Does Amplitude Sign a HIPAA Business Associate Agreement?
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Yes — Amplitude signs a HIPAA BAA for Enterprise plan customers
- ✓ Free Starter and Plus plans do not qualify — Enterprise (custom pricing) is required
- ✓ Product analytics events can capture PHI through event properties — strip PHI before sending to Amplitude
- ✓ Even with a BAA, Amplitude recommends minimizing PHI in analytics events as a best practice
Amplitude is a leading product analytics platform used by digital health apps, patient portals, and healthtech companies to understand how users engage with their products. When those products handle protected health information — such as symptom tracking features, medication management flows, or telehealth scheduling — compliance with HIPAA becomes essential for any analytics tool in the stack.
Amplitude Plan Coverage for HIPAA BAA
| Plan | Price | BAA Available? |
|---|---|---|
| Starter (Free) | Free | No BAA |
| Plus | $61/month | No BAA |
| Growth | Custom pricing | BAA available on request |
| Enterprise | Custom pricing | Yes — BAA included |
Only the Enterprise plan guarantees HIPAA BAA availability. If you are a healthtech startup on the Starter or Plus plan, you should not be sending any PHI to Amplitude without first upgrading and executing a BAA.
Why Product Analytics Can Involve PHI
Many engineering teams assume analytics events are inherently anonymous, but product analytics platforms can receive PHI in several ways:
- Event properties — if you pass properties like `condition_searched`, `medication_name`, or `symptom_category` in your event tracking calls, those values may constitute PHI
- User properties — if you set user properties such as `diagnosis`, `insurance_type`, or `age_group` combined with a user ID, this can create a PHI-linked profile
- Page URL tracking — URLs that include patient identifiers, appointment IDs, or condition codes can send PHI automatically via auto-capture features
- Identify calls — if you identify users with real email addresses or names in combination with health-related user attributes, that combination is PHI
Amplitude recommends stripping all PHI from events before they are sent. This is good practice regardless of whether you have a BAA — but if any PHI enters Amplitude's systems, a BAA is legally required.
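One way to enforce that stripping in the client before any event reaches the SDK, as an added example that is not Amplitude's own code or API: the property denylist, the URL patterns and the `sink` callback standing in for the SDK's track call are all illustrative assumptions to adapt to your own event schema.

```javascript
// Added example, not Amplitude's code: a PHI-stripping layer between the app and
// the analytics SDK. Key names, URL patterns and the `sink` callback are assumptions.

// Property keys (event or user properties) that carry PHI once tied to a user ID.
const PHI_PROPERTY_KEYS = new Set([
  'condition_searched', 'medication_name', 'symptom_category',
  'diagnosis', 'insurance_type', 'age_group', 'email', 'name', 'phone', 'dob',
]);

// URL path patterns and query keys that typically embed patient identifiers.
const PHI_PATH_PATTERNS = [
  [/(\/patients?\/)[^/?#]+/gi, '$1REDACTED'],        // /patient/12345
  [/(\/appointments?\/)[^/?#]+/gi, '$1REDACTED'],    // /appointments/abc-789
  [/\b[A-Z]\d{2}(?:\.\d+)?\b/g, 'REDACTED'],         // ICD-10-style codes, e.g. E11.9
];
const PHI_QUERY_KEYS = new Set(['patient_id', 'appointment_id', 'mrn', 'condition']);

// Drop denylisted keys from a flat property bag. Returns the clean copy plus the
// keys removed, so a rollout can alert on every PHI leak the app still attempts.
function stripPhiProperties(props) {
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(props || {})) {
    if (PHI_PROPERTY_KEYS.has(key.toLowerCase())) dropped.push(key);
    else clean[key] = value;
  }
  return { clean, dropped };
}

// Redact identifier-bearing path segments and query parameters before a page
// URL is attached to an event (auto-capture would otherwise send it verbatim).
function scrubUrl(url) {
  const u = new URL(url);
  let path = u.pathname;
  for (const [re, replacement] of PHI_PATH_PATTERNS) path = path.replace(re, replacement);
  u.pathname = path;
  for (const key of [...u.searchParams.keys()]) {
    if (PHI_QUERY_KEYS.has(key.toLowerCase())) u.searchParams.set(key, 'REDACTED');
  }
  return u.toString();
}

// Wrapper the app calls instead of the SDK directly; `sink` stands in for the
// real track call (assumption). Returns the payload that was actually sent.
function safeTrack(sink, eventName, eventProps, pageUrl) {
  const { clean, dropped } = stripPhiProperties(eventProps);
  const payload = { ...clean, page_url: scrubUrl(pageUrl) };
  sink(eventName, payload);
  return { eventName, payload, dropped };
}
```

Route user-property and identify payloads through `stripPhiProperties` as well, and log the `dropped` list to an internal (non-analytics) channel so leaks are fixed at the source rather than silently filtered forever.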
How to Get a HIPAA BAA from Amplitude
Amplitude's BAA is available through their Enterprise plan. To obtain a BAA:
- Contact Amplitude sales and request an Enterprise plan quote for a HIPAA-eligible configuration
- During the Enterprise sales process, request the HIPAA Business Associate Agreement addendum
- Your Amplitude account manager or legal team will provide the BAA for mutual execution
- After executing the BAA, work with Amplitude's customer success team to implement proper data governance controls
Amplitude's BAA is a standard addendum to the Enterprise service agreement. The BAA process is straightforward for Enterprise customers — the main requirement is being on the qualifying plan tier.
What Happens If You Use Amplitude Without a BAA?
If your health app or patient portal sends PHI to Amplitude without an executed BAA, you are in violation of HIPAA's Business Associate provisions. This can result in:
- Significant civil monetary penalties from HHS's Office for Civil Rights (OCR)
- Mandatory corrective action plans and audits
- Breach notification obligations if the data is later compromised
- Reputational damage with patients and partners
The violation begins the moment PHI enters Amplitude's systems without a BAA — not just if a breach occurs. Proactively auditing your analytics events for PHI is essential before going live with any health application.
For a broader look at which vendors provide HIPAA BAAs, see our vendor BAA lookup guide. If you are a healthtech startup evaluating your entire vendor stack, see our Mixpanel HIPAA BAA guide for a comparable analytics platform comparison.
Frequently Asked Questions
Does Amplitude sign a HIPAA BAA?
Yes — Amplitude signs a HIPAA Business Associate Agreement for Enterprise plan customers. The Growth plan may also offer a BAA on request. Free Starter and Plus plans do not qualify for HIPAA coverage.
Can Amplitude analytics contain PHI?
Yes — event properties, user properties, and URL tracking in Amplitude can capture PHI if not properly filtered. Amplitude recommends stripping all PHI before sending events. If any PHI reaches Amplitude's servers, a signed BAA is required.
Which Amplitude plan includes a BAA?
The Enterprise plan (custom pricing) guarantees HIPAA BAA availability. The Growth plan may offer a BAA on request. The Starter (free) and Plus ($61/month) plans do not include HIPAA BAA support.
How does Amplitude compare to Mixpanel for HIPAA?
Both Amplitude and Mixpanel offer HIPAA BAAs at their enterprise tiers. Both recommend stripping PHI from analytics events as a baseline practice. The decision between them for healthcare applications typically comes down to product features, existing integrations, and pricing — not HIPAA eligibility, as both can be made compliant at enterprise scale.