
Does Mixpanel Sign a HIPAA Business Associate Agreement?

By BAA Generator Editorial  ·  Published Apr 20, 2026  ·  Last reviewed Apr 20, 2026  ·  5 min read

Key Takeaways

Direct answer: Yes — Mixpanel signs a HIPAA BAA for Enterprise plan customers (custom pricing). The Free plan and Growth plan (~$28/month) do NOT include a HIPAA BAA. Product analytics is one of the most commonly overlooked HIPAA compliance categories in digital health — health app behavior data can easily constitute PHI when tied to an identifiable patient.

Mixpanel is a leading product analytics platform used by product managers and engineers to understand how users interact with applications. For digital health companies — patient engagement apps, chronic disease management platforms, mental health tools, and telehealth portals — Mixpanel is frequently the first analytics tool deployed. The HIPAA compliance challenge is significant: health app events are rich with potentially sensitive data, and Mixpanel's BAA is gated behind its highest pricing tier.

Mixpanel Plan BAA Coverage

Mixpanel offers a HIPAA BAA exclusively at the Enterprise level. This creates a compliance gap for early-stage digital health companies that start on the Free or Growth plan before understanding their BAA obligations.

Plan       | Approx. Price  | HIPAA BAA | Notes
-----------|----------------|-----------|------------------------------------------------------------
Free       | $0             | NO        | No BAA; do not use for health apps that may handle PHI
Growth     | ~$28/mo        | NO        | No BAA; not suitable for HIPAA-covered applications
Enterprise | Custom pricing | YES       | BAA available via account manager; must be explicitly requested

Why Product Analytics Is a Hidden PHI Risk in Health Apps

Mixpanel itself advises customers not to send PHI to their platform. Despite this, PHI commonly ends up in product analytics in health apps because product teams instrument events without a thorough PHI review. Examples of PHI-containing events in health apps include:

Even if the event name itself is benign, the combination of event metadata, user identifiers, and context can create PHI in aggregate.

How to Get a HIPAA BAA from Mixpanel

Obtaining a BAA from Mixpanel requires the Enterprise plan:

  1. Contact Mixpanel sales and request an Enterprise plan quote for your organization
  2. During contract discussions, explicitly request a HIPAA BAA
  3. Mixpanel will provide a BAA for review and counter-signature
  4. Retain the signed BAA as part of your vendor compliance documentation

After executing the BAA, review your Mixpanel SDK implementation to scrub PHI from all event properties, user traits, and identify calls. The goal is to use the BAA as a backstop — not as a license to send unrestricted health data to an analytics platform. For context on related tools, see our guide on whether Segment signs a HIPAA BAA and our resource on BAA requirements for healthtech startups.

What Happens If You Use Mixpanel Without a BAA?

If health app events containing PHI are sent to Mixpanel without an executed BAA, the covered entity or business associate sending those events is violating HIPAA's business associate provisions. This is true even if the team did not intend to send PHI — accidental inclusion of PHI in event data does not provide a HIPAA safe harbor. Digital health companies undergoing SOC 2 audits, HITRUST certification, or HIPAA compliance reviews routinely identify product analytics as a gap category.

Mixpanel vs. Amplitude: HIPAA BAA Comparison

Both Mixpanel and Amplitude are leading product analytics platforms that restrict HIPAA BAA access to their Enterprise tiers. The compliance decision between the two should not hinge on BAA availability — both require Enterprise plans and explicit BAA requests. The practical differences lie in SDK-level data governance features, the ability to implement PHI scrubbing, and the depth of your account team's healthcare experience. Evaluate both on product analytics capabilities for your specific use case.

Frequently Asked Questions

Does Mixpanel sign a HIPAA BAA?

Yes — but only on the Enterprise plan (custom pricing). Mixpanel's Free plan and Growth plan (~$28/month) do not include a HIPAA BAA. Digital health product teams using Mixpanel to track user behavior in a health app must either upgrade to Enterprise and execute a BAA, or ensure that no PHI is sent to Mixpanel via strict event data governance.

Can Mixpanel analytics data contain PHI?

Yes — product analytics events in a health app can contain PHI. Mixpanel tracks user actions, which in a health context may include condition tracking, symptom logging, medication interaction views, mental health check-in submissions, or other health-related behaviors tied to identifiable users. Mixpanel itself recommends not sending PHI, but if it enters the system, a BAA is required.

Which Mixpanel plan includes a HIPAA BAA?

Only Mixpanel Enterprise (custom pricing) includes a HIPAA BAA. The Free plan and Growth plan (~$28/month) do not. To obtain a BAA from Mixpanel, contact Mixpanel sales for an Enterprise plan quote and request BAA execution through your account manager.

How does Mixpanel compare to Amplitude for HIPAA compliance?

Both Mixpanel and Amplitude are product analytics platforms that restrict HIPAA BAA availability to their Enterprise plans. Both recommend against sending PHI to their platforms. The choice between the two for a HIPAA-covered health app should be driven by product analytics capabilities, data governance features, and PHI scrubbing support at the SDK level — not by BAA availability, which is comparable at the Enterprise tier.
