HIPAA BAA is included in your online service agreement https://portal.office.com/Commerce/supplements.aspx
Data Processing Terms (including the EU Standard Contractual Clauses) and the terms of Microsoft’s HIPAA Business Associate Agreement (BAA) are included in the Online Services Terms, which are incorporated into and part of your Microsoft Online Subscription Agreement.
While customers can use Office 365 and CRM Online and remain compliant with HIPAA and the HITECH Act, using Office 365 and CRM Online does not on its own achieve HIPAA compliance. Your organization also needs to ensure it has taken appropriate steps to meet HIPAA’s and the HITECH Act’s requirements, including using the Office 365 and CRM Online service appropriately and training your employees to do the same.
To assist customers with this task, Microsoft has developed HIPAA Implementation Guidance. The guidance describes concrete steps your organization should take to maintain HIPAA and HITECH Act compliance while using Office 365 and CRM Online. Office 365 and CRM Online help