Which Vendors Sign a HIPAA BAA? (2026)

Most big cloud and SaaS vendors will sign a Business Associate Agreement — but on specific plans, for specific services, and with one gotcha that trips up most teams: a signed BAA alone doesn't make you compliant.

Quick answer

Yes — AWS, Google, Microsoft, Datadog, Twilio, Slack, Zoom and many others sign a HIPAA BAA for qualifying customers. The catches: many only offer it on a specific plan tier, and the BAA only covers the vendor's designated HIPAA-eligible services — not every feature.

A signed BAA is necessary but not sufficient. It creates the legal relationship; it does not configure the service securely or keep PHI out of an uncovered feature. You still own configuration, access control, and your risk assessment.

No BAA = no PHI. If a vendor won't sign one, you cannot route protected health information through it, period. Find an equivalent that will, or keep PHI out of that tool.

Common vendors & their BAA stance

A starting checklist — always confirm current terms with the vendor, since plans and eligibility change.

Vendor | Signs a BAA? | The catch
AWS | Yes | Accept via AWS Artifact; only HIPAA-eligible services are in scope. Using a non-eligible service for PHI breaks it.
Google Cloud / Workspace | Yes | Request/accept via admin console; the covered-products list defines scope. Configure to stay inside it.
Microsoft Azure / 365 | Yes | Available under Microsoft's compliance terms; in-scope services only, correct configuration required.
Datadog | Yes (conditional) | For qualifying customers, typically on the right plan and by request; covers designated services with proper configuration.
Twilio | Yes (restricted) | BAA available, but only certain products/configurations are HIPAA-eligible; confirm which channels qualify.
Slack | Plan-gated | Offered on paid/Enterprise tiers; free/basic plans typically not eligible.
Zoom | Plan-gated | Available via a healthcare-oriented plan/configuration; standard consumer plans aren't covered.
A vendor with NO BAA | No | Cannot touch PHI. No configuration makes a no-BAA tool compliant for protected health information.

Vendor terms shift. Treat this as a starting point and verify the current plan requirement and covered-services list directly with the vendor before sending any PHI.

The honest take

The mistake we see most — and it isn't "the vendor wouldn't sign."

Operator opinion

The dangerous failure isn't a missing BAA — it's a signed BAA that lulls a team into thinking the job is done. Getting the signature is the easy 20%. The 80% that actually keeps you compliant is staying inside the vendor's HIPAA-eligible services and configuring them correctly. We've seen teams with a perfectly executed AWS or Datadog BAA still mishandle PHI because they routed it through a feature the BAA didn't cover, or left a setting open. The paper protects the relationship; your configuration protects the data.

So treat the BAA as step one of three: (1) confirm the vendor signs one and on which plan; (2) execute it and get the covered-services list in writing; (3) configure your usage to stay strictly inside that scope, and document it in your risk assessment. Skipping step three is where audits find blood.

And never improvise around a "no." If a tool won't sign a BAA, it cannot handle PHI — there's no clever workaround, no "we'll just encrypt it ourselves." Either swap to an equivalent vendor that signs (there usually is one), or architect PHI out of that tool entirely. If you want a second set of eyes on which of your vendors actually need a BAA, and whether your current stack is in scope, text PJ — honest answer, no sales pitch.

Frequently asked questions

What teams Google before sending PHI to a vendor.

Which vendors sign a HIPAA BAA?

Most major cloud and many SaaS vendors will sign a HIPAA Business Associate Agreement (BAA) for qualifying customers — including AWS, Google Cloud and Google Workspace, Microsoft Azure and Microsoft 365, Datadog, Twilio, Slack, and Zoom. The important caveats are that many only offer a BAA on specific plan tiers (often Business, Enterprise, or a dedicated healthcare plan), and that signing the BAA only covers the vendor's designated HIPAA-eligible services — not necessarily every feature of the product. Always confirm current terms with the vendor, since eligibility and plan requirements change.

Does Datadog sign a HIPAA BAA?

Datadog will sign a HIPAA Business Associate Agreement for qualifying customers, but it typically requires the appropriate plan and a request through Datadog, and your environment must be configured so that protected health information (PHI) stays within the covered services. As with every vendor, the BAA covers Datadog's designated services and assumes you configure them correctly — it isn't a blanket "Datadog is now HIPAA compliant for anything you do" guarantee. Confirm the current plan requirement and covered-services list directly with Datadog before sending any PHI.

Does a signed BAA make me HIPAA compliant?

No. A signed BAA is necessary but not sufficient. It establishes the legal relationship and obligations between you (a covered entity or business associate) and the vendor (a business associate or subcontractor), but it does not configure the service securely for you. You still have to use only the vendor's HIPAA-eligible services, configure encryption and access controls correctly, limit who can see PHI, and run your own risk assessment and safeguards. Plenty of organizations have a signed BAA and are still out of compliance because they misconfigured the service or sent PHI through a feature the BAA doesn't cover.

What happens if I use a vendor without a BAA for PHI?

If you send, store, or process protected health information through a vendor that has not signed a BAA with you, you are out of compliance with HIPAA, full stop — there is no workaround. The BAA is the mechanism that lawfully extends HIPAA obligations to that vendor. Using a no-BAA tool for PHI exposes you to breach liability and potential penalties, and it's a common finding in audits. If a vendor won't sign a BAA, you cannot route PHI through it; you either find an equivalent vendor that will, or keep PHI out of that tool entirely.

How do I actually get a BAA from a vendor?

The process varies by vendor. Some make it self-service: AWS, Google, and Microsoft let you accept or request the BAA through an account/admin console or compliance portal. Others require you to be on a specific plan and to request the BAA through sales or support. The practical steps are: confirm the vendor offers a BAA, confirm which plan tier is required, request and execute the BAA, get the list of HIPAA-eligible/covered services, and then configure your usage to stay inside that scope. Keep the executed BAA and the covered-services list with your compliance records.

PJ Zonis, SideGuy Solutions
Built by PJ Zonis · SideGuy Solutions
Operator-honest, North County San Diego. No retainer, no sales call — a real human who'll tell you straight which of this you actually need.
💬 Text PJ · 858-461-8054