HIPAA BAA is included in your online service agreement: https://portal.office.com/Commerce/supplements.aspx
Data Processing Terms (including the EU Standard Contractual Clauses) and the terms of Microsoft’s HIPAA Business Associate Agreement (BAA) are included in the Online Services Terms, which are incorporated into and part of your Microsoft Online Subscription Agreement.

While customers can use Office 365 and CRM Online and remain compliant with HIPAA and the HITECH Act, using Office 365 and CRM Online does not on its own achieve HIPAA compliance. Your organization also needs to ensure it has taken appropriate steps to meet HIPAA’s and the HITECH Act’s requirements, including using the Office 365 and CRM Online service appropriately and training your employees to do the same.

To assist customers with this task, Microsoft has developed HIPAA Implementation Guidance. The guidance describes concrete steps your organization should take to maintain HIPAA and HITECH Act compliance while using Office 365 and CRM Online. Office 365 and CRM Online help enable our customers' HIPAA compliance, provided the customer has an adequate compliance program and internal processes in place, including those described in the HIPAA Implementation Guidance.

Customers should read the Business Associate Agreement and the HIPAA Implementation Guidance, which provide the legal guarantees and recommended requirements for using Office 365 and CRM Online with HIPAA and the HITECH Act.

Additionally, Microsoft has published a HIPAA White Paper which provides details about our approach to HIPAA and the HITECH Act.