🩺 HIPAA BAA VENDOR READ · OPERATOR-HONEST · NORTH COUNTY SAN DIEGO
HIPAA BAA vendor comparison 2026 · who signs · who restricts · what to expect
Mid-market healthcare-SaaS founders constantly underestimate how hard it is to actually GET signed BAAs from the SaaS vendors they're already paying. Some sign on the free tier. Some require enterprise contracts. Some refuse outright. You can't ship HIPAA compliance until your full vendor stack has BAAs in place — and the wrong stack choice means re-platforming mid-launch. Below is the operator-honest 11-vendor read · no consultant fees · no Calendly. If your specific vendor isn't covered or you're stuck on a BAA negotiation, text PJ — first hour is free.
Operator-honest tech-help · no jargon · no upsell to something you don't need.
The HIPAA BAA 11-vendor operator read
What's actually signable at your tier · what requires enterprise · what to skip
- Cloud infrastructure (AWS, GCP, Azure) — SIGNABLE but tier-gated. AWS: signs HIPAA BAA via AWS Artifact for any AWS account (free tier supported · activate BAA in console). Coverage is restricted to HIPAA-eligible services only (~120 of ~200 services qualify) · a non-eligible service that touches PHI is outside the BAA even after it's signed. EC2 + RDS + S3 + Lambda all eligible. GCP: signs via Google Workspace Admin (requires Business Standard or higher · ~$12/user/mo) OR via standalone GCP BAA at any tier. ~70 services HIPAA-eligible. Azure: signs via Microsoft Online Services Terms · auto-applies to any Azure subscription · ~140 services eligible. All three are reliable · the question is whether every service in your PHI path is on the vendor's HIPAA-eligible list · not whether the BAA gets signed.
- Communication tools (Slack, Email, SMS) — DEPENDS on tier. Slack: signs BAA only on Enterprise Grid plan ($15-25/user/mo). Standard / Business+ plans DO NOT support BAAs · PHI in Slack messages on those plans is a HIPAA violation. Email (Google Workspace): Business Standard ($12/user/mo) signs the BAA · Business Starter does NOT. SMS (Twilio): signs BAA on any paid account · but A2P 10DLC + custom carrier filtering may still leak PHI · use Twilio's HIPAA-certified product line (Conversations + Messaging Services). Microsoft 365: signs BAA on Business Standard ($12.50/user/mo) and above. The pattern: communication tools usually require BUSINESS-tier or higher · free/starter tiers don't sign.
- Database / data warehouse — SIGNABLE on most modern tools. Snowflake: signs BAA · requires Business Critical tier ($4/credit · ~3x Standard tier). BigQuery: covered under GCP BAA · works at any tier. Redshift: covered under AWS BAA · any tier. MongoDB Atlas: signs BAA · requires M30+ cluster tier ($0.54/hr minimum · ~$400/mo). PostgreSQL on managed providers (Heroku · Render · Neon · Supabase): VARIES dramatically · Heroku Private Spaces signs · Render Pro signs · Supabase requires Enterprise · Neon doesn't sign yet (as of 2026). Datadog / observability: Datadog signs BAA on Pro+ plans (~$15/host/mo). New Relic signs at Enterprise tier only. Sentry signs at Business tier. Don't forget this category: logs, traces and error reports routinely carry PHI, so the observability vendor needs a BAA just as much as the database does.
- AI / LLM vendors — SHIFTING FAST · most sign in 2026. OpenAI: signs BAA via OpenAI for Enterprise (the API has a separate HIPAA-compliant deployment · request via account manager). ChatGPT consumer tier does NOT support BAAs. Anthropic: signs BAA via Claude API (enterprise sales required · ask for HIPAA-compliant deployment). Claude.ai consumer tier does NOT support BAAs. Google Gemini API: covered under GCP BAA when used via Vertex AI (NOT the consumer Gemini app). Azure OpenAI: covered under Azure BAA · easiest LLM HIPAA path for most teams already on Azure. Pattern: the 2026 reality is that most major LLM vendors sign BAAs at enterprise tier · but the SETUP overhead (compliance review · contract negotiation) takes 4-8 weeks · plan accordingly · and confirm the BAA covers the exact endpoint your code calls · a consumer app and an enterprise API from the same vendor are not the same product.
- Compliance automation tools — MOST sign BAAs themselves. Vanta: signs BAA for any paid customer · HIPAA-ready monitoring frameworks built-in. Drata: signs BAA · HIPAA framework as add-on (~$5K/yr extra). Secureframe: signs BAA · HIPAA module on all plans. Sprinto: signs BAA · HIPAA framework included. Hyperproof / Scytale / Thoropass / Scrut / Delve / TryComp: all sign BAAs for paid customers. OneTrust: signs BAA · their HIPAA module is enterprise-tier. AuditBoard / LogicGate: sign BAAs at enterprise tier. Pattern: compliance vendors HAVE to sign BAAs because their entire customer base needs them · this is the EASIEST category.
- Vendor you can't get a BAA from? Pick a different vendor. Founders often try to negotiate BAAs with vendors who don't offer them · burning 4-8 weeks of sales-cycle delay. If a vendor refuses to sign a BAA · they're not the right vendor. Period. Examples of refusers in 2026: most consumer-tier SaaS (Calendly, Zoom Free, Discord, Notion Personal, Linear Free), most marketing automation (Mailchimp Free · Klaviyo Starter), most early-stage tools. Operator-honest move: identify vendors who refuse BAAs early · replace them BEFORE you build the integration · don't try to negotiate. The replacement cost is real but smaller than the lost-deal cost when an enterprise healthcare buyer audits your stack and finds a gap.
🩺 Either I help you negotiate a BAA today, or we audit the full stack
Get the BAA picture right · first hour is free
Text PJ and you've got two operator-honest modes. Mode one: you're stuck negotiating a BAA with a specific vendor right now · or trying to identify whether their offered BAA covers your actual use case · I sit next to your CTO or compliance lead for an hour and we walk through the contract language. Mode two: the operator audit — I read your full SaaS vendor stack · identify the 5-10 vendors who need BAAs · check which actually sign at your current tier · surface the gaps · and hand you the prioritized BAA-pursuit playbook in 3-5 days.
The first hour is free. Operator-honest: if your vendor stack is fundamentally not BAA-compatible (some early-stage product stacks aren't) · I'll tell you that operator-honestly and surface the replacement options. No Calendly, no contract, no SaaS minimum. Text 858-461-8054. SideGuy is in Encinitas — North County San Diego.