Does FullStory Sign a HIPAA Business Associate Agreement?
By BAA Generator Research Team · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 4 min read
Key Takeaways
- ✓ Yes — FullStory signs a HIPAA BAA for Enterprise plan customers
- ✓ Session replay tools are extremely high-risk for PHI capture — FullStory can record form inputs, keystrokes, and page content
- ✓ A BAA alone is insufficient — FullStory's privacy masking rules must be configured to block health-related fields
- ✓ Free and Business plans do not qualify for HIPAA BAA coverage
FullStory is a digital experience intelligence platform that provides session replay, heatmaps, product analytics, and user behavior tracking. Healthtech companies use FullStory to understand how patients and providers navigate their applications — but the same technology that makes FullStory powerful also makes it uniquely dangerous for PHI exposure. Session replay tools can capture virtually everything a user does on a page, including health information they type into forms.
FullStory Plan Coverage for HIPAA BAA
| Plan | BAA Available? | Notes |
|---|---|---|
| Free | No BAA | Not suitable for any health application with PHI |
| Business | No BAA standard | Custom pricing; BAA not included |
| Enterprise | Yes — BAA available | Custom pricing; request BAA through FullStory sales |
Why Session Replay Tools Are the Highest-Risk Vendor Category for PHI
Most analytics tools receive data that you explicitly send to them — you control what events and properties are tracked. Session replay tools like FullStory work differently: they capture a near-complete recording of what happens in the browser, including:
- Keystroke-level recording — FullStory can record every character typed into a form field unless that field is explicitly masked
- Form inputs — health conditions, symptoms, medications, dates of birth, insurance IDs, and any other information entered by the user
- Page content — text displayed on the page, including clinical notes rendered in a portal, lab results, or diagnoses shown to the user
- URL and navigation data — page URLs that include patient IDs, appointment IDs, or condition codes embedded in the path
- Dynamic content — content loaded via API calls and rendered into the DOM is captured, including data fetched from your backend
HHS's Office for Civil Rights has specifically flagged session replay and tracking pixel technologies as PHI risk vectors in healthcare settings. Using these tools without a BAA and proper configuration is a high-profile compliance failure mode.
How to Get a HIPAA BAA from FullStory
FullStory's BAA is available through their Enterprise plan:
- Contact FullStory sales and request an Enterprise plan for a HIPAA-eligible configuration
- Specify that you are a healthcare application requiring a HIPAA BAA
- FullStory will provide the BAA addendum for execution as part of the Enterprise agreement
- After executing the BAA, work with your engineering team to configure FullStory's privacy API and element exclusion rules to block all health-related form fields and content
Configuring FullStory for HIPAA: Privacy Masking Requirements
Executing a BAA without configuring privacy masking creates false confidence. FullStory's privacy controls must be implemented at the engineering level:
- Apply
data-fs-maskordata-fs-excludeattributes to all input fields that can capture PHI — this includes symptom fields, medication fields, diagnosis inputs, and any form field in a clinical workflow - Exclude entire page sections (e.g., a patient portal's "My Health" section) using FullStory's element exclusion API when those sections display PHI
- Mask text content on pages that render clinical data, lab results, or patient-specific health information
- Audit masking configuration regularly as your application evolves — new features may introduce new PHI exposure points
- Test session replay recordings in a staging environment to verify that PHI is not captured before deploying to production
For a comparison of session replay tools and their HIPAA eligibility, see our Hotjar HIPAA BAA guide. For healthtech startups building compliant analytics stacks, see our HIPAA BAA guide for healthtech startups.
Frequently Asked Questions
Does FullStory sign a HIPAA BAA?
Yes — FullStory signs a HIPAA BAA for Enterprise plan customers. Free and Business plans do not qualify. Request the BAA through FullStory sales as part of your Enterprise agreement.
Can FullStory session replays capture PHI?
Yes — FullStory can record keystrokes, form inputs, and page content that contain PHI if privacy masking is not configured. Health conditions, medications, symptoms, and other sensitive data entered or displayed on a page are at risk. Privacy masking rules must be configured to block PHI capture, and this configuration must be audited regularly.
Which FullStory plan includes a BAA?
FullStory's HIPAA BAA is available for Enterprise plan customers only. The free plan and Business plan do not qualify for HIPAA BAA coverage. Contact FullStory sales for an Enterprise quote.
How do I configure FullStory to be HIPAA compliant?
HIPAA-compliant FullStory use requires an executed Enterprise BAA plus properly configured privacy masking rules using FullStory's privacy API and element exclusion attributes. Apply masking to all health-related form fields and content areas, audit the configuration regularly, and test in staging to verify PHI is not captured before deploying to production.
More vendor BAA guides
Generate a compliant BAA in 5 minutes
HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word
No subscription · PDF + Word · Free watermarked preview