Is Guardian suitable for small practices?

Accepted Answer

Yes. Guardian Essentials starts at the same price as a standard Microsoft 365 Business Premium license. Small practices get HIPAA-aligned hardened security without additional cost. As needs grow, they can step up to Core or Pro without disruption because the foundation is already in place.

AI Clinical Productivity. HIPAA-Ready. Fully Managed.

Trusted by 750+ of the Nation's Leading Lenders, Banks & Credit Unions.

Four phases. Continuous cycle. No gaps.

Every layer of your Microsoft 365 environment.

It is not theory. Hospital systems and clinical companies are deploying this stack today.

OCR auditors will ask. What will your Secure Score say?

Choose Your Foundation

From Legacy Setup to Governed AI in 90 Days

Frequently Asked Questions

Learn more about Microsoft 365 security

HIPAA-Ready in
90 Days.

Company

Useful Links

Support