DEV Community

Jordan Vance


HIPAA BAA gotchas in 2026: the SaaS tools that only sign on Enterprise

If you handle protected health information, the single document that decides whether a SaaS tool is allowed to touch it is the Business Associate Agreement. No BAA, no PHI. It doesn't matter how good the vendor's SOC 2 report is or how many times the marketing page says "enterprise-grade security." Under HIPAA, if the vendor hasn't signed a BAA with you, putting a patient's name in that tool is a violation.

The part nobody tells you up front: a lot of the tools your team already runs on will sign one, but only if you're on the right plan. And the plan they want you on is usually the one with a "Contact Sales" button instead of a price.

I maintain a directory that tracks BAA availability across 105 of the SaaS tools developers and ops teams actually use. After going vendor by vendor through the published terms, the distribution is blunt:

  • 27 of 105 will sign a BAA on a standard paid plan (sometimes any paid plan).
  • 57 of 105 gate it. They'll sign, but only on a specific, usually higher, tier.
  • 21 of 105 won't sign at all, on any plan, including Enterprise.

So more than half the tools in common use put the BAA behind a plan wall, and a fifth slam the door entirely. Here are the three traps that catch teams, with named examples and the exact gotcha for each.

Trap 1: the Enterprise-only wall

This is the big one. Of the 57 plan-gated tools, roughly 40 reference Enterprise as the gate, and about 17 are Enterprise-and-nothing-else. A few you've almost certainly got open in another tab right now:

  • Notion signs a BAA only on the Enterprise plan, and Beta Services are explicitly excluded from coverage, which matters if you've turned on anything new.
  • Slack says you "must be using a Slack Enterprise plan" (Enterprise Grid) to be covered. Pro and Business+ are not named on the HIPAA page, which means a team on Business+ has no BAA and no obvious sign that it's missing. (I keep the cited details and the third-party-app caveat on the Slack BAA page in the directory. Slack's own BAA doesn't cover third-party apps you install, which is its own quiet gap.)
  • Box has signed BAAs since 2013, but only on Enterprise, Enterprise Plus, or Enterprise Advanced. The lower tiers have identical security controls and still can't execute a BAA. The wall is contractual, not technical.
  • HubSpot only signs once you're on an Enterprise tier and have enabled its Sensitive Data feature.

The pattern: the security is the same across tiers. What changes at Enterprise is the legal willingness to take on Business Associate liability. That's a procurement and budget problem wearing a security badge, and you want to know it before you've built a workflow on the Business plan.

Trap 2: "paid, but not the way you think"

Not every gate is Enterprise. Some vendors will sign on a mid-tier paid plan, which is good news, but the fine print hides in which plan and which country.

  • Dropbox signs electronically through the admin console on Standard, Advanced, Business, and Business Plus, but not free, Plus, or Family. Two more catches: the self-service BAA is US-only, and signing it disables reseller support. Dropbox Sign needs its own separate BAA on top.
  • Zoom covers paid healthcare customers across Pro, Business, Business Plus, and Enterprise. Free accounts are out. And the BAA itself is US-only: customers with a Canadian billing address get a Personal Health Information Annex (PHIA) for PHIPA/PIPEDA instead.
  • Google Workspace offers a BAA to any paid Workspace/Cloud Identity customer through the Admin console, but it covers only the services on Google's HIPAA Included Functionality list. Consumer Gmail is never covered.

Cloud storage is the cleanest illustration of how much the tier and geography matter. Dropbox and Box look interchangeable until you line up who can actually sign, on which plan, in which country. I put them side by side on the cloud storage comparison so you can see the gate before you commit a migration to it.

The lesson here is to read the mechanism, not just the yes/no. "We sign a BAA" can mean a self-serve toggle in the admin console (Dropbox) or a sales call and a higher SKU (Box). Those are very different timelines when you're trying to ship.

So plan for the slow path. If the gate is a sales motion, the BAA is the long pole in your launch, not an afterthought you handle the week before go-live.

Trap 3: never, on any plan

Twenty-one tools won't sign, and some of them are surprising because they feel like infrastructure:

  • Calendly does not sign a BAA on any plan, including Enterprise.
  • Mailchimp (Intuit) won't either. Its Acceptable Use Policy bars importing regulated sensitive data.
  • Stripe does not act as a Business Associate for its core payments platform and states PHI may not be processed through it. Being PCI Level 1 for cardholder data is not a HIPAA substitute, which is a confusion I see constantly.
  • Figma, Miro, Canva, Zapier, Shopify, and Google Analytics (GA4) round out the no-BAA list.

If a tool sits in this bucket, no amount of configuration makes it compliant for PHI. The only safe moves are to keep PHI out of it entirely or to find a vendor that will sign. Worth flagging: a couple of these verdicts (Calendly especially) rest on terms that vendors quietly change, so re-confirm directly before you rely on a "no."

The scope gotchas that bite after you've signed

Getting the signature isn't the finish line. The BAA usually covers less than the whole product:

  • Twilio signs a Business Associate Addendum, but only on Security or Enterprise Edition, and only HIPAA-Eligible Products may carry PHI. The eligible-products list lives on a separate doc that changes over time.
  • Notion's BAA excludes Beta Services, so the shiny new feature may be out of scope the day you turn it on.
  • Slack's BAA doesn't extend to third-party apps you install into the workspace; each of those needs its own agreement.

So "the vendor signed a BAA" and "this specific feature is in scope for PHI" are two different facts. Always pull the included/excluded list.

A short checklist for actually getting one

  1. Find the gate first. Before you build anything, confirm which plan signs and whether it's self-serve or a sales motion. The tier requirement is the long-lead item.
  2. Get the mechanism right. Admin-console toggle, billing add-on, or sales call: each has a different timeline. Don't assume "Enterprise" means "instant."
  3. Read the scope list. HIPAA-eligible products, excluded beta features, third-party apps, and geography (US-only is common) are all standard ways the coverage is narrower than the product.
  4. Re-verify the "no" answers. Vendors change terms without announcing it. A "won't sign" from six months ago may have flipped, in either direction.
  5. Keep PHI out of the no-BAA tools entirely. Configuration cannot fix a missing agreement.

None of this is exotic. It's just tedious to chase across 105 different help-center pages, each of which words it differently and updates on its own schedule. If it's useful, the full directory (every vendor's BAA status, the cited source, the plan tier, and the step-by-step request path) lives at baa-atlas.vercel.app, last verified end of May 2026. Every claim above is pulled from a vendor's own published terms; where a verdict leans on a third-party source, the directory says so.
