Is Cloudflare HIPAA compliant?
Conditionally. Cloudflare signs a BAA only for Enterprise customers and only for in-scope services (e.g., CDN, WAF, Bot Management); it is not available on self-serve plans and must be arranged through sales.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Enterprise plan only (with minimum spend); the BAA is non-negotiable and specifies exactly which services may handle ePHI. Arrange through Cloudflare's sales team.
- Official source: Cloudflare — What is HIPAA compliance? — https://www.cloudflare.com/learning/privacy/what-is-hipaa-compliance/ (verified 2026-06)
How to use Cloudflare in a HIPAA-compliant way
- Engage Cloudflare's sales/enterprise team to obtain an Enterprise agreement and the HIPAA BAA.
- Execute the (non-negotiable) BAA and confirm which purchased services are in scope for ePHI.
- Route ePHI only through in-scope services (e.g., CDN, WAF, Bot Management).
- Configure TLS, access policies, logging, and security rules to meet your safeguards.
- Document your risk assessment and retain the executed BAA.
Important caveats
- Only Enterprise customers (with minimum spend) can obtain a BAA; self-serve Free/Pro/Business plans cannot.
- Only specified services are in scope — some products may not be covered when purchased alone.
- The BAA reflects HIPAA obligations only; you remain responsible for compliant configuration and your own safeguards.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Cloudflare correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Cloudflare.
Frequently asked questions
Does Cloudflare sign a BAA?
On specific plans. Enterprise plan only (with minimum spend); the BAA is non-negotiable and specifies exactly which services may handle ePHI. Arrange through Cloudflare's sales team. A signed BAA is required before any PHI is involved.
Is Cloudflare HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Cloudflare offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Cloudflare with PHI?
Check your plan tier first: only Enterprise customers (with minimum spend) can obtain a BAA; self-serve Free/Pro/Business plans cannot.