Vendor BAA Guide
Does Google Workspace Sign a HIPAA BAA?
Yes — on all paid plans. Self-service via Admin console. Covers Gmail, Drive, Meet, Calendar, Chat, and more.
Read more →Vendor BAA Guides
Does your vendor sign a HIPAA BAA? Find out before you share any patient data.
Vendor BAA Guide
Does Microsoft 365 Sign a HIPAA BAA?
Yes — built into the Online Services Terms for all commercial plans. No separate contract required.
Read more →Vendor BAA Guide
Does Zoom Sign a HIPAA BAA?
Yes — but only on Zoom for Healthcare or eligible Business/Enterprise plans with HIPAA mode enabled.
Read more →Vendor BAA Guide
Does Slack Sign a HIPAA BAA?
Only on Enterprise Grid. Slack Pro and Business+ are not eligible — don't use standard Slack for PHI.
Read more →Vendor BAA Guide
Does Dropbox Sign a HIPAA BAA?
Yes — on Business and Business Plus plans. Free and personal accounts are not eligible.
Read more →Vendor BAA Guide
Does AWS Sign a HIPAA BAA?
Yes — AWS Business Associate Addendum available to all commercial accounts self-service through AWS Artifact.
Read more →Vendor BAA Guide
Does DocuSign Sign a HIPAA BAA?
Yes — on Business Pro and Enterprise plans. Learn which plan qualifies and how to request it.
Read more →Vendor BAA Guide
Does Stripe Sign a HIPAA BAA?
No — Stripe does not offer a HIPAA BAA. Healthcare organizations collecting PHI at payment need alternatives.
Read more →Vendor BAA Guide
Does Mailchimp Sign a HIPAA BAA?
No — Mailchimp does not sign HIPAA BAAs and is not compliant for healthcare email marketing with PHI.
Read more →Vendor BAA Guide
Does HubSpot Sign a HIPAA BAA?
Yes — but only with the Healthcare Hub add-on. Standard HubSpot plans are not HIPAA eligible.
Read more →Vendor BAA Guide
Does Salesforce Sign a HIPAA BAA?
Yes — but only for Health Cloud and specific healthcare products. Standard Sales Cloud is not covered by default.
Read more →Vendor BAA Guide
Does OpenAI Sign a HIPAA BAA?
Yes — for API and ChatGPT Enterprise customers. ChatGPT Free and Plus are not eligible for PHI.
Read more →Vendor BAA Guide
Does Anthropic Sign a HIPAA BAA?
Yes — for Claude Enterprise and qualifying API customers. Claude.ai Free and Pro plans are not covered.
Read more →Vendor BAA Guide
Does Microsoft Azure Sign a HIPAA BAA?
Yes — Azure's BAA is included in the Online Services Terms for all commercial accounts at no extra cost.
Read more →Vendor BAA Guide
Does Google Cloud (GCP) Sign a HIPAA BAA?
Yes — GCP's BAA is self-service via the Cloud Console and covers Compute Engine, Cloud Storage, BigQuery, and more.
Read more →Vendor BAA Guide
Does Twilio Sign a HIPAA BAA?
Yes — via Twilio's sales team for healthcare customers. SMS, Voice, Video, and SendGrid covered after BAA execution.
Read more →Vendor BAA Guide
Does SendGrid Sign a HIPAA BAA?
Yes — SendGrid (owned by Twilio) can be covered under Twilio's enterprise HIPAA BAA process for qualifying customers.
Read more →Vendor BAA Guide
Does Square Sign a HIPAA BAA?
No standard BAA. Square's general payment processing does not include HIPAA coverage — see alternatives for healthcare payments.
Read more →Vendor BAA Guide
Does Acuity Scheduling Sign a HIPAA BAA?
Yes — on the Powerhouse plan ($45/mo). BAA required for telehealth and therapy intake scheduling with PHI.
Read more →Vendor BAA Guide
Does Intercom Sign a HIPAA BAA?
No — Intercom does not offer a HIPAA BAA on any plan. Do not use Intercom chat for PHI-related conversations.
Read more →Vendor BAA Guide
Does Typeform Sign a HIPAA BAA?
No — Typeform is not HIPAA eligible and cannot be used for patient intake forms. See JotForm and Google Forms as alternatives.
Read more →Vendor BAA Guide
Does JotForm Sign a HIPAA BAA?
Yes — JotForm's HIPAA plan includes BAA execution and encrypted form data. One of few form builders that is HIPAA eligible.
Read more →Vendor BAA Guide
Does Zapier Sign a HIPAA BAA?
No — Zapier is not HIPAA eligible. Routing PHI through Zapier breaks your compliance chain even if both endpoints have BAAs.
Read more →Vendor BAA Guide
Does Calendly Sign a HIPAA BAA?
Yes — on Teams and Enterprise plans. Free and Standard Calendly cannot be used for telehealth scheduling that collects PHI.
Read more →Vendor BAA Guide
Does Notion Sign a HIPAA BAA?
No — Notion is not HIPAA eligible. Patient notes and records cannot be stored in Notion on any plan.
Read more →Vendor BAA Guide
Does Epic Sign a HIPAA BAA?
Yes — BAA provisions are embedded in Epic's standard implementation agreement. Third-party Epic integrations require separate BAAs.
Read more →Vendor BAA Guide
Does Cerner (Oracle Health) Sign a HIPAA BAA?
Yes — Oracle Health / Cerner includes BAA provisions in its implementation agreements. Verify coverage before go-live.
Read more →Vendor BAA Guide
Does SimplePractice Sign a HIPAA BAA?
Yes — all paid plans include a BAA. Self-service via Account Settings → Security. Used by 200,000+ mental health clinicians.
Read more →Vendor BAA Guide
Does TherapyNotes Sign a HIPAA BAA?
Yes — included in the standard subscriber agreement for all tiers. Purpose-built EHR for behavioral health providers.
Read more →Vendor BAA Guide
Does Doxy.me Sign a HIPAA BAA?
Yes on paid plans — but the free Doxy.me plan has NO BAA and cannot be used for telehealth sessions involving PHI.
Read more →Vendor BAA Guide
Does Athenahealth Sign a HIPAA BAA?
Yes — BAA is standard in the Athenaone/athenahealth enterprise agreement, covering all products.
Read more →Vendor BAA Guide
Does eClinicalWorks Sign a HIPAA BAA?
Yes — standard service agreement covers all products including the healow patient portal and telehealth module.
Read more →Vendor BAA Guide
Does Kareo (Tebra) Sign a HIPAA BAA?
Yes — Kareo rebranded to Tebra in 2022 after merging with PatientPop. BAA coverage continued through the rebrand.
Read more →Vendor BAA Guide
Does Sentry Sign a HIPAA BAA?
Business and Enterprise plans only — Free and Team plans have no BAA. Error monitoring logs can contain PHI in health apps.
Read more →Vendor BAA Guide
Does Datadog Sign a HIPAA BAA?
Enterprise plan only — Free and Pro plans have no BAA. Monitoring logs in healthcare infrastructure can contain PHI.
Read more →Vendor BAA Guide
Does Segment (Twilio) Sign a HIPAA BAA?
Business and Enterprise plans only — event data in health apps can contain PHI. Team plan has no BAA.
Read more →Vendor BAA Guide
Does Mixpanel Sign a HIPAA BAA?
Enterprise plan only — Free and Growth plans have no BAA. Analytics events in health apps frequently include PHI.
Read more →Vendor BAA Guide
Does Amplitude Sign a HIPAA BAA?
Enterprise plan only. Free and Growth plans have no BAA — product analytics in health apps can capture PHI.
Read more →Vendor BAA Guide
Does GitHub Sign a HIPAA BAA?
Yes — GitHub Enterprise via Microsoft's enterprise agreement. Standard GitHub.com plans have no BAA.
Read more →Vendor BAA Guide
Does Box Sign a HIPAA BAA?
Yes — Business Plus, Enterprise, and Enterprise Plus plans. Standard Business plan is not eligible.
Read more →Vendor BAA Guide
Does Monday.com Sign a HIPAA BAA?
Enterprise plan only — all lower tiers (Free through Pro) have no BAA. Not a clinical tool but may handle PHI in operations workflows.
Read more →Vendor BAA Guide
Does drchrono Sign a HIPAA BAA?
Yes — included in the standard service agreement. drchrono is now part of EverHealth / Global Payments.
Read more →Vendor BAA Guide
Does Zoom for Healthcare Sign a HIPAA BAA?
Yes — Healthcare tier only. Standard Zoom Free/Pro/Business plans have no BAA and cannot be used for telehealth involving PHI.
Read more →Vendor BAA Guide
Does RingCentral Sign a HIPAA BAA?
Yes — on Advanced, Ultra, and RingCentral for Healthcare plans with HIPAA configuration enabled.
Read more →Vendor BAA Guide
Does FullStory Sign a HIPAA BAA?
Enterprise plan only. Session replay tools are high-risk for PHI capture — requires privacy masking configuration alongside the BAA.
Read more →Vendor BAA Guide
Does Hotjar Sign a HIPAA BAA?
No — Hotjar does not offer a HIPAA BAA on any plan. Cannot be used on healthcare apps or patient portals that handle PHI.
Read more →How-To Guides
Practical guides for creating, negotiating, and managing HIPAA BAAs.
Step-by-Step Guide
How to Create a HIPAA BAA (Step by Step)
5-step process: identify business associates, confirm clauses, draft, execute, and store for 6 years.
Read more →Vendor Compliance
What to Do When a Vendor Won't Sign a BAA
Escalation tactics, how to present your own BAA template, and when you must stop sharing PHI.
Read more →BAA Process Guide
How to Review a BAA a Vendor Sent You
7 provisions to check before signing any vendor BAA — including breach notification timelines, permitted use scope, and PHI destruction terms.
Read more →BAA Process Guide
What to Do When a Vendor Wants to Change Your BAA
Which redlines are acceptable, which are red flags, and when a vendor's counter-proposal means you should walk away.
Read more →BAA Lifecycle & Process
Amendment, renewal, termination, cost, negotiation, audit readiness — every phase of BAA management covered.
BAA Cost Guide
How Much Does a HIPAA BAA Cost?
$0 (self-generated) to $3,000+ (custom attorney-drafted). Cost breakdown by method with guidance on when you need an attorney.
Read more →BAA Process Guide
How to Amend a HIPAA BAA
Step-by-step process for amending an existing BAA — what triggers an amendment, what must be included, and retention requirements.
Read more →BAA Lifecycle
Does a HIPAA BAA Expire? BAA Renewal Guide
BAAs don't auto-expire — but they should be reviewed whenever vendor agreements renew or services change materially.
Read more →BAA Lifecycle
How to Terminate a HIPAA BAA
Written notice, PHI return or destruction, and 6-year documentation — the 3-step termination process under 45 CFR § 164.504(e).
Read more →HIPAA Compliance
What to Do If You Discover a Missing BAA
Immediate action plan: stop sharing PHI, execute retroactively if possible, assess breach notification obligations.
Read more →BAA Process Guide
How to Negotiate a HIPAA BAA
4 provisions worth fighting for: breach notification timeline, permitted use scope, subcontractor disclosure, and PHI destruction terms.
Read more →HIPAA Compliance
How to Keep a BAA Compliance Log
Vendor tracking template covering all fields OCR expects — vendor name, BAA date, storage location, and last review date.
Read more →HIPAA Compliance
HIPAA BAA Audit Readiness
What OCR checks in a BAA audit: BA inventory, executed agreements, subcontractor enforcement, and remediation documentation.
Read more →HIPAA Enforcement
HIPAA BAA Enforcement: What OCR Has Penalized
Real enforcement actions, penalty tier breakdown ($141–$1.9M/year), and what makes OCR more likely to investigate.
Read more →HIPAA Compliance
Breach Notification When a Business Associate Is Involved
The BA-to-CE notification chain, the 60-day requirement, and why your BAA should require faster disclosure.
Read more →BAA Explainer
BAA vs. Data Processing Agreement (DPA)
HIPAA BAA vs. GDPR DPA — different legal regimes, different obligations. Organizations in both need both documents.
Read more →BAA Explainer
HIPAA BAA vs. SaaS Agreement: When You Need Both
A SaaS agreement and a BAA are separate documents. How to verify whether a vendor's ToS includes qualifying BAA provisions.
Read more →BAA Process Guide
Subcontractor BAAs: When BAs Need Their Own BAAs
Under 45 CFR § 164.308(b)(2), business associates must get BAAs from subcontractors who touch PHI. How the chain works.
Read more →BAA Process Guide
Can You Sign a HIPAA BAA Electronically?
Yes — under ESIGN and UETA. DocuSign, Adobe Sign, and admin console acceptance are all valid. How to document e-signed BAAs.
Read more →BAA Process Guide
What to Do If a Vendor Wants to Backdate a BAA
Backdating is legally and ethically problematic. What to do instead, and how to properly document a retroactive BAA gap.
Read more →Specialty & Vertical Guides
BAA requirements specific to your type of practice or business — covered entities and business associates.
Vertical Guide
HIPAA BAA for Chiropractors
Covered entity obligations — EHR, billing companies, imaging systems, and IT providers all require BAAs regardless of practice size.
Read guide →Vertical Guide
HIPAA BAA for Optometry
Optometrists are covered entities — EHR, imaging, billing, and patient recall vendors all require BAAs for clinical PHI.
Read guide →Vertical Guide
HIPAA BAA for Pharmacies
Pharmacies are HIPAA covered entities. Pharmacy management software, PBM interfaces, and delivery vendors require BAAs.
Read guide →Vertical Guide
HIPAA BAA for Home Health Agencies
Home health agencies face unique BAA challenges with field staff mobile apps, telehealth platforms, and subcontractor caregiver relationships.
Read guide →Vertical Guide
HIPAA BAA for FQHCs
Federally Qualified Health Centers have the same covered entity BAA obligations as private practices, plus 340B vendor considerations.
Read guide →Vertical Guide
HIPAA BAA for Urgent Care Clinics
Urgent care clinics serving occupational health and direct patients require BAAs for EHR, billing, imaging, and kiosk vendors.
Read guide →Vertical Guide
HIPAA BAA for Nursing Homes & SNFs
Long-term care facilities use broad vendor ecosystems — EHR, pharmacy, therapy, activity software, and family portals all require BAAs.
Read guide →Vertical Guide
HIPAA BAA for Hospice Providers
Hospice agencies handle sensitive end-of-life PHI. Volunteer management and bereavement platforms create overlooked BAA requirements.
Read guide →Vertical Guide
HIPAA BAA for Digital Health Companies
Digital health companies are typically business associates — they must sign BAAs for clients AND get sub-BAAs from their own cloud and analytics vendors.
Read guide →Vertical Guide
HIPAA BAA for Healthtech Startups
Two-sided BAA obligations: sign BAAs with healthcare clients AND get BAAs from cloud, analytics, and LLM vendors touching PHI.
Read guide →Vertical Guide
HIPAA BAA for Nurse Practitioners
Independent NPs operating their own practices have the same covered entity BAA obligations as physician-owned practices.
Read guide →Vertical Guide
HIPAA BAA for Concierge Medicine & DPC
"We don't bill insurance" does not exempt a concierge or DPC practice from HIPAA. BAA requirements apply regardless.
Read guide →Vertical Guide
HIPAA BAA for Dental Service Organizations (DSOs)
DSOs are typically business associates for affiliated practices. Group-level vendor contracts must include BAA coverage for all practices.
Read guide →Vertical Guide
HIPAA BAA for Healthtech Agencies
Software agencies building HIPAA systems are business associates. PHI in Jira tickets, Slack, or error logs creates compliance violations.
Read guide →Vertical Guide
HIPAA BAA for Clinical Laboratories
CLIA-certified labs are HIPAA covered entities. LIS vendors, billing, and reference lab interfaces all require BAAs.
Read guide →Vertical Guide
HIPAA BAA for Dental Labs
Dental labs are business associates — the dental practice must provide the BAA before sharing any patient-identifiable case information.
Read guide →Vertical Guide
HIPAA BAA for Ambulance & EMS Services
EMS agencies are covered entities. EMS software, dispatch platforms, CAD systems, and billing companies all require BAAs.
Read guide →Vertical Guide
HIPAA BAA for Behavioral Health Organizations
Covers HIPAA + 42 CFR Part 2 for mental health and SUD providers. EHR (SimplePractice, TherapyNotes), telehealth, and billing all require BAAs.
Read guide →Vertical Guide
HIPAA BAA for Addiction Treatment Programs
Dual HIPAA + 42 CFR Part 2 compliance for residential, IOP, and MAT clinics. SUD records have stricter confidentiality requirements than standard PHI.
Read guide →Vertical Guide
HIPAA BAA for Group Medical Practices
Multi-provider groups have more complex BAA needs — centralized billing, shared EHRs, and HR vendor records all require separate agreements.
Read guide →Vertical Guide
HIPAA BAA for Radiology & Imaging Centers
PACS vendors, teleradiology services, cloud DICOM storage, and AI diagnostic tools are all business associates. DICOM metadata is PHI.
Read guide →Vertical Guide
HIPAA BAA for Occupational Therapists
OT platforms (WebPT, Fusion, TheraOffice), billing, and telehealth require BAAs. School-based OT involves FERPA/HIPAA distinctions.
Read guide →Vertical Guide
HIPAA BAA for Speech-Language Pathologists
SLP documentation platforms, teletherapy tools, and AAC cloud sync all create BAA requirements. School-based FERPA/HIPAA boundary explained.
Read guide →Vertical Guide
HIPAA BAA for Healthcare Staffing Agencies
Staffing agencies are business associates for hospitals AND need BAAs with their own credentialing, ATS, and background check vendors.
Read guide →Vertical Guide
HIPAA BAA for Medical Transcription Services
Traditional and AI transcription vendors (Nuance DAX, Suki, Abridge) are business associates. Audio file cloud storage also requires a BAA.
Read guide →Vertical Guide
HIPAA BAA for Health Plans & Health Insurers
TPAs, PBMs (CVS Caremark, Express Scripts), utilization management, and data analytics vendors all require BAAs with health plans.
Read guide →Vertical Guide
HIPAA BAA for Mental Health Apps
Consumer vs. clinical app HIPAA analysis. Apps used as part of a clinical relationship need BAAs with cloud, analytics, and telehealth vendors.
Read guide →Vertical Guide
HIPAA BAA for Remote Patient Monitoring Programs
RPM platform vendors are business associates. Device cloud connectivity creates BA relationships; cellular carriers are generally exempt (conduit rule).
Read guide →Vertical Guide
HIPAA BAA for Revenue Cycle Management Companies
RCM firms are BAs to covered entities and need BAAs with their own subvendors. Includes Change Healthcare breach (2024) context.
Read guide →HIPAA Concepts & Compliance
Foundational HIPAA concepts every covered entity and business associate needs to understand.
HIPAA Basics
When Does HIPAA Apply?
Decision guide for covered entity and business associate status. Includes a 7-organization decision table with specific examples.
Read more →HIPAA Basics
Covered Entity vs. Business Associate: What's the Difference?
CE definition, BA definition, subcontractor BA chain, and hybrid entities — with a comparison table covering enforcement mechanisms.
Read more →HIPAA Basics
Do I Need to Comply with HIPAA?
Structured decision framework for determining HIPAA applicability. Consumer apps, employers, and non-clinical tech are generally not covered entities.
Read more →HIPAA Concepts
HIPAA Authorization vs. BAA: Key Differences
Patient authorization (45 CFR § 164.508) vs. vendor BAA (45 CFR § 164.504) — completely different instruments. Comparison table included.
Read more →HIPAA Concepts
HIPAA Data Use Agreement vs. BAA
DUA covers Limited Data Sets (16 of 18 identifiers removed). BAA covers fully identifiable PHI. These are not interchangeable.
Read more →HIPAA Concepts
HIPAA Minimum Necessary Standard and BAAs
45 CFR § 164.502(b) applies to BA disclosures. BAAs should reflect data minimization; treatment disclosures are exempt from minimum necessary.
Read more →BAA Templates
Free HIPAA BAA Template
What every compliant BAA must include per 45 CFR § 164.504(e). HHS model limitations explained. Free customizable template via BAA Generator.
Read more →BAA Templates
HIPAA BAA Template for SaaS Vendors
SaaS-specific BAA considerations: data portability at termination, subprocessor chain, and how to review a vendor-provided SaaS BAA.
Read more →BAA Templates
HIPAA BAA Template for Telehealth Vendors
Session recording clauses, post-COVID waiver expiration, and telehealth-specific BAA requirements for video, scheduling, and messaging platforms.
Read more →BAA Process
10 Common HIPAA BAA Mistakes (and How to Avoid Them)
Missing BAA, outdated pre-2013 template, no subcontractor clause, accepting vendor BAAs without review — the 10 most common compliance failures.
Read more →BAA Clauses
HIPAA BAA Breach Notification Clause Requirements
Statutory 60-day requirement under 45 CFR § 164.504(e)(2)(ii)(C). Why most BAAs negotiate 5–30 day contractual windows instead.
Read more →BAA Clauses
HIPAA BAA Permitted Uses and Disclosures Clause
The closed-list principle — any use not listed in the BAA is prohibited. Secondary marketing use restrictions and vendor red flags explained.
Read more →BAA Clauses
HIPAA BAA Indemnification Clauses Explained
Mutual vs. one-sided indemnification, liability caps, and what to watch for when reviewing a vendor-provided BAA's indemnification terms.
Read more →BAA Process
HIPAA BAA for International Vendors
HIPAA has no geographic exemption. Offshore vendors handling PHI must sign BAAs. EU vendors may also need a GDPR DPA alongside the BAA.
Read more →BAA Process
Can One BAA Cover Multiple Vendors?
No — BAAs are bilateral contracts. A single BAA cannot cover multiple unrelated vendors. Parent/subsidiary exception and framework agreements explained.
Read more →BAA Fundamentals
Everything you need to understand about HIPAA Business Associate Agreements.
BAA Basics
What Is a Business Associate Agreement?
A plain-language breakdown of what a BAA is, why HIPAA requires it, and what happens if you operate without one.
Read more →Compliance
When Do You Need a HIPAA BAA?
Not every vendor relationship requires a BAA. Learn which business relationships trigger the requirement under HIPAA.
Read more →Requirements
HIPAA BAA Requirements: What Must Be Included
A clause-by-clause walkthrough of what 45 CFR § 164.504(e) requires in every compliant Business Associate Agreement.
Read more →Contracts
BAA vs. NDA: What's the Difference?
Many healthcare vendors confuse NDAs with BAAs. Here's why an NDA alone doesn't satisfy HIPAA — and what you need instead.
Read more →Checklist
HIPAA Compliance Checklist for Small Practices
A practical checklist covering BAAs, security risk assessments, workforce training, and other HIPAA must-haves for small healthcare organizations.
Read more →Tools
Best HIPAA BAA Generators in 2026 (Free and Paid, Ranked)
The best HIPAA Business Associate Agreement generators in 2026, ranked by price, output quality, HHS alignment, and ease of use.
Read more →Vendor Research
Does Your Vendor Sign a HIPAA BAA?: Complete Vendor List
BAA availability for Google Workspace, Zoom, AWS, Slack, Microsoft 365, DocuSign, Dropbox, Stripe, Mailchimp, HubSpot, and more.
Read more →AI & HIPAA
HIPAA BAA for AI Vendors: Which AI Tools Sign a BAA?
OpenAI, Anthropic, Google Cloud, Azure OpenAI, AWS Bedrock, and more — plan tiers, conditions, and what to do when a vendor won't sign.
Read more →