Tool compliance guides
Is your tech stack HIPAA compliant?
Most workplace tools can be made HIPAA-compliant — on the right plan, with the right settings, and a signed BAA. That part is necessary. It is not sufficient. A practice with twenty compliant tools can still be a practice with zero compliance program. Below: what each tool actually requires, and where "compliant tool" stops being the answer.
Messaging & video
Voice, video, and chat — where most practices first ask the BAA question, and where the gaps show up fast.
Zoom
Technically yes — Healthcare or Business+ plan, signed BAA, locked-down settings. But a configured Zoom doesn't audit who joined which call, doesn't enforce the BAA gate, and doesn't track recordings to your retention policy. One configured tool, not a compliance program.
Read full guide →
Microsoft Teams
Yes on Business/Enterprise plans with a BAA. But Teams alone doesn't gate messaging by BAA status, doesn't capture per-tab access logs, and doesn't surface who saw which thread. It's one component, not a secure-messaging system.
Read full guide →
Slack
Enterprise Grid is the only plan on which Slack signs a BAA. Free, Pro, and Business+: no path. For most independent practices, the practical answer is to pick a different tool that signs a BAA on a plan you can actually use.
Read full guide →
WhatsApp
Meta does not sign a BAA for WhatsApp. End-to-end encryption alone does not satisfy HIPAA — the metadata (who messaged whom, when) lives in Meta's systems, and Meta isn't a covered business associate. Don't use it for clinician-patient communication, no matter how convenient.
Read full guide →
Signal
Signal is end-to-end encrypted but does not offer a BAA for healthcare use. The encryption is excellent; the missing BAA makes it non-compliant for clinician-patient or clinician-clinician PHI exchange. Use it for personal communication, not clinical.
Read full guide →
Voicemail
Allowed. But cloud voicemail systems need a BAA, and message content has to follow minimum-necessary rules under §164.502(b). Most front-desk staff have been trained on neither — and that's where the violation lives.
Read full guide →
Faxing
Analog fax: yes. Cloud fax / email-to-fax: only with BAA and encryption. The deeper question worth asking: in 2026, why is fax still in your patient-data flow at all? Each fax destination is a vendor relationship that needs its own BAA tracking.
Read full guide →
Twilio
HIPAA-eligible products + signed BAA: yes. SMS, Voice, Video, SendGrid all covered when explicitly contracted. The trap: 'Twilio account created' isn't 'BAA in place' — trial accounts and consumer products are out of scope. And the carrier network where SMS terminates isn't encrypted end-to-end. Content discipline matters as much as the BAA.
Read full guide →
Loom
Loom does not sign a BAA on any plan — Free, Business, Enterprise, all the same answer. Recording a screen walkthrough that shows real patient charts puts PHI on uncovered infrastructure with searchable AI transcripts. Use Vidyard, Microsoft Stream on a covered tenant, or self-hosted alternatives.
Read full guide →
Email & scheduling
The first place PHI accidentally lands. Configuration matters; staff workflow matters more.
Email (general)
Standard email: never. Even “HIPAA-compliant email” needs more than encryption — a BAA with your provider AND every plugin, archiver, and filter touching the inbox; MFA; audit logs; TLS that refuses to fall back to plaintext when the receiving server doesn’t support it; DLP; email-specific staff training. Most setups have three of those, not seven. Deeper truth: email was never designed for healthcare. Every PHI message it carries is a workaround. Patient portals and purpose-built secure messaging are the right tools for PHI; email should carry as little of it as possible.
Read full guide →
Gmail
Free Gmail: never. Google Workspace + BAA + admin lockdown: yes on paper. In practice: staff send PHI through personal Gmail alongside it; the Workspace plugins, archivers, and integrations need BAAs nobody tracks; auto-forward rules quietly leak PHI; TLS silently falls back to plaintext when the receiving server doesn’t support it. The signed BAA covers Google Workspace’s infrastructure — and nothing else in the email path.
Read full guide →
Calendly
Whether Calendly signs a BAA depends on plan and timing — confirm directly. But Calendly's BAA covers Calendly's storage of appointment data, not the patient name + visit reason that flows back into your inbox or your front-desk spreadsheet. The BAA is upstream; the leak is downstream.
Read full guide →
Storage, documents & forms
Where PHI sits at rest. Plan choice + admin settings matter — and so does the workforce member who syncs to a personal account.
Google Workspace
Yes on paid plans with BAA and the right admin settings. The harder question: who at your practice knows what those settings are, and when did anyone last verify they're still configured correctly?
Read full guide →
Dropbox
Business/Enterprise + signed BAA only. Free, Plus, and Family plans: no path to compliance. The risk most practices ignore: the admin uses the right plan, while staff sync to a Personal account on the same device. Syncing a single ePHI file to the wrong account is a reportable event.
Read full guide →
iCloud
Apple does not sign a BAA for iCloud. That makes iCloud a non-starter for ePHI storage — and the staff iPhones in your office may already be backing photos, voice memos, and texts through personal iCloud accounts. The exposure isn't theoretical; it's already happening on most devices.
Read full guide →
Notion
Notion's BAA availability is narrow and varies — confirm directly with Notion before assuming coverage. For SOPs, internal docs, non-PHI workflow: fine. The moment a clinical note, patient identifier, or appointment detail lands in a Notion page without coverage, you have a problem.
Read full guide →
DocuSign
DocuSign signs BAAs on appropriate plans, and the platform itself is solid. The catch most practices miss: DocuSign is one part of an end-to-end consent workflow that has to include retention, access logging, and policy mapping. The signature is the easy part.
Read full guide →
Adobe Acrobat Sign
Adobe Acrobat Sign Enterprise + signed BAA: yes. Acrobat Pro DC (the PDF editor): never — different product, no BAA. The naming overlap catches practices: 'I have Adobe Acrobat' doesn't mean 'I have HIPAA-covered e-signatures.' Confirm the product, the tier, and the executed BAA before any consent form runs through it.
Read full guide →
OneDrive
Yes on Microsoft 365 commercial plans + signed BAA. Personal OneDrive accounts and Microsoft 365 Family/Personal: never. The configuration trap: anonymous link sharing is on by default, sync to personal Microsoft accounts is allowed by default, DLP for PHI patterns isn't configured by default. The BAA is the floor, not the ceiling.
Read full guide →
Google Forms
On Workspace + BAA + the right configuration, technically yes. But Forms is a general survey tool — using it for clinical intake without DLP, validation, and a real audit trail produces compliant-on-paper, exposed-in-practice. Patient intake belongs in a system designed for it.
Read full guide →
Marketing, payments & analytics
The categories practices most often forget contain PHI — until OCR sends a letter.
Mailchimp
Mailchimp signs BAAs on certain plans — confirm scope directly. The harder operational question: what counts as PHI in marketing? A patient appointment reminder is PHI. A post-visit thank-you email is PHI. Most practices don't realize how much of their list is regulated data.
Read full guide →
Square
Square signs a BAA for Square for Healthcare. Other Square products (POS, Online Store) typically do not. The realistic risk: practices use multiple Square products and run patient billing through whichever is open in the browser. The plan matters per product.
Read full guide →
QuickBooks
Intuit does not sign a BAA for QuickBooks. Patient names + amounts owed are PHI under §164.501. The compliant approach is operational: keep PHI out of the accounting layer — use patient IDs not names, and route billing through a HIPAA-covered intermediary.
Read full guide →
Google Analytics
Google does not sign a BAA for Analytics. Practices running standard GA on patient-facing pages routinely surface URLs containing ePHI through query strings. There is no settings change that fixes this — you remove GA from PHI-touching pages, or you don't run it.
Read full guide →
Salesforce
Yes on Health Cloud or Enterprise editions of Sales/Service Cloud with a signed BAA. Sales Cloud Standard, Service Cloud Professional, and Marketing Cloud: not eligible. Edition matters — and a BAA on Sales Cloud doesn't extend to Marketing Cloud, Pardot, or AppExchange integrations. Each product line is its own conversation.
Read full guide →
HubSpot
Yes on Enterprise tier with a signed BAA. Free, Starter, Professional: no path. The trap most practices fall into: starting on Professional, accumulating patient data, then trying to upgrade. The BAA only covers data going forward — everything before the upgrade was uncovered.
Read full guide →
Stripe
Stripe does not sign a BAA. But the answer has nuance: a clean financial transaction without clinical context falls inside HIPAA's payment-processing exemption. The line is crossed when statement descriptors disclose specialty, invoices itemize CPT codes, or metadata includes diagnosis. Keep Stripe narrow; let your PM system carry the clinical billing.
Read full guide →
Zapier
Zapier does not sign a BAA on any plan. Every workflow that routes patient data through Zapier — even briefly — is uncovered PHI on a non-eligible vendor. Most practices forget Zapier exists when they map their compliance footprint. That invisibility is the actual risk. Use Workato, Make on a HIPAA tier, or native integrations.
Read full guide →
AI & infrastructure
The newest category of compliance question — and the one with the biggest gap between marketing and architectural reality.
ChatGPT
OpenAI signs BAAs on certain enterprise tiers, and HIPAA-eligible API workflows exist. But the practical answer for an independent practice is: don't put PHI in any third-party cloud LLM unless the architecture is explicitly designed for it. AI compliance in healthcare is architecture, not policy.
Read full guide →
AWS
Yes with BAA and HIPAA-eligible services configured (Patient Protect runs on AWS). Important nuance: AWS gives you the building blocks. Whether what you build on top is compliant depends entirely on the application layer — and most practices aren't building on AWS directly.
Read full guide →
Notion AI
No — even though Notion Enterprise itself signs a BAA. The BAA explicitly excludes Notion AI features. One 'Ask AI' click on a page with PHI sends content through third-party LLM providers with no HIPAA chain. The boundary is one keystroke wide. Disable AI at the workspace level or maintain separate workspaces.
Read full guide →
ServiceNow
Yes on enterprise contracts with a BAA, especially the Healthcare and Life Sciences product line. Standard tenants: not eligible by default. The BAA scope is consequential — large healthcare organizations with broad ServiceNow footprints often need separate BAAs per product line. A corporate ITSM contract does not automatically cover clinical workflows.
Read full guide →
Where Patient Protect fits
You configure the tools. Patient Protect runs the system.
After you read the guide for any tool above, the harder question remains: in your practice, which of these touches PHI, where, and who's accountable for keeping each BAA current? That is not a tool question. It is a system question. Patient Protect is the system that maps your data flow, tracks every BAA, audits every access, and shows you the gaps your stack creates — even when every tool in it is configured correctly.
Maps where each tool sits in your PHI flow
The Data Flow Mapper sees every tool above as one connected picture, not isolated boxes.
Tracks every BAA across every vendor
Six-state lifecycle, expiration alerts, pre-execution gap detection on every relationship.
Audits every PHI access across the stack
Per-session, per-tab, immutable, OCR-export-ready — whatever the tool, the trail is unified.
Featured
The Franken-stack: Why compliant tools don't add up to a compliant practice.
Most independent practices run a cobbled-together collection of software that feels operational and fails at compliance. You can have ten HIPAA-compliant tools and zero HIPAA compliance.
Read the full analysis →
A compliant tool is not a compliant practice.
Configuring one tool is the easiest part of compliance. The harder parts: knowing every tool that touches PHI, tracking the BAAs across all of them, training the staff who use them, auditing access weekly, generating evidence the day OCR asks for it. Each of those is required. None of them happen because you flipped a setting in Zoom.
Patient Protect is the system layer over your tools — the risk assessment that maps where each one sits in your data flow, the BAA tracker that watches expiration on every vendor, the audit log that captures every PHI access, and the live compliance score that reflects whether your stack actually works as a system. Starting at $39/month.