Microsoft Copilot Health Preview Raises Privacy and HIPAA Questions

News Room

Microsoft’s Copilot Health preview brings AI deeper into one of the most sensitive data categories: personal health information.

The US-only preview lets eligible consumer Microsoft 365 subscribers connect health records and wearable data, ask about lab results, and search for care. For IT leaders, the question is where consumer AI tools end and enterprise compliance obligations begin.

What Copilot Health does

Copilot Health is available to US users 18 and older with Microsoft 365 Personal, Family, or Premium subscriptions. Microsoft says work accounts are not eligible, which separates it from the Microsoft 365 Copilot services sold under commercial privacy, security, and compliance commitments. That distinction matters in practice: a recent Microsoft 365 Copilot bug processed emails marked confidential, a reminder that the boundary between consumer and enterprise Copilot features is a control IT should verify rather than assume.

The product centers on health data aggregation. Microsoft’s March announcement described HealthEx connections to records from more than 50,000 US hospitals and provider organizations, Function lab-result support, Apple Health wearable support, and provider search by specialty, location, language, gender, and insurance coverage.

Microsoft says Copilot Health is not meant to diagnose, treat, or prevent disease, and is not a substitute for professional medical advice. It describes internal safety testing and physician input, but has not published external, peer-reviewed evidence of clinical accuracy or outcomes.

Why privacy and HIPAA matter

Microsoft says Copilot Health conversations are separate from the broader Copilot experience, encrypted, not used to train AI models, and not used for advertising or sold to insurers, employers, or advertisers.

HIPAA also needs careful framing. HHS says the rules generally apply to covered entities and business associates, including health care providers, health plans, clearinghouses, and their vendors. A consumer app into which an individual loads their own health data is not automatically a HIPAA-covered patient portal or enterprise clinical system, and no business associate agreement stands behind it.

The Verge reported that Microsoft does not currently have a HIPAA-compliant version of Copilot Health, which Microsoft framed as a direct-to-consumer experience.

That does not make the data low-risk. Health records, lab results, wearable metrics, symptoms, medications, and insurance details remain sensitive even outside a traditional HIPAA relationship. For employers, health systems, insurers, and benefits teams, the practical risk is that staff misunderstand the tool's role, paste regulated patient or benefits data into a consumer service that carries no commercial compliance commitments, or overlook broader AI threats such as prompt-injection attacks against assistants that read untrusted documents.

IT leaders should state clearly whether consumer AI tools may be used with benefits documents, occupational health records, patient information, or other health files. That rule should sit alongside broader AI assistant governance, including access controls, audit logs, and data-layer security. Health care organizations should also expect patients to arrive with AI-generated summaries of their records or AI-drafted questions for clinicians.

Microsoft also cites ISO/IEC 42001 certification and an external physician panel. But ISO/IEC 42001 is an AI management-system standard, not proof of real-world clinical accuracy.

Next, IT leaders should watch for independent accuracy evaluations, broader wearable integrations, expansion beyond the US, and any link to Microsoft’s clinical AI products. Until then, organizations should set health data rules before consumer AI becomes part of everyday employee or patient behavior.

Also read: Perplexity Health is testing a similar health AI model built on records, labs, wearables, and personal context.
