Does Zapier Sign a HIPAA Business Associate Agreement?
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read
Key Takeaways
- ✗ No — Zapier does not sign a HIPAA BAA on any plan, including Enterprise
- ✗ Routing PHI through Zapier breaks HIPAA compliance even if both connected apps have BAAs
- ✓ Microsoft Power Automate (covered under M365 BAA) is the leading HIPAA-eligible alternative
- ✓ Workato offers BAAs for enterprise healthcare automation use cases
Why Zapier Cannot Route PHI
Zapier is one of the most popular automation platforms, connecting thousands of apps through "Zaps" — automated workflows that trigger actions across systems. Healthcare organizations often want to use Zapier to automate workflows between their tools: patient intake form → CRM → scheduling system → EHR.
The fundamental problem: Zapier sits in the middle of every data transfer. When PHI flows from App A through Zapier to App B, Zapier receives, processes, and temporarily stores that PHI. Under HIPAA, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a Business Associate, so this makes Zapier a Business Associate.
Since Zapier will not execute a BAA, any PHI that passes through a Zap is in violation of HIPAA — regardless of whether App A and App B both have executed BAAs with your organization.
The "Both Apps Have BAAs" Misconception
This is one of the most common compliance misunderstandings in healthcare technology:
"I use Google Workspace (which has a BAA) and Salesforce Health Cloud (which has a BAA). My Zap connects them. Both apps are covered, so I'm fine."
This reasoning is incorrect. The HIPAA chain of custody requires a BAA with every entity that touches PHI. Zapier touches PHI when routing data between the two apps. The BAAs with Google and Salesforce do not extend to Zapier. You would need a separate BAA with Zapier — which Zapier will not sign.
HIPAA-Compliant Automation Alternatives to Zapier
| Automation Tool | HIPAA BAA Available? | Notes |
|---|---|---|
| Microsoft Power Automate | Yes | Covered under Microsoft's BAA (qualifying M365/Azure plans) |
| Workato | Yes (Enterprise) | Offers BAA for enterprise healthcare customers |
| Mulesoft (Salesforce) | Yes (with BAA) | Enterprise integration platform; BAA available |
| Native EHR integrations | Yes (typically) | Built-in integrations stay within BAA-covered ecosystem |
| Zapier | No | Not HIPAA eligible; no BAA on any plan |
How to Audit Your Current Zapier Zaps for PHI Risk
If your healthcare organization currently uses Zapier, audit your Zaps immediately for PHI exposure:
- List all active Zaps in your organization's accounts
- Identify which Zaps involve apps that contain PHI (EHR data, patient scheduling, practice management)
- Determine whether the data fields being transferred could constitute PHI (patient names, dates, health identifiers)
- Disable or rearchitect any Zaps that route PHI
- Replace PHI-routing Zaps with Microsoft Power Automate or native app integrations
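The audit steps above can be run mechanically over an inventory of Zaps. The script below is an added example, not code from the page or from Zapier; it assumes a constructed JSON inventory (Zap name, status, and per-step app and mapped field names), which is a hypothetical format rather than Zapier's real export, and flags any Zap that touches a PHI-holding app or maps a field whose name looks like a HIPAA identifier.

```python
import json
import re

# Constructed inventory (an assumption for this example, not Zapier's actual export format).
# Each Zap lists its steps; each step names the connected app and the fields it maps.
SAMPLE_INVENTORY = json.dumps([
    {"name": "Intake form -> CRM", "status": "on",
     "steps": [{"app": "Google Forms", "fields": ["patient_name", "dob", "insurance_id"]},
               {"app": "Salesforce Health Cloud", "fields": ["patient_name", "dob"]}]},
    {"name": "New lead -> Slack", "status": "on",
     "steps": [{"app": "HubSpot", "fields": ["company", "website"]},
               {"app": "Slack", "fields": ["message"]}]},
    {"name": "Old appointment sync", "status": "off",
     "steps": [{"app": "Epic EHR", "fields": ["mrn", "appointment_time"]},
               {"app": "Google Calendar", "fields": ["title"]}]},
])

# Apps your organization has classified as holding PHI (assumed list; maintain it per org).
PHI_APPS = {"salesforce health cloud", "epic ehr", "athenahealth", "drchrono"}

# Field-name patterns that typically map to HIPAA identifiers
# (names, dates, MRNs, insurance numbers, contact details, clinical data).
PHI_FIELD_PATTERNS = [
    r"patient", r"\bdob\b", r"birth", r"\bmrn\b", r"medical_record", r"insurance",
    r"diagnos", r"\bssn\b", r"phone", r"email", r"address", r"appointment",
]

def is_phi_field(field):
    """True if the field name matches a known PHI identifier pattern."""
    name = field.lower()
    return any(re.search(pattern, name) for pattern in PHI_FIELD_PATTERNS)

def audit_zaps(inventory_json):
    """Return one finding per Zap that could route PHI. Disabled Zaps are
    included too: they can be switched back on, so they still need rearchitecting."""
    findings = []
    for zap in json.loads(inventory_json):
        apps = [step["app"] for step in zap["steps"]]
        phi_apps = [app for app in apps if app.lower() in PHI_APPS]
        phi_fields = sorted({f for step in zap["steps"] for f in step["fields"] if is_phi_field(f)})
        if phi_apps or phi_fields:
            findings.append({"zap": zap["name"], "status": zap["status"],
                             "phi_apps": phi_apps, "phi_fields": phi_fields,
                             "action": "disable and rearchitect"})
    return findings

if __name__ == "__main__":
    for finding in audit_zaps(SAMPLE_INVENTORY):
        print(f"[{finding['status']:>3}] {finding['zap']}: "
              f"apps={finding['phi_apps']} fields={finding['phi_fields']}")
```

Treat a hit on either check as a finding to review by hand; the field patterns catch common naming conventions, not every way PHI can be labelled.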
Frequently Asked Questions
Does Zapier sign a HIPAA BAA?
No — Zapier does not sign a HIPAA BAA on any plan, including Enterprise. Do not route PHI through Zapier workflows.
Can I automate HIPAA workflows with Zapier?
No — not for any workflow that involves PHI. Even workflows connecting two apps that each have BAAs cannot route PHI through Zapier, because Zapier itself is not covered by a BAA.
What HIPAA-compliant alternatives to Zapier exist for healthcare automation?
Microsoft Power Automate (covered under Microsoft's BAA) is the most accessible alternative. Workato offers enterprise BAAs for complex healthcare automation. Native integrations within EHR and health IT platforms are also HIPAA-safe options.
For a broader look at which vendors sign HIPAA BAAs, see our vendor BAA lookup guide.
Need to generate a BAA for a vendor that does sign?
When you switch to a HIPAA-compliant automation tool, generate your BAA document in minutes.