
Does GitHub Sign a HIPAA Business Associate Agreement?

By BAA Generator Research Team  ·  Published Apr 20, 2026  ·  Last reviewed Apr 20, 2026  ·  4 min read


Key Takeaways

Direct answer: Yes — GitHub (owned by Microsoft) signs a HIPAA BAA for GitHub Enterprise customers under Microsoft's enterprise agreements. GitHub.com standard plans (Free, Pro, Team) do not include a BAA by default and are not appropriate for storing repositories that process PHI.

GitHub is the dominant code repository platform for software development teams, including healthcare engineering organizations building EHR integrations, patient-facing apps, and health data pipelines. Understanding GitHub's HIPAA BAA situation is essential for any development team working in a HIPAA-regulated environment.

GitHub Plan Coverage for HIPAA BAA

Plan                       BAA Available?               Notes
-------------------------  ---------------------------  -------------------------------------------------------
GitHub Free                No BAA                       Public/personal use; not suitable for PHI-related repos
GitHub Pro                 No BAA                       Individual paid plan; no HIPAA coverage
GitHub Team                No BAA                       Small team plan; no HIPAA coverage
GitHub Enterprise Cloud    BAA available via Microsoft  Request through Microsoft enterprise agreement
GitHub Enterprise Server   BAA available via Microsoft  Self-hosted; BAA also available through Microsoft

Why Code Repositories Can Involve PHI

Many engineering teams assume source code repositories are inherently non-PHI environments. This is often wrong. PHI can appear in GitHub in several ways:

Good security hygiene — using secrets scanners, synthetic test data, and proper log sanitization — reduces PHI exposure. But if any PHI can reach GitHub's servers, a BAA is required.
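As an added illustration of the hygiene controls just listed (this is not code from this page's authors, from GitHub or from Microsoft), a small Python scanner that flags PHI-like values in test fixtures and CI logs and redacts them before they are emitted. The identifier patterns are assumptions; the seven-digit MRN format is hypothetical and any ISO date is treated as a possible date of birth, so expect to tune an allow-list per repository.

```python
import re
from typing import Dict, List, Tuple

# Constructed detection patterns (assumptions, not a GitHub/Microsoft tool).
# MRN formats vary by institution; the 7-digit form here is hypothetical.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:=#]?\s*\d{7}\b", re.IGNORECASE),
    # Any ISO date is flagged as a possible date of birth; changelogs and
    # release notes will produce false positives, so allow-list those paths.
    "dob": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}

Finding = Tuple[int, str, str]  # (line number, category, matched text)


def scan_text(text: str) -> List[Finding]:
    """Return every PHI-like match in text, one finding per (line, category, match)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PHI_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, category, match.group(0)))
    return findings


def redact(text: str) -> str:
    """Replace PHI-like values with a category tag before a line reaches CI logs."""
    for category, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{category.upper()}]", text)
    return text


# Constructed sample inputs: a committed test fixture and a pipeline log line.
FIXTURE = '{"patient": "J. Doe", "ssn": "123-45-6789", "dob": "1984-07-15"}'
CI_LOG = "INFO lookup ok MRN: 0012345 phone=(555) 010-2000 took 12ms"

if __name__ == "__main__":
    # Run as a pre-commit hook over staged files or over captured CI output;
    # a non-empty findings list should fail the check.
    for path, content in (("tests/fixtures/patient.json", FIXTURE), ("ci.log", CI_LOG)):
        for lineno, category, value in scan_text(content):
            print(f"{path}:{lineno}: {category} -> {value}")
    print(redact(CI_LOG))
```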

How to Get a HIPAA BAA for GitHub Enterprise

Because GitHub is owned by Microsoft, the BAA process flows through Microsoft's enterprise compliance program:

This process is the same mechanism used for Azure, Microsoft 365, and other Microsoft enterprise services. If your organization already has a Microsoft enterprise agreement with a HIPAA BAA, GitHub Enterprise Cloud may already be covered — verify the specific services listed in your BAA addendum.

What Happens If You Use Standard GitHub Without a BAA?

Using GitHub Free, Pro, or Team plans for repositories that contain or process PHI is a HIPAA violation. The risk is compounded because standard GitHub.com accounts have no controls preventing data from being indexed, cached, or accessed in ways that would violate HIPAA's security requirements. Even private repositories on standard plans are not HIPAA-eligible environments.

Healthcare engineering teams on standard GitHub plans should audit their repositories for PHI immediately and either remediate the exposure or upgrade to an Enterprise plan with a BAA; PHI should not be left in GitHub's systems without one.

For a broader look at which development and SaaS tools sign HIPAA BAAs, see our vendor BAA lookup guide. For healthtech startups evaluating their full compliance vendor stack, see our guide on HIPAA BAAs for healthtech startups.

Frequently Asked Questions

Does GitHub sign a HIPAA BAA?

Yes — GitHub (owned by Microsoft) signs a HIPAA BAA for GitHub Enterprise customers through Microsoft's enterprise agreement channel. Standard GitHub.com plans (Free, Pro, Team) do not include a BAA.

Can GitHub repos contain PHI?

GitHub repositories should never contain hardcoded PHI. However, CI/CD logs, test fixtures, and configuration files can inadvertently capture PHI. If any PHI reaches GitHub's systems, an executed BAA is legally required under HIPAA.

How do I get a HIPAA BAA for GitHub Enterprise?

Contact your Microsoft account manager or the GitHub Enterprise sales team and request the HIPAA BAA addendum through your Microsoft Enterprise Agreement. The BAA is provided under Microsoft's standard healthcare compliance program and covers GitHub Enterprise services.

Is GitHub covered under Microsoft's HIPAA BAA?

Yes — GitHub Enterprise is covered under Microsoft's HIPAA BAA program, the same program covering Azure and Microsoft 365. The BAA is executed through your Microsoft enterprise agreement. Verify that GitHub Enterprise is specifically listed in the covered services of your BAA addendum.

