What is a Business Associate Agreement (BAA)?

A BAA is the contract HIPAA requires between a Covered Entity (healthcare provider, health plan, healthcare clearinghouse) and a Business Associate (any vendor that creates, receives, maintains, or transmits PHI on the Covered Entity's behalf). The BAA contractually obligates the vendor to: safeguard PHI · only use it for permitted purposes · report any breaches · return or destroy PHI at contract end · ensure subcontractors also sign BAAs. Without a signed BAA, sharing PHI with a vendor is a HIPAA violation regardless of how 'secure' the vendor is.

Does signing a BAA make a vendor HIPAA-compliant?

No. The BAA is the START of HIPAA compliance work, not the finish. The vendor is contractually obligated to safeguard PHI, but YOU still own: configuration controls · access management · audit logging · encryption-at-rest setup · workforce training · risk assessment · breach response plan · subcontractor BAAs. Treating a BAA signature as 'we're HIPAA-compliant now' is the most common mistake first-time healthcare SaaS buyers make.

What if a vendor's BAA isn't in their standard contract?

Many enterprise vendors (Salesforce, Microsoft, Google, AWS) require requesting the BAA separately — often through a self-service portal (AWS Artifact, Microsoft Service Trust Portal, Google Workspace Admin Console) or via sales rep. Some require an enterprise contract tier (Google Workspace Business Plus or Enterprise · Microsoft 365 Business Premium or Enterprise). Smaller vendors often have it on request via support ticket. If a vendor refuses to sign a BAA, you cannot use them for any workflow involving PHI · period. No workaround is HIPAA-compliant.

Which categories of vendors most commonly DON'T sign BAAs?

Common gaps: consumer-grade analytics (Google Analytics 4 free tier · Mixpanel free · Heap free) often don't sign BAAs at free tier · sometimes available at paid tier with restrictions. Most CRMs (HubSpot · Pipedrive · Close) require Enterprise tier for BAA. Many smaller form tools (Typeform consumer · Tally · Google Forms consumer) don't sign BAAs. AI/LLM vendors (OpenAI · Anthropic) sign BAAs on enterprise contracts only. Social listening / marketing automation tools (Drift · Intercom marketing tier) often don't sign BAAs at standard tier. ALWAYS verify the specific tier requirement before architecting any PHI workflow.

How do I keep this list current for my own stack?

Three-step operator workflow: (1) inventory every SaaS that could potentially touch PHI in your workflow (start with a list, often 30-60 vendors for a small healthcare SaaS), (2) verify BAA availability on each vendor's current Security/Compliance/HIPAA documentation page — NOT this reference list which becomes stale, (3) request + sign BAAs for every vendor that will touch PHI before architecting that workflow. Track BAA status in your vendor inventory spreadsheet. Re-verify quarterly. Vendors change their BAA policies more than buyers expect.

SideGuy Operator Reference · HIPAA BAA · Verified 2026-05-17

HIPAA BAA Vendor List 2026
Which SaaS Sign BAAs vs Don't

50+ SaaS vendors categorized by Business Associate Agreement availability. Email · CRM · Analytics · Payments · AI/LLM · Storage · Comms · Productivity · Forms · Video. Operator-honest gotchas per vendor. Built for healthcare SaaS founders + HIPAA-covered ops teams who keep getting asked "does that vendor have a BAA?"

⚠️ Verify before relying. Vendor BAA policies change. This reference reflects state as of 2026-05-17. Always confirm current BAA availability + required tier on the vendor's own security/compliance page BEFORE architecting any PHI workflow.

Jump to vendor table ↓ Take the HIPAA hosting quiz →

The first thing every healthcare SaaS founder learns

Signing a BAA does NOT make a vendor "HIPAA-compliant." It makes the vendor contractually obligated to safeguard PHI on your behalf. You still own configuration, access controls, audit logging, encryption setup, workforce training, risk assessment, and breach response. The BAA is the start of HIPAA compliance work — not the finish.

What this reference IS good for: a starting-point inventory of vendors your team can use vs cannot use when PHI is in the workflow. What it's NOT good for: assuming every vendor in the "yes" column requires zero further work. Most "yes" vendors have specific tier requirements (Enterprise vs Standard), specific service-scope (some services in their stack are BAA-eligible, others aren't), and specific configuration requirements you still need to enforce.

Vendor BAA reference · by category

Status legend: ✓ Available · ⚠ Conditional (specific tier / service-scope required) · ✗ Not available (cannot use for PHI workflows period).

☁️ Cloud Infrastructure (BAA-eligible compute · storage · databases)

Vendor	BAA	Notes / Gotchas
AWS	⚠ Conditional	BAA via AWS Artifact (self-service). 200+ services BAA-eligible. Using non-eligible services with PHI = violation. ALWAYS verify current eligibility per service.
Azure	⚠ Conditional	Microsoft offers BAA via Online Services Terms. Auto-included for in-scope services. Verify HIPAA-eligible service list before architecting.
Google Cloud	⚠ Conditional	BAA via Google Cloud Healthcare API contract. HIPAA-aligned services list maintained by Google. Vertex AI + BigQuery + Healthcare API are HIPAA-aligned.
Aptible	✓ Available	HIPAA + HITRUST baked into platform. BAA standard on every contract. Inherit-control-from-platform model. Best for first-time HIPAA SaaS.
Datica / Catalyze	✓ Available	Healthcare-specific managed services. BAA standard. Narrower than AWS/Azure but purpose-built for healthcare workloads.
DigitalOcean	✗ Not available	No BAA offering. Cannot use for PHI workflows. Use AWS / Aptible / Datica instead.
Heroku	⚠ Conditional	Heroku Shield (Enterprise tier) supports HIPAA BAA. Standard Heroku does NOT. Verify Shield enrollment before relying.
Vercel	✗ Not available	No public BAA offering as of verification date. Cannot use for PHI. Static-only deployments without PHI are OK.
Netlify	✗ Not available	No BAA offering. Cannot use for PHI workflows.
Cloudflare	⚠ Conditional	BAA available on Enterprise plan. Standard / Business plans do NOT have BAA. Verify Enterprise contract before architecting.

📧 Email + Workspace

Vendor	BAA	Notes / Gotchas
Google Workspace	⚠ Conditional	Business Plus + Enterprise tiers support BAA. Standard / Starter do NOT. Admin console toggle required to enable HIPAA mode. Gmail + Drive + Docs + Calendar in scope; some Google add-ons not.
Microsoft 365	⚠ Conditional	Business Premium + Enterprise tiers support BAA. Auto-included via Online Services Terms. Outlook + OneDrive + Teams + SharePoint in scope; Personal/Home tiers NOT.
Postmark	✓ Available	BAA on request via support. Transactional email HIPAA-eligible. Avoid sending PHI in subject lines regardless.
SendGrid (Twilio)	⚠ Conditional	BAA via Twilio HIPAA pricing plan (Pro / Premier). Standard plans do NOT include BAA. Verify Twilio contract tier.
Mailgun	✓ Available	BAA available on Pay-as-you-go + Foundation + Growth + Scale plans. Verify current pricing-tier inclusion.
Mailchimp	✗ Not available	No BAA offering. Cannot use for PHI workflows including transactional emails containing PHI.
ConvertKit / Kit	✗ Not available	No BAA offering. Consumer marketing email tool.
ActiveCampaign	✗ Not available	No BAA offering. Cannot use for PHI workflows.

📊 Analytics + Product Analytics

Vendor	BAA	Notes / Gotchas
Google Analytics 4	✗ Not available	No BAA offering. Cannot use for PHI workflows. Healthcare SaaS must exclude PHI from GA4 tracking — never put patient IDs / health data in event parameters or user properties.
Mixpanel	✓ Available	BAA on Enterprise tier. Self-serve tiers do NOT include BAA. Verify Enterprise contract.
Amplitude	✓ Available	BAA on Enterprise + Growth tiers. Free + Starter do NOT include BAA. Verify tier.
Heap	✓ Available	BAA on Enterprise tier. Free + Pro tiers do NOT include BAA. Verify Enterprise contract.
Posthog	✓ Available	BAA on Enterprise tier. Cloud Scale + Self-hosted Enterprise both available.
Segment	✓ Available	BAA on Business + Enterprise tiers. Team / Free do NOT include BAA. Verify tier before routing PHI events.
Plausible	✗ Not available	Privacy-focused analytics but no formal BAA. Workaround: don't track PHI in event data — pageviews-only is fine since they don't capture PHI by design.

💬 Customer Comms + Support + Chat

Vendor	BAA	Notes / Gotchas
Zendesk	✓ Available	BAA on Enterprise tier. Standard tiers do NOT include BAA. Verify Enterprise contract.
Help Scout	✓ Available	BAA on Plus + Pro tiers. Standard does NOT include BAA.
Front	✓ Available	BAA on Scale + Premier tiers. Verify current tier inclusion.
Intercom	⚠ Conditional	BAA available on enterprise contracts only. Standard / Starter / Pro do NOT include BAA. Significant cost step-up.
Drift	✗ Not available	No public BAA offering at standard tiers. Verify with Salesforce (current parent) before relying.
Slack	⚠ Conditional	Slack Enterprise Grid with HIPAA-enabled workspace supports BAA. Standard / Pro tiers do NOT. Significant cost step-up.
Microsoft Teams	⚠ Conditional	Covered under Microsoft 365 BAA when on Business Premium / Enterprise tiers.
Discord	✗ Not available	No BAA offering. Cannot use for PHI workflows.

📞 SMS + Voice + CPaaS

Vendor	BAA	Notes / Gotchas
Twilio	⚠ Conditional	BAA via Twilio HIPAA pricing plan. Standard plans do NOT include BAA. Significant cost premium for HIPAA tier. Programmable Voice + SMS + Email all eligible at HIPAA tier.
Plivo	✓ Available	BAA available. Verify current contract.
Vonage	✓ Available	BAA available on enterprise plans. Verify tier.
Bandwidth	✓ Available	BAA available. CPaaS for SMS + voice + emergency services.
MessageBird / Bird	⚠ Conditional	Verify current BAA status — has changed during platform consolidation.

🤖 AI / LLM

Vendor	BAA	Notes / Gotchas
OpenAI (ChatGPT / API)	⚠ Conditional	BAA available on Enterprise + ChatGPT Enterprise / Team tier. Standard API + ChatGPT Plus do NOT include BAA. Verify Enterprise contract.
Anthropic (Claude)	⚠ Conditional	BAA available on Enterprise tier (Claude for Enterprise). Standard API + Claude Pro do NOT include BAA. Verify current tier.
AWS Bedrock	✓ Available	Covered under AWS BAA (BAA-eligible service). Use foundation models on Bedrock for HIPAA workloads.
Azure OpenAI	✓ Available	Covered under Microsoft 365 / Azure BAA. Includes GPT-4, GPT-4 Turbo, embedding models.
Google Vertex AI	✓ Available	Covered under Google Cloud BAA. Includes Gemini + PaLM 2 + Vertex AI Search for healthcare workloads.
Cohere	⚠ Conditional	Verify current BAA status with Cohere directly. Enterprise contracts may include.
Mistral AI	⚠ Conditional	Available via Azure (covered under Azure BAA) and AWS Bedrock (covered under AWS BAA). Direct Mistral platform: verify current BAA.

💼 CRM + Marketing Ops

Vendor	BAA	Notes / Gotchas
Salesforce	⚠ Conditional	Salesforce Health Cloud + Salesforce Shield support BAA. Standard Sales Cloud / Service Cloud do NOT include BAA. Significant cost step-up.
HubSpot	✗ Not available	No standard BAA offering. Workaround: don't store PHI in HubSpot — use it for non-PHI marketing/sales touches only.
Pipedrive	✗ Not available	No BAA offering. Cannot use for PHI workflows.
Close	✗ Not available	No BAA offering as of verification date.
Copper	✗ Not available	No BAA offering.

📝 Forms + Surveys

Vendor	BAA	Notes / Gotchas
Jotform	✓ Available	BAA available on HIPAA-enabled Gold + Enterprise tiers. Standard / Free do NOT include BAA. Toggle in account settings.
Formstack	✓ Available	BAA available on Platform + Enterprise tiers. Verify current tier.
Typeform	✗ Not available	No BAA offering. Cannot use for PHI workflows.
Google Forms	⚠ Conditional	Covered under Google Workspace BAA (Business Plus + Enterprise tiers) when HIPAA mode enabled in admin console.
SurveyMonkey	✓ Available	BAA available via SurveyMonkey for HIPAA (HIPAA Healthcare plan). Verify current tier.
Tally	✗ Not available	No BAA offering.

📁 Storage + Files + Collab

Vendor	BAA	Notes / Gotchas
Dropbox	⚠ Conditional	BAA available on Dropbox Business Advanced + Enterprise tiers. Standard / Plus / Family do NOT include BAA.
Box	✓ Available	BAA available on Box Enterprise + Business Plus tiers. Strong healthcare-vertical positioning.
OneDrive (M365)	⚠ Conditional	Covered under Microsoft 365 BAA (Business Premium + Enterprise tiers).
Google Drive (Workspace)	⚠ Conditional	Covered under Google Workspace BAA (Business Plus + Enterprise tiers).
Notion	⚠ Conditional	Notion supports BAA on Enterprise tier. Standard / Plus / Business do NOT include BAA.

📹 Video + Telehealth

Vendor	BAA	Notes / Gotchas
Zoom	⚠ Conditional	BAA available on Zoom for Healthcare plan. Standard Zoom Pro / Business / Enterprise tiers require explicit BAA enablement. Use Zoom Healthcare for PHI-containing visits.
Microsoft Teams	⚠ Conditional	Covered under Microsoft 365 BAA (Business Premium + Enterprise). Healthcare-friendly Teams templates available.
Doxy.me	✓ Available	Telehealth-specific platform. BAA standard. Built for healthcare from day 1.
Loom	⚠ Conditional	BAA available on Loom Business + Enterprise tiers. Verify current contract.
Vimeo	✗ Not available	No BAA offering.
Wistia	✗ Not available	No BAA offering as of verification date.

🔧 Operator field notes · 5 things first-time HIPAA SaaS buyers miss

BAA tier is the trap. Most enterprise SaaS sign BAAs only at their highest tier (Salesforce Health Cloud · Microsoft 365 Business Premium · Google Workspace Business Plus · Mixpanel Enterprise · OpenAI Enterprise). The cost step-up from standard tier to BAA-tier is often 3-5x. Budget for it BEFORE you commit to a vendor.
"Available" doesn't mean "automatic." Most vendors require you to REQUEST + SIGN the BAA separately. Some require submitting a ticket, some have self-service portals (AWS Artifact · Microsoft Service Trust · Google Admin). Track which BAAs you've actually signed in your vendor inventory · don't assume "available" means "in place."
Subcontractor BAAs cascade. If your vendor uses sub-processors (e.g., a CRM that uses AWS for hosting, that uses Twilio for SMS), each sub-processor handling PHI also needs a BAA. Vendor's BAA should warrant they have downstream BAAs with sub-processors. Verify the subprocessor list quarterly.
"HIPAA-compliant" is marketing language. No software is "HIPAA-compliant" inherently — only the implementation can be compliant. A vendor saying "we're HIPAA-compliant" without specifying BAA + tier + service-scope is vague marketing. Ask: "Do you sign a BAA? On what tier? Which of your services are in scope?"
Re-verify quarterly. Vendors change BAA policies. Tier requirements shift. Service-scope expands or contracts. Sub-processors change. Quarterly vendor inventory review takes 1-2 hours and catches BAA-coverage gaps before they become incidents. Add it to the calendar.

Need a HIPAA-stack sanity check?

If your vendor inventory has 30-60 SaaS in it and you're not sure which actually have BAAs in place — that's the most common shape SideGuy gets called for. PJ runs a HIPAA-stack audit + builds your vendor inventory + flags coverage gaps. No agency theater. No retainer. Text PJ direct · 5-message scope · honest yes/no on whether the audit fits.

📲 Text PJ · 858-461-8054 → $250 Operator Audit (Katie · SideGuy SEO Service)

HIPAA BAA Vendor List 2026Which SaaS Sign BAAs vs Don't