HIPAA Compliance · 2026-06-30 · 14 min read
Is It HIPAA Compliant? 100 Popular Tools and Whether They Sign a BAA (2026)
No tool is HIPAA compliant on its own — what matters is whether the vendor signs a BAA. We checked 100 popular tools against their official docs: which sign a BAA, which are conditional, and which won't.
Healthcare teams ask one question about almost every app they use: is it HIPAA compliant? The honest answer is that no software is HIPAA compliant on its own. What actually matters is whether the vendor will sign a Business Associate Agreement (BAA) — and even then, compliance depends on signing it, configuring the product correctly, and maintaining your own safeguards.
We checked 100 popular tools against each vendor's official HIPAA/BAA documentation (verified June 2026). Here is where they stand:
- 37 sign a BAA (often still gated to paid or business plans)
- 50 are conditional — only on specific plans, paid add-ons, or with required configuration
- 13 will not sign a BAA — keep PHI out of these entirely
This page is general information, not legal advice. Vendor terms change — always confirm the current BAA directly with the vendor before putting any protected health information (PHI) into a tool.
What "Yes," "Conditional," and "No" actually mean
A Yes means the vendor will enter into a BAA — but you usually still need a paid or business plan, must sign the agreement, and must configure the product correctly. A Conditional means a BAA exists only on certain tiers (often Enterprise), only as a paid add-on, or only after enabling specific settings. A No means the vendor will not sign a BAA and its terms typically prohibit PHI, so these tools must never hold patient data.
EHR & practice management
Telehealth & patient communication
Email & secure messaging
Cloud storage & file sharing
Forms & scheduling
CRM & marketing
Customer support & help desk
Productivity & project management
AI tools
Payments & accounting
E-signature
Infrastructure, video & communications
Other tools
Tools that will not sign a BAA (keep PHI out)
These popular tools do not sign a BAA, and several explicitly prohibit PHI in their terms. Do not store or transmit patient data in them:
How to use any tool with PHI safely
- Confirm a BAA is available for your plan, and sign it before any PHI touches the tool.
- Use only covered services and features. Many BAAs exclude AI features, integrations, email/SMS, or specific products.
- Configure the product: enable encryption, MFA, least-privilege access, and audit logging, and set retention.
- Keep an inventory of every vendor that touches PHI and the status of each BAA.
- Re-check periodically — vendor terms and your own stack both change.
Track every vendor BAA in one place
Keeping 20–50 vendor BAAs current is exactly the kind of work that slips. Shieldra is HIPAA-first compliance software that tracks your vendors, BAAs, and audit-ready evidence — and flags any tool touching PHI without an agreement.