Jordan Vance

21 SaaS tools that won't sign a HIPAA BAA — at any plan (2026)

When you bolt a health feature onto an existing product, the BAA question tends to surface late — usually after Stripe is already wired in for billing, Calendly handles intake scheduling, and a couple of Zaps glue the rest together. The reflex is "we'll just move to the enterprise plan and sign their BAA when we need to."

For a lot of mainstream tools, that plan doesn't exist. They don't sign a Business Associate Agreement on any tier, and their Acceptable Use Policy bans PHI outright. No upgrade path, no exception.

I maintain a small directory that tracks BAA availability per vendor (this batch re-checked end of May 2026). Out of 105 SaaS tools, 21 are a flat "no — at any price." Here are the ones teams reach for most by reflex:

| Tool | Category | What their own policy says |
|---|---|---|
| Stripe | Payments | "may not be used to process PHI" — leans on the HIPAA payment-processing exemption instead |
| Calendly | Scheduling | No BAA on any plan, including Enterprise |
| Zapier | Automation | Its docs state regulated PHI "is not supported on Zapier" |
| Figma | Design | AUP explicitly prohibits uploading PHI |
| Shopify | E-commerce | AUP lists PHI as a "business activity not supported" |
| Mailchimp | Email marketing | No BAA on any plan; AUP bars regulated sensitive data |
| Trello | Kanban | Omitted from Atlassian's HIPAA-qualified product list |
| Google Analytics (GA4) | Web analytics | No BAA; sending PHI to GA is a recurring OCR enforcement theme |
| Hotjar | Session replay | No BAA — and session replay captures whatever's on screen |
| Klaviyo / SendGrid / Postmark / Brevo | Transactional & marketing email | No BAA on standard plans |
| Pipedrive | CRM | No BAA offered |
| Webflow / Squarespace | Site builders | No BAA |
| Retool / Basecamp / Miro / Loom / Canva / QuickBooks | Misc | No BAA on any tier |

A pattern shows up once you list them: the "no" cluster is concentrated in payments, marketing email, analytics/session-replay, and design/collaboration. The tools that do sign tend to be infrastructure (AWS, GCP, Azure) and the big productivity suites (Google Workspace, M365) — but usually only on a specific paid tier, which is its own trap for another post.

Two things I'd flag if you're architecting around this:

1. "Enterprise plan" is not a synonym for "BAA available." Check before you design the data flow, not after. For the 21 above there's nothing to upgrade to.

2. The exemption traps bite quietly. Stripe's "no" is genuinely fine — if you keep PHI out of every field, metadata key, invoice memo, and webhook payload. The moment a diagnosis code lands in an invoice description, you're processing PHI through a vendor with no BAA to fall back on. Same shape with analytics: a URL like /patient/12345/lab-results shipped to GA4 is PHI in a querystring.
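As an added example (mine, not from the post or the directory it links to), here are the two guards I'd put in front of those leak paths: tokenising the page path before it is sent as a GA4 page view, and refusing a Stripe-bound payload whose description or metadata carries something that looks like a diagnosis code or record number. The URL segment names, the ICD-10-CM code shape and the nine-digit MRN format are assumptions about a hypothetical clinic app.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed conventions for a hypothetical clinic app (assumptions, not from the post):
# the path segment after any of these names identifies a person.
IDENTIFYING_SEGMENTS = {"patient", "member", "appointment"}
# ICD-10-CM-shaped diagnosis code such as E11.9 or J45.20.
ICD10_RE = re.compile(r"\b[A-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?\b")
# Nine-digit medical record number, the format assumed for this app.
MRN_RE = re.compile(r"\b\d{9}\b")

# Constructed sample of a Stripe-bound invoice body with PHI in two fields.
SAMPLE_INVOICE = {
    "amount": 4500,
    "description": "Follow-up visit, dx E11.9",
    "metadata": {"patient_mrn": "123456789", "plan": "gold"},
}


def scrub_analytics_url(url):
    """Tokenise a page URL before it goes out as a GA4 page view: the segment
    after /patient, /member, ... becomes ':id', and the query string and
    fragment are dropped, so /patient/12345/lab-results?dx=E11.9 never leaves."""
    parts = urlsplit(url)
    segments = parts.path.split("/")
    for i, seg in enumerate(segments[:-1]):
        if seg in IDENTIFYING_SEGMENTS:
            segments[i + 1] = ":id"
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments), "", ""))


def _walk(obj, prefix=""):
    """Yield (field_path, text) for every string nested in dicts/lists."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{prefix}[{i}]")
    elif isinstance(obj, str):
        yield prefix, obj


def find_phi_fields(payload):
    """Return the paths of free-text fields (description, memo, metadata
    values, webhook bodies) that look like they carry a diagnosis code or
    record number. A non-empty result means: do not send this to a no-BAA vendor."""
    return [path for path, text in _walk(payload)
            if ICD10_RE.search(text) or MRN_RE.search(text)]
```

Run `find_phi_fields` on the request body in the same code path that builds the Stripe call, and `scrub_analytics_url` in the client before the page view fires; the MRN and code patterns are deliberately loose, so expect to tune them to your own identifier formats.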

The full list — 105 vendors, with the per-vendor policy language and a link to each trust center — is here if it's useful: BAA Atlas vendor directory. The individual verdicts spell out the carve-outs: Stripe, Calendly, Zapier, Figma.

And the one piece you can't hand to any vendor BAA: your own §164.308(a)(1)(ii)(A) risk analysis. If you want a fast self-check instead of a blank Word template, there's a free one here: HIPAA Security Risk Assessment.

How do you all handle the "vendor won't sign" case in practice — swap the tool out, or wall the PHI off into a separate BAA-covered system and keep the convenient tool for everything non-PHI? Curious what's actually held up in an audit.
