Why BAAs exist
HIPAA covers two kinds of organizations: covered entities and business associates. Covered entities are healthcare providers, health plans, and clearinghouses. Business associates are vendors that handle PHI on behalf of covered entities — billing companies, EHR vendors, cloud providers, anyone who sees patient data as part of doing their job.
The BAA is the contract between them. It makes the business associate responsible for following HIPAA, even though they're not a covered entity themselves. Without a BAA, a vendor that touches PHI is operating outside the rules and the covered entity is in violation under 45 CFR §164.504(e).
The vendors everyone remembers
Most practices have BAAs in place with the obvious ones: the EHR (Epic, Athenahealth, eClinicalWorks, Kareo), the practice-management system, the billing company, the patient-portal vendor. These are the vendors that actively store PHI as their core function.
The vendors most practices forget
Here's where the gap is. Modern practices use dozens of SaaS tools for marketing, communication, and operations. Most of them see PHI in passing, even when they're not selling themselves as healthcare tools. None of them include a BAA on their basic plan.
Email marketing. Mailchimp explicitly does not allow PHI on its standard plan and has no BAA on any plan. Constant Contact is the same. SendGrid and Klaviyo have BAAs only on enterprise tiers. Most healthcare practices use the free or starter plan because that's what their consultant set up.
Scheduling and forms. Calendly's free and standard plans don't include a BAA. Acuity (now part of Squarespace) requires a specific HIPAA-eligible plan. Typeform's standard plan doesn't include one. JotForm has a HIPAA tier but most embeds we see in the wild are on the basic plan. Google Forms — no BAA, full stop.
Customer support and chat. Intercom requires its Premier tier for a BAA. Drift has no standard BAA. Zendesk requires its Advanced plan. Tidio has no BAA. The free chat widget your front-desk staff put on the homepage almost certainly isn't covered.
Analytics and product tools. Microsoft Clarity is free, which is the tell — there's no BAA. Hotjar requires its Business or Scale tier. FullStory has a BAA only on its enterprise tier; LogRocket is the same. A default Google Analytics 4 deployment is not BAA-covered. Mixpanel and Amplitude have BAAs only on enterprise tiers.
Productivity and collaboration. Microsoft 365 includes a BAA, but only on specific plans (Business Premium and above) and only after you sign it through the Service Trust Portal. Google Workspace is similar — Business and Enterprise plans only, and you have to actively accept the BAA in the admin console. Slack requires Enterprise Grid for a BAA. Notion has a BAA only on its Enterprise tier. Most practices we scan are on the smaller plans.
Video and meetings. Zoom's standard plan doesn't include a BAA. You need Zoom Healthcare or Zoom Enterprise with the BAA add-on. Generic Zoom embeds for telehealth are the most common HIPAA gap we see. Same for Whereby, Jitsi, and Google Meet on the standard tier.
Documents and file sharing. Dropbox requires its HIPAA-eligible plan, and Box is similar. DocuSign requires its enterprise tier and a separately signed BAA. Loom has no standard BAA. Vimeo's basic plans don't include one.
"I don't put PHI in there" — what that actually means
The most common defense we hear is "we don't put PHI in those tools." Often the speaker means it. Often the speaker is wrong.
PHI ends up in these tools through normal use. Examples we see constantly:
- Front desk uses Slack to coordinate which patient is in which room
- Provider sends a Loom video walkthrough of a chart to a partner
- Marketing puts a "schedule a free consultation" form on the website with the reason-for-visit field included
- Practice manager exports an appointment schedule to Google Sheets to manage staff coverage
- Billing question gets answered through Intercom chat with the patient’s account number visible
The standard isn't "do you intend to put PHI there." The standard is "could PHI plausibly end up there in normal operation." If yes, you need a BAA — or you need a vendor whose standard tier includes one.
What to do this week
Pick one afternoon. List every SaaS tool your practice pays for or uses. Cross-reference each one against your BAA file. Anywhere you have a tool but no BAA, three options: get the BAA (often a paid upgrade), switch to a vendor whose default plan includes one, or stop using the tool with patient data and document the policy.
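The forgotten vendors above usually announce themselves in the practice's own website: every chat widget, booking embed and analytics tag is a third-party script or iframe loading from that vendor's domain. The following is an added example (not code from this article or from any vendor) that does the cross-reference step mechanically: it inventories third-party hosts in a page's HTML, maps them to the vendors named in this article, and checks each against the BAA file. The domain-to-vendor table, the sample HTML and the sample BAA register are constructed assumptions for illustration; the plan notes attached to each vendor are taken from the article and should be re-verified against the vendor's current terms before you rely on them.

```python
"""Inventory third-party embeds on a practice website and cross-reference them
against the BAA file. Added example; the host mapping and sample data are
constructed for illustration, not a vetted vendor list."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# ASSUMPTION: registrable domains the listed vendors load their embeds from.
# Verify against the script tags actually present on your own site.
VENDOR_BY_DOMAIN = {
    "calendly.com": "Calendly",
    "typeform.com": "Typeform",
    "intercom.io": "Intercom",
    "clarity.ms": "Microsoft Clarity",
    "hotjar.com": "Hotjar",
    "googletagmanager.com": "Google Analytics 4",
    "zoom.us": "Zoom",
}

# Plan notes as stated in the article, keyed by vendor.
PLAN_NOTE = {
    "Calendly": "free and standard plans do not include a BAA",
    "Typeform": "standard plan does not include a BAA",
    "Intercom": "BAA requires the Premier tier",
    "Microsoft Clarity": "no BAA on any plan",
    "Hotjar": "BAA requires the Business or Scale tier",
    "Google Analytics 4": "default deployment is not BAA-covered",
    "Zoom": "needs Zoom Healthcare or Enterprise with the BAA add-on",
}

# Constructed BAA register: vendor -> plan the BAA was signed on.
SAMPLE_BAA_FILE = {"Epic": "Enterprise", "Hotjar": "Business"}

# Constructed sample page for a hypothetical practice site.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://www.clarity.ms/tag/PLACEHOLDER"></script>
<script src="https://static.hotjar.com/c/hotjar-PLACEHOLDER.js"></script>
<script src="/js/site.js"></script>
</head><body>
<iframe src="https://calendly.com/example-practice/consult"></iframe>
<script src="https://widget.intercom.io/widget/PLACEHOLDER"></script>
<img src="https://www.example-practice.org/logo.png">
</body></html>"""


class EmbedCollector(HTMLParser):
    """Collect hostnames of script/iframe/img/link resources not served by the site itself."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "img", "link"):
            return
        a = dict(attrs)
        src = a.get("src") or a.get("href")
        if not src:
            return
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        if not src.startswith(("http://", "https://")):
            return                        # same-origin relative path
        host = urlparse(src).hostname
        if host and host.lower() != self.site_host:
            self.hosts.add(host.lower())


def third_party_hosts(html, site_host):
    """Sorted list of third-party hostnames referenced by the page."""
    collector = EmbedCollector(site_host)
    collector.feed(html)
    return sorted(collector.hosts)


def vendor_for(host):
    """Map a hostname, or any of its parent domains, to a vendor; None if unknown."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in VENDOR_BY_DOMAIN:
            return VENDOR_BY_DOMAIN[candidate]
    return None


def baa_gaps(html, site_host, baa_file=SAMPLE_BAA_FILE):
    """Return ({vendor: status}, [unknown hosts]) for the page's third-party embeds."""
    report, unknown = {}, []
    for host in third_party_hosts(html, site_host):
        vendor = vendor_for(host)
        if vendor is None:
            unknown.append(host)          # review by hand: not in the mapping
        elif vendor in baa_file:
            report[vendor] = f"covered (BAA on {baa_file[vendor]} plan)"
        else:
            report[vendor] = f"GAP: no BAA on file; {PLAN_NOTE.get(vendor, 'check vendor terms')}"
    return report, unknown


if __name__ == "__main__":
    found, unmapped = baa_gaps(SAMPLE_HTML, "www.example-practice.org")
    for vendor, status in found.items():
        print(f"{vendor:20s} {status}")
    print("unmapped third-party hosts:", unmapped)
```

Each GAP line is one of the three decisions the article lists: upgrade to the BAA-eligible plan, switch vendors, or remove the embed and document the policy. Hosts that land in the unmapped list are not safe by default; they are simply vendors the table does not know about, and belong on the same afternoon's checklist.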
The MMG Fusion case is the most recent reminder that BAA gaps don't have to come from a marquee vendor to produce a settlement. MMG was a dental marketing software company, not a name most practice managers had heard of. The breach exposed 15 million records.