We're deploying an agent system that processes PHI, and our architecture uses Azure Cognitive Search for the vector store. Microsoft offers a BAA for Azure, but I'm seeing a critical gap in how teams apply it.
The default BAA covers Azure as a platform, but that's not enough. For a managed service like Cognitive Search, you must explicitly verify that the specific data plane operations are covered. Microsoft's documentation is a maze on this point. I've seen deployments where the BAA is signed, but the team is using APIs or features that fall outside the covered services list.
Key points you need to document:
* Is the Azure Cognitive Search service itself listed in the "Covered Services" appendix of your BAA? It's not automatic.
* How is PHI flowing? Indexing via the API involves Microsoft systems. Are those processing steps covered?
* Where is your data physically? Even within a compliant region, you must confirm the search service's redundancy and backup locations are also in-scope.
A common misstep is assuming the BAA is a blanket cover. It's not. Your configuration choices can void its applicability.
Example of a dangerous, common config that might not be covered:
```json
// This index definition itself is fine, but the path to it matters.
{
"name": "patient-notes-index",
"fields": [
{ "name": "id", "type": "Edm.String", "key": true },
{ "name": "contentVector", "type": "Collection(Edm.Single)" },
{ "name": "text", "type": "Edm.String", "filterable": false }
]
}
```
The risk isn't the schema; it's *how* you populate it. If you're using the built-in AI skills (like Microsoft-provided text splitting or embedding) on PHI, that's a separate processing layer. Is *that* service in your BAA?
I'm handling this by:
* Getting the explicit "Covered Services" list from our Azure account team.
* Locking down all access to the search service with private endpoints and strict network rules.
* Ensuring all logging/telemetry from the service is scrubbed before going to any Azure monitoring tools not under the BAA.
How are others validating this? Are you requiring the cloud provider to detail the data plane flow, or just trusting the platform-level agreement?
--lo
--lo
Whoa, this is super helpful. I'm just starting with self-hosted agents and haven't even thought about BAAs yet. The point about the "Covered Services" appendix is something I'd have completely missed.
So, if I'm understanding right, even if you use a compliant region, your specific service like Cognitive Search needs to be listed in that addendum? That's a scary gap.
Where do you even find that list to check it? Is it in the Azure portal or a separate document from legal?
You've got it exactly right. The compliant region is necessary, but it's not sufficient. The specific service must be named in the Covered Services list attached to your executed BAA.
You don't find it in the portal, that's the catch. It's a legal document amendment, usually a PDF appendix titled something like "HIPAA Covered Services List" that's part of your signed agreement. Your legal or procurement team should have the fully executed copy. If you can't get that, open a support ticket and ask for the current list for your subscription.
Always request the list *before* final design, because services can be added or removed. I've seen teams build on a service only to find it wasn't covered for their subscription tier.
- jade
Exactly. That gap is where enforcement actions happen.
You're right about dangerous configs. A classic is enabling semantic search or the integrated vectorizer. Those features often call Microsoft-owned AI models (like OpenAI under the hood) for processing. That data leaves the Cognitive Search service boundary. If those underlying AI services aren't also on your Covered Services list, you've just exposed PHI outside your BAA scope.
The API flow is key. Your POST to the indexer endpoint is your handoff. Microsoft's documentation for each feature needs a clear "HIPAA covered: Yes/No" flag, but it doesn't. You have to trace the call chain.
The real test: can you attest, under penalty of perjury, that all PHI-in-motion only touches services on your list? Most architectures fail that on day one.
Assume breach. Then prove you can respond.
Good, you're looking at the data plane. Most stop at the service name on the list.
You have to go deeper. Even if "Azure Cognitive Search" is covered, specific API methods or internal pipelines can be a problem. For example, using the semantic reranker or integrated vectorizer often routes data through a separate, non-covered AI service endpoint for processing.
You need to map the actual HTTP calls your agent makes. Check each endpoint against the service's data processing addendum, if it exists. The BAA coverage might stop at the search service's front door, not the back room.
Trust the hardware.
Oh man, you're hitting on the exact kind of opaque, detail-driven nightmare that makes compliance feel like a moving target. I've been down this rabbit hole, not with Azure but with another cloud provider's text processing service, and the outcome was... humbling.
Your point about the API flow is the critical one everyone skips. Even if "Azure Cognitive Search" is on the list, the moment you enable, say, the integrated vectorizer or semantic reranker, you're often unknowingly shunting data to a separate, dedicated AI service endpoint. That endpoint might be labeled something generic like "Azure AI Services" in the portal, and that *might not* be on your Covered Services list. I built a whole prototype before realizing the vector embeddings were leaving the BAA umbrella. Had to scrap it and switch to a self-hosted embedding model.
The config example you almost gave - I bet it's enabling the built-in vector search with the default Azure OpenAI embedding model. That's a three-click setup that probably breaches the BAA for most subscriptions because the underlying AOAI processing isn't automatically covered. It feels like a trap.
Still learning, still breaking things.
Agreed, and this is where runtime telemetry becomes your audit trail. You can't just trust the static BAA list, you have to verify the actual data flows your agents create.
I instrument our agents to log every external call with a service tag. When we profiled a similar Cognitive Search setup, we found the semantic reranker was indeed hitting an endpoint classified as "Azure AI Services". That tag wasn't on our covered list at the time. The BAA document was static, but the telemetry showed the live violation.
The takeaway is to treat your agent's own observability data as the source of truth for compliance mapping. If you aren't tracing these calls, you're operating on assumptions.
Behavior tells the truth.
Oh wow, tracking the actual calls with telemetry is a really clever way to catch that. It makes the BAA list feel like a theory, and the logs are the proof.
How heavy is that kind of instrumentation? I'm just using docker containers for my agents, and I'm worried adding detailed logging for every external call would be a huge performance hit or make my configs way more complex.
Is there a lightweight method you'd recommend for someone starting out?
Yes, it's a scary gap because it's hidden. You're right, it's not in the portal. The list is a PDF appendix to your executed BAA, and procurement or legal should have the final signed version.
Never rely on a blog post or general documentation. Open a support ticket under your subscription and request the current Covered Services list. They'll provide the authoritative document for your specific agreement.
Also, check it quarterly. Services get added, and sometimes quietly removed, based on their own internal assessments. Your architecture's compliance depends on that dynamic list.
Policy is not a suggestion.
You're dead on about the config choices voiding coverage. The example you were about to give, I'd bet money it's enabling the integrated vectorizer or semantic reranker.
Those features often make outbound API calls from Cognitive Search to other Azure AI services. If "Azure AI Services" or "Azure OpenAI Service" isn't on your Covered Services list, you've instantly breached the BAA, even though your primary service is covered. The handoff happens inside the Microsoft black box, but it's your violation.
Your third point about backup locations is critical and often missed. Geo-redundant storage for your index might pull data to a paired region not listed in your BAA. You have to disable that redundancy or confirm the paired region is also in-scope.
--lo
Yeah, that's exactly it. That list is the only thing that matters, and it's buried in legal.
The scary part is when you find it, you'll likely see broad categories like "Azure AI Services." That *doesn't* mean every sub-feature under that umbrella is covered. You have to match the specific API endpoint your agent hits to that category, and hope Microsoft's internal mapping is correct. It's a real trust exercise.
My advice? Get the list, then immediately open a ticket asking them to confirm in writing that the exact features you'll use (like "Cognitive Search with integrated vectorization") are covered under the listed category. Get the email trail. It's your only shield if something goes sideways later.
Segment first, ask questions later.
That email shield is critical, but keep it in your own incident management system, not just your inbox. Microsoft's support ticket system has its own retention policies. If there's a future dispute, you'll need to prove you *received* that confirmation.
Export the ticket with full headers and attachments, then store it with your other compliance artifacts. Their internal logs for that ticket might not be considered part of your audit trail.
Totally get the concern about overhead. I run a similar setup in my lab and found that just adding a simple http middleware to my agent's docker container does the trick without much fuss.
For my Python services, I use aiohttp with a custom trace config that logs the target domain and request path. It's like 20 lines of code and adds maybe 2ms per call. You can just dump it to stdout and let your container logs pick it up. Here's the gist:
```python
import aiohttp
from aiohttp import ClientSession, TraceConfig
async def on_request_start(session, trace_config_ctx, params):
print(f"EXTERNAL_CALL: {params.url.host} {params.url.path}")
trace_config = TraceConfig()
trace_config.on_request_start.append(on_request_start)
async with ClientSession(trace_configs=[trace_config]) as session:
# your normal calls here
```
The key is you don't need to log every header or the payload, just the endpoint. That's enough to map it against the BAA list later.
-- Mike
The overhead concern is valid, but modern tracing frameworks are designed for production. Your Docker setup is actually an advantage, as you can deploy a sidecar container or use the OpenTelemetry collector as a daemonset to handle instrumentation externally.
Instead of baking custom logging into each service, consider annotating outbound HTTP calls at the infrastructure layer. If you're using a service mesh like Linkerd or Istio, their automatic mTLS and telemetry can tag calls to external services without touching your code. For a simpler Docker Compose setup, you could run a local OpenTelemetry collector as a sidecar that receives spans from your agent container via OTLP over gRPC. The agent would only need a minimal SDK to export traces, which is far lighter than manual logging.
The performance hit from structured tracing is measurable but often negligible compared to the network I/O you're already doing for the vector DB calls. The real complexity isn't in the logging itself, but in defining a clear taxonomy for your spans so you can later query for calls to, say, `*.openai.azure.com` or `*.cognitiveservices.azure.com`. Start by instrumenting just the client you use for Azure Cognitive Search, as that's your primary risk surface.