HIPAA Business Associate Agreement for Digital Health Companies
By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ Most digital health companies are HIPAA business associates — not covered entities
- ✓ You have two-sided BAA obligations: sign BAAs for clients AND get BAAs from your own vendors
- ✓ AWS, GCP, and Azure all offer BAAs — Mixpanel does not; verify each analytics vendor individually
- ✓ The BA → sub-BA chain means a breach at any vendor in your stack can trigger HIPAA liability
Digital health companies occupy the middle layer in HIPAA's three-tier structure: covered entities (hospitals, clinics, health plans) engage digital health vendors as business associates, and those digital health companies in turn use their own infrastructure vendors as sub-business-associates. Understanding both sides of this chain is essential for HIPAA compliance.
Are You a Covered Entity or a Business Associate?
This is the foundational question for any digital health company's HIPAA strategy.
- Covered entity: Healthcare provider, health plan, or healthcare clearinghouse. Most digital health companies are not covered entities unless they directly provide clinical care (e.g., a telehealth platform that also employs physicians).
- Business associate: A company that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This is the typical status for digital health apps, remote monitoring platforms, patient engagement tools, analytics platforms deployed by health systems, and care coordination software.
If you are a business associate, you are directly subject to HIPAA's Security Rule and Breach Notification Rule, and must comply with the terms of any BAA you sign with a covered entity client. See our guide on when a HIPAA BAA is required for more detail.
The BA → Sub-BA Chain: Your Two-Sided Obligation
As a business associate, you have obligations flowing in two directions:
Incoming BAAs: Clients Sign BAAs With You
When a covered entity (a hospital, health plan, or physician group) deploys your digital health product and your product accesses PHI, the covered entity must execute a BAA with your company before sharing any patient data. You should have a standard BAA template ready to provide to customers, and your sales and legal teams should ensure every covered entity customer executes a BAA as part of the contract process.
Outgoing BAAs: You Sign BAAs With Your Sub-Vendors
Under HIPAA's Omnibus Rule, when you (as a business associate) engage a subcontractor that will access PHI, that subcontractor is a downstream business associate directly subject to HIPAA. You must execute BAAs with each sub-vendor whose platform touches your customers' PHI. This includes your cloud infrastructure, database providers, analytics tools, customer support platforms, and error monitoring services.
A breach at any sub-vendor is your problem too — the covered entity will look to your BAA for indemnification, and OCR may investigate your compliance as well as the sub-vendor's.
Cloud Infrastructure BAAs
The good news for cloud infrastructure: all three major cloud providers offer BAAs:
- AWS: AWS Business Associate Addendum (BAA) is available at no charge in the AWS Artifact console. It covers dozens of HIPAA-eligible services. Not all AWS services are covered — review the HIPAA-eligible services list before using any service to store or process PHI.
- Google Cloud Platform (GCP): GCP offers a BAA through its Cloud Data Processing Addendum. HIPAA-aligned services are listed in GCP's documentation.
- Microsoft Azure: Azure offers a BAA (called a Business Associate Agreement) available through the Microsoft Trust Center. Azure HIPAA-eligible services are documented separately.
Analytics and Observability Tool BAAs
This is where digital health companies most frequently introduce unprotected PHI into non-HIPAA-compliant platforms:
- Mixpanel: Does not sign BAAs. PHI must not be sent to Mixpanel. If you use Mixpanel for product analytics, you must ensure no PHI is included in the events you track.
- Amplitude: Offers enterprise BAA options. Contact their enterprise sales team for availability and scope.
- Segment (Twilio): Healthcare BAA available for enterprise customers. Verify directly with Segment before sending PHI.
- Datadog: Offers a HIPAA-compliant configuration with a BAA for enterprise plans. Confirm scope and configuration requirements.
- Sentry: Offers a BAA as part of their Business plan and above. Ensure error events do not include PHI in stack traces or error messages.
Review our checklist on whether your vendor signs BAAs before deploying any new analytics or observability tool in a PHI-touching environment.
Customer Support and CRM Tools
Customer support platforms (Zendesk, Intercom, Salesforce) that receive support tickets or conversations containing PHI require BAAs. Salesforce offers BAAs on enterprise health cloud plans. Zendesk and Intercom have BAA options. Review carefully — standard consumer-tier contracts typically do not include BAA provisions.
| Vendor | BAA Available? | Notes |
|---|---|---|
| AWS | Yes | Free via AWS Artifact; only HIPAA-eligible services covered |
| Google Cloud (GCP) | Yes | Via Cloud Data Processing Addendum |
| Microsoft Azure | Yes | Via Microsoft Trust Center |
| Mixpanel | No | Do not send PHI to Mixpanel |
| Amplitude | Enterprise only | Contact enterprise sales |
| Segment (Twilio) | Enterprise only | Verify scope directly |
| Datadog | Enterprise plans | Requires HIPAA configuration |
| Sentry | Business plan+ | Verify error events exclude PHI |
Generate a compliant BAA in 5 minutes
HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word
No subscription · PDF + Word · Free watermarked preview
Frequently Asked Questions
Is a digital health app a HIPAA covered entity or business associate?
Most digital health apps are business associates. A covered entity is a healthcare provider, health plan, or clearinghouse. A digital health company that provides software or services to covered entities is typically a business associate. As a BA, you must sign BAAs with clients AND get BAAs from your sub-vendors that touch PHI, per 45 CFR § 164.504(e).
What cloud vendors do digital health companies need BAAs with?
AWS, Google Cloud Platform, and Microsoft Azure all offer BAAs (Business Associate Addendums) for services used to process PHI. Ensure you execute the BAA and use only HIPAA-eligible services. For analytics, Mixpanel does not sign BAAs — avoid sending PHI to Mixpanel. Amplitude and Segment have enterprise BAA options.
Does a wellness app that doesn't bill insurance need a HIPAA BAA?
It depends. A purely consumer wellness app with no covered entity relationship is generally not subject to HIPAA. But if your wellness app is deployed by an employer health plan, hospital, or health insurer as a benefit, you are functioning as a business associate of that covered entity and HIPAA — including BAA requirements — applies.
What is the BA to sub-BA chain in digital health?
When you (a business associate) engage a subcontractor that accesses PHI, that subcontractor is a downstream business associate directly subject to HIPAA. You must execute BAAs with each sub-vendor touching PHI, creating a chain: covered entity → your company → your vendors. A breach anywhere in this chain can result in HIPAA liability for your company.
More Specialty BAA Guides