Does Your Vendor Sign a HIPAA BAA?
By BAA Generator Research Team · Updated Apr 19, 2026 · Last reviewed Apr 27, 2026 · 4 min read
Quick Answer
Most major cloud platforms sign HIPAA BAAs — but only on paid or enterprise plans. Free tiers of Google, Zoom, Slack, and Dropbox are not HIPAA eligible. Stripe does not sign a BAA at any tier. Use the table below to check your vendor, then follow the linked guide for how to execute the BAA for that specific service.
One of the most common compliance gaps in healthcare organizations is using software tools that either don't offer a HIPAA BAA or haven't had one executed. Below is a reference table for the most frequently asked-about vendors, with links to detailed guides for each one.
Vendor BAA Availability at a Glance
| Vendor | Signs a BAA? | Qualifying plan | Full guide |
|---|---|---|---|
| Google Workspace | Yes | All paid Workspace plans (Business Starter+) | Read guide → |
| Microsoft 365 | Yes | All paid commercial plans (Business Basic+) | Read guide → |
| Zoom | Paid plans only | Zoom for Healthcare or Business/Enterprise with HIPAA enabled | Read guide → |
| AWS | Yes | All commercial accounts via AWS Artifact | Read guide → |
| Slack | Enterprise only | Enterprise Grid plan only | Read guide → |
| Dropbox | Business plans only | Dropbox Business and Business Plus | Read guide → |
| DocuSign | Business Pro+ | Business Pro and Enterprise plans | Read guide → |
| Stripe | No | Not available at any tier | Read guide → |
| Mailchimp | No | Not available | Read guide → |
| HubSpot | Enterprise only | Enterprise tier with BAA addendum | Read guide → |
| Salesforce | Health Cloud only | Health Cloud and healthcare-specific products only | Read guide → |
| Calendly | Teams / Enterprise | Teams ($20/seat/mo) and Enterprise plans | Read guide → |
| Notion | No | Not available on any plan | Read guide → |
| OpenAI / ChatGPT | API + Enterprise | API and ChatGPT Enterprise only — Free/Plus not eligible | Read guide → |
| Anthropic / Claude | API + Enterprise | Claude Enterprise and qualifying API customers only | Read guide → |
| Microsoft Azure | Yes | All commercial accounts via Online Services Terms | Read guide → |
| Google Cloud (GCP) | Yes | All commercial accounts via Cloud Console | Read guide → |
| Twilio | Via sales team | Healthcare customers via Twilio sales — not self-service | Read guide → |
| SendGrid | Via Twilio BAA | Covered under Twilio's enterprise BAA for qualifying customers | Read guide → |
| Square | No standard BAA | No standard BAA — contact Square for Healthcare use cases | Read guide → |
| Acuity Scheduling | Powerhouse plan | Powerhouse plan only ($45/mo) | Read guide → |
| Intercom | No | Not available on any plan | Read guide → |
| Typeform | No | Not available on any plan | Read guide → |
| JotForm | HIPAA plan | Dedicated HIPAA plan (~$39/mo) | Read guide → |
| Zapier | No | Not available — breaks PHI compliance chain | Read guide → |
| Epic | Yes | Included in standard implementation agreement | Read guide → |
| Cerner / Oracle Health | Yes | Included in standard implementation agreement | Read guide → |
Why Vendor BAA Status Matters
Every vendor in your stack that creates, receives, maintains, or transmits patient PHI on your behalf is a business associate under HIPAA. Using a vendor that doesn't offer a BAA — or using a free tier of a vendor that does — is a HIPAA violation, regardless of whether any patient data is ever breached.
The HHS Office for Civil Rights has cited missing BAAs as one of the most frequently identified HIPAA compliance deficiencies in its audit program. The fact that a vendor's platform is technically secure does not substitute for the absence of a signed agreement.
What to Do When Your Vendor Doesn't Offer a BAA
If a vendor you're currently using doesn't offer a HIPAA BAA:
- Stop sending PHI to that vendor immediately until you've resolved the compliance gap.
- Identify an alternative vendor who offers a BAA for the same function.
- Restructure the engagement so the vendor never accesses PHI — this is only viable if the service can be delivered without any patient data.
For more detail, see our guide: What to Do When a Vendor Won't Sign a HIPAA BAA.
What to Do When Your Vendor Offers a BAA but You Haven't Signed One
If you're using a vendor that offers a BAA — Google Workspace, Microsoft 365, AWS, etc. — but haven't executed the agreement yet, the steps are typically:
- Log in to the vendor's admin console or compliance portal.
- Locate the HIPAA or BAA section (usually under Security, Legal, or Compliance settings).
- Accept or sign the vendor's standard BAA.
- Save a copy of the executed agreement in your compliance records.
For vendors who don't have a self-service BAA and expect you to provide one, use BAA Generator to create a HIPAA-compliant agreement you can send for countersignature.
Generate a compliant BAA in 5 minutes
HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word
No subscription · PDF + Word · Free watermarked preview