Does Segment (Twilio Segment) Sign a HIPAA Business Associate Agreement?
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Yes on Business and Enterprise plans — BAA available via Twilio Segment sales
- ✓ No on Free and Team plans — no BAA; do not use for health apps that handle PHI
- ✓ Clickstream and event data in health apps can easily contain PHI
- ✓ Best practice: execute a BAA AND implement PHI scrubbing as defense-in-depth
Twilio Segment is the dominant customer data platform (CDP) used by product and engineering teams to collect, route, and activate user event data. For digital health companies — patient apps, medication management tools, mental health platforms, and telehealth products — Segment is often the first analytics infrastructure deployed. The compliance challenge is that health app events can contain PHI, and most teams start on plans that provide no BAA coverage.
Segment Plan BAA Coverage
Segment's HIPAA BAA is restricted to the Business and Enterprise tiers. Teams on the Free or Team plan, which includes many growth-stage startups, are not covered.
| Plan | Approx. Price | HIPAA BAA | Notes |
|---|---|---|---|
| Free | $0 | NO | No BAA; do not use for health apps handling PHI |
| Team | ~$120/mo | NO | No BAA at this tier; not suitable for PHI-involved event tracking |
| Business | Custom pricing | YES | BAA available via account manager upon request |
| Enterprise | Custom pricing | YES | BAA included; dedicated compliance support |
Why CDP Event Data Is a Hidden PHI Risk in Health Apps
Customer data platforms like Segment are designed to capture everything — every click, page view, search, and form interaction. In a health app, that granularity creates PHI exposure risk. Examples include:
- Condition searches: A user searching "diabetes management" or "antidepressant dosage" in a health app creates an event that, paired with their user ID, may constitute PHI
- Medication refill events: "Add to cart" or "Refill prescription" events for specific medications reveal treatment information
- Provider lookups: Searching for "cardiologist near me" or "addiction treatment" reveals health status when tied to an identified user
- Symptom tracking submissions: Any form submit event with health-related field values can contain PHI
None of these require a data breach to create HIPAA exposure — simply sending these events to Segment without a BAA violates the business associate requirements.
How to Get a HIPAA BAA from Segment
To obtain a BAA from Twilio Segment:
- Contact Segment sales and request a Business or Enterprise plan
- During contract negotiation, explicitly request a HIPAA Business Associate Agreement
- Segment/Twilio will provide the BAA document for review and counter-signature
- Retain the executed BAA and set a reminder to renew or review when the service agreement expires
Even after executing the BAA, implement PHI scrubbing in your Segment implementation: review every track(), identify(), and page() call to ensure PHI is not being sent in event properties. A BAA is a contractual protection; scrubbing is a technical protection. Use both. See our guide on which vendors sign a HIPAA BAA for a broader vendor comparison.
What Happens If You Use Segment Without a BAA?
Sending PHI to Segment without an executed BAA means you are disclosing PHI to a third party without the required contractual safeguard. This is a HIPAA Privacy Rule violation regardless of whether the PHI was intentionally included in the event payload. Many digital health startups discover this problem only after receiving a compliance audit or investment due diligence questionnaire that asks for a list of all business associates and their BAAs.
Frequently Asked Questions
Does Segment sign a HIPAA BAA?
Yes — Twilio Segment signs a HIPAA BAA on Business and Enterprise plans (both custom pricing). The Free plan and Team (~$120/month) plan do not include a HIPAA BAA. Health app teams using Segment to collect user events must either scrub all PHI from event payloads or upgrade to a Business/Enterprise plan and execute a BAA.
Can Segment event data contain PHI?
Yes — this is a common and frequently overlooked compliance risk in digital health. Segment collects user event data including page views, clicks, form submissions, and custom events. In a health app, these events can contain condition searches, medication refill interactions, symptom tracking entries, provider lookup queries, or other data that constitutes PHI when tied to an identifiable user.
Which Segment plan includes a HIPAA BAA?
Segment's Business plan (custom pricing) and Enterprise plan (custom pricing) include a HIPAA BAA. The Free plan and Team plan (~$120/month) do not. To obtain a BAA from Segment/Twilio, contact Segment sales for a Business or Enterprise plan quote and request BAA execution through your account manager.
How do I handle PHI in Segment for a health app?
Two approaches: (1) Strict PHI exclusion — configure your Segment implementation to never send PHI in event properties, user traits, or identify calls. (2) BAA-backed approach — upgrade to Business or Enterprise, execute a BAA with Segment/Twilio, and implement additional data governance controls. Most digital health companies use both: execute the BAA for contractual coverage and implement PHI scrubbing as defense-in-depth.
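The "strict PHI exclusion" approach above, and the call-by-call review recommended in the "How to Get a HIPAA BAA" section, are easiest to enforce in one place rather than at every track(), identify(), and page() call site. The following is an added example, not code from this article or from Twilio Segment: an allowlist-based source middleware for analytics.js that drops every property or trait not explicitly approved, truncates page paths so URLs like "/conditions/diabetes" do not encode a condition, and records suspicious key names so the offending call can be found in code review. The addSourceMiddleware hook and the payload.obj shape follow Segment's documented source-middleware API (verify against the current docs); the allowlists, the key pattern, and the sample events are constructed assumptions for illustration.

```javascript
// Added example (not from the article or Twilio Segment): allowlist-based PHI
// scrubbing for Segment analytics.js events. Property names and sample events
// are constructed for illustration.

// Allowlist per call type: only these keys may leave the browser. Free-text
// search terms, medication names, form values, and contact details are never
// listed, so they are dropped by default rather than denylisted one at a time.
const ALLOWED_PROPERTIES = {
  track: new Set(["screen", "feature", "button_id", "step", "plan_tier"]),
  page: new Set(["path", "title"]),
  identify: new Set(["plan_tier", "signup_source", "locale"]),
};

// Key names that suggest health or identity content. Matching keys are already
// dropped by the allowlist; this pattern only decides which drops get flagged
// so the team can locate the track()/identify()/page() call that sent them.
const SENSITIVE_KEY_PATTERN =
  /(search|query|medication|drug|rx|prescription|symptom|condition|diagnosis|provider|dob|ssn|email|phone|name)/i;

// Keep only the first path segment and drop the query string, so
// "/conditions/diabetes?ref=home" becomes "/conditions".
function normalizePath(path) {
  const noQuery = String(path).split("?")[0];
  const first = noQuery.split("/").filter(Boolean)[0];
  return first ? `/${first}` : "/";
}

// Returns the scrubbed event plus the list of dropped keys and the subset of
// those that look health- or identity-related.
function scrubEvent(event) {
  const allowed = ALLOWED_PROPERTIES[event.type] || new Set();
  // identify() carries traits; track() and page() carry properties.
  const field = event.type === "identify" ? "traits" : "properties";
  const input = event[field] || {};
  const kept = {};
  const dropped = [];
  for (const [key, value] of Object.entries(input)) {
    if (allowed.has(key)) kept[key] = value;
    else dropped.push(key);
  }
  if (event.type === "page" && kept.path !== undefined) {
    kept.path = normalizePath(kept.path);
  }
  const out = { ...event, [field]: kept };
  // analytics.js can attach cached identify() traits to later calls under
  // context.traits; strip them so an earlier leak is not replayed.
  if (out.context && out.context.traits) {
    const { traits, ...rest } = out.context;
    out.context = rest;
  }
  return {
    event: out,
    dropped,
    flagged: dropped.filter((k) => SENSITIVE_KEY_PATTERN.test(k)),
  };
}

// Source middleware in the shape Segment documents for analytics.js:
// analytics.addSourceMiddleware(phiScrubMiddleware);
function phiScrubMiddleware({ payload, next }) {
  const { event, flagged } = scrubEvent(payload.obj);
  if (flagged.length) {
    // Logged locally only; the key names themselves are not PHI, the values were.
    console.warn("PHI scrubber dropped suspicious keys:", flagged.join(", "));
  }
  payload.obj = event;
  next(payload);
}

// Constructed sample: a health-app search event of the kind described above.
function demo() {
  const constructedTrack = {
    type: "track",
    event: "Search Submitted",
    userId: "user_12345", // constructed sample id
    properties: {
      screen: "search",
      query: "antidepressant dosage",
      medication_name: "sertraline",
    },
    context: { traits: { email: "pat@example.com" } },
  };
  return scrubEvent(constructedTrack);
}
```

The allowlist is deliberately the inverse of a denylist: a new property added by a developer is dropped until someone consciously approves it, which is the failure mode you want when the downstream vendor may or may not have a BAA in place. Run the flagged output through your logging pipeline only in non-production builds, and audit the allowlist itself as part of the periodic BAA review the article recommends.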