Is Your Tool Compliant?
Detailed compliance assessments for popular SaaS tools and platforms. Find out if the tools you use meet HIPAA, SOC 2, GDPR, and PCI DSS requirements — and what you need to configure.
HIPAA
Zoom
Video Conferencing
Zoom is HIPAA compliant only when you sign a BAA with Zoom and enable required security settings. The free and Pro plans do not qualify. You must use Zoom for Healthcare or a Business+ plan with the BAA executed.
Google Meet
Video Conferencing
Google Meet is HIPAA compliant when used through Google Workspace (Business, Enterprise, or specific education/nonprofit tiers) with a signed BAA. The free consumer version of Google Meet is not HIPAA compliant.
GoDaddy
Web Hosting
GoDaddy is NOT HIPAA compliant. GoDaddy does not offer a BAA, does not provide the required technical safeguards for PHI, and its terms of service explicitly do not address HIPAA requirements. Do not use GoDaddy for any application that handles protected health information.
HIPAA-Compliant CRM Software
CRM
Several CRM platforms can be HIPAA compliant with proper configuration. Salesforce Health Cloud is purpose-built for healthcare. HubSpot offers a BAA on Enterprise plans. Freshsales and Zoho CRM also offer BAAs. Always verify BAA availability and configure access controls before storing PHI.
HIPAA-Compliant Email Providers
Several email providers offer HIPAA-compliant email solutions. Paubox provides seamless encryption without requiring recipient action. Virtru adds encryption to Gmail and Outlook. Hushmail is designed for small healthcare practices. Google Workspace and Microsoft 365 can also be compliant with BAAs and proper configuration.
HIPAA-Compliant Cloud Storage
Cloud Storage
AWS S3, Azure Blob Storage, Google Cloud Storage, and Box all offer HIPAA-compliant cloud storage with signed BAAs. Each requires specific configuration including encryption, access controls, and audit logging to maintain compliance.
ChatGPT
AI Assistant
ChatGPT is HIPAA compliant ONLY on the Enterprise plan, where OpenAI signs a BAA and does not use your data for training. Free, Plus, and Team plans are NOT compliant and must never be used with PHI. The OpenAI API also supports BAAs for developers building healthcare applications.
Gmail
Free Gmail is NOT HIPAA compliant. Google Workspace Gmail (Business, Enterprise plans) is HIPAA compliant when you sign the BAA in the Admin Console and configure security settings. Even with Workspace, Gmail does not provide end-to-end encryption for external recipients without third-party add-ons.
Google Workspace
Productivity Suite
Google Workspace is HIPAA compliant when you sign the BAA in the Admin Console. Core services including Gmail, Drive, Meet, Docs, Sheets, Slides, Calendar, and Chat are all covered. However, additional Workspace services and third-party Marketplace apps may not be covered.
HIPAA-Compliant Video Conferencing
Video Conferencing
Several video conferencing platforms are HIPAA compliant with BAAs. Doxy.me is purpose-built for telehealth with no downloads required. Zoom for Healthcare offers a comprehensive BAA. Microsoft Teams and Google Meet are compliant through enterprise plans with BAAs. Each requires specific configuration.
HIPAA-Compliant Hosting Providers
Web Hosting
AWS, Microsoft Azure, Google Cloud Platform, Liquid Web, and Atlantic.Net all offer HIPAA-compliant hosting with BAAs. Major cloud providers require you to configure compliance yourself, while specialized providers offer pre-configured HIPAA hosting environments.
HIPAA-Compliant Telehealth Platforms
Telehealth
Purpose-built telehealth platforms like Doxy.me, SimplePractice, TheraNest, and VSee are all HIPAA compliant with included BAAs. The best choice depends on your practice size, specialty, and whether you need integrated EHR, billing, and scheduling features.
Slack
Team Messaging
Slack is HIPAA compliant ONLY on the Enterprise Grid plan with a signed BAA from Salesforce (Slack's parent company). Free, Pro, and Business+ plans do not qualify. Enterprise Grid provides the encryption, DLP, and admin controls required for HIPAA.
Dropbox
Cloud Storage
Dropbox is HIPAA compliant on Business Advanced and Enterprise plans with a signed BAA. Free, Plus, Professional, and Business Essentials plans are NOT compliant. Even on qualifying plans, you must configure sharing restrictions and access controls.
Microsoft Teams
Team Collaboration
Microsoft Teams is HIPAA compliant with a Microsoft 365 Business or Enterprise BAA. The BAA covers Teams messaging, video, file sharing, and integrations with other M365 services. Configuration of DLP, retention, and access controls is required.
Trello
Project Management
Trello is NOT HIPAA compliant. Atlassian does not offer a BAA for Trello, and the platform is not designed for handling protected health information. Do not use Trello for patient tracking, care coordination, or any workflow involving PHI.
HIPAA-Compliant File Storage
File Storage
Several enterprise cloud drives are HIPAA compliant with the right plan and a signed BAA. Box for Healthcare is purpose-built. Google Workspace Business+ and Microsoft 365 Business include a BAA on paid tiers. Dropbox Business plans qualify with their BAA. Free or personal accounts never qualify.
HIPAA-Compliant Scheduling & Calendar Software
Scheduling
SimplePractice, NexHealth, and Mend are purpose-built HIPAA-compliant scheduling platforms. Calendly Enterprise and Acuity (Squarespace HIPAA plan) sign BAAs on their healthcare-specific tiers. Free or standard plans of general-purpose tools do not qualify.
HIPAA-Compliant SMS & Text Messaging
SMS Messaging
Several providers offer HIPAA-eligible SMS or secure messaging: Twilio (with its BAA), MessageBird Enterprise, OhMD, Spruce Health, and RingCentral. The strict-SMS path requires a BAA plus limits on what content may be sent; the secure-channel path (in-app or branded portal) gives stronger protections.
HIPAA-Compliant Online Fax Services
Fax
Sfax, SRFax, Phaxio (Sinch), and Updox are purpose-built HIPAA-compliant fax services with BAA included. eFax offers a separate Corporate / Healthcare tier with a BAA. Personal eFax, MyFax, and consumer-grade fax-by-email services do not qualify.
HIPAA-Compliant Project Management Software
Project Management
Asana Enterprise+ and Atlassian Cloud Enterprise are HIPAA compliant with signed BAAs. Monday Enterprise supports BAA on healthcare-specific contracts. ClickUp Enterprise has a BAA path. Free, Standard, and Pro plans of these tools generally do NOT qualify. Notion does not currently offer a BAA.
HIPAA-Compliant Accounting & Bookkeeping Software
Accounting
NetSuite and Sage Intacct offer BAA on enterprise contracts. QuickBooks Online Advanced has limited HIPAA support (BAA available for specific configurations). Xero does not currently offer a standard BAA. Bill.com offers HIPAA-compliant invoicing on Enterprise plans.
HIPAA-Compliant Payment Processing & Patient Billing
Payment Processing
Stripe and Square both offer HIPAA-eligible terms for healthcare customers on request. Authorize.Net (Visa) offers BAA for Healthcare. InstaMed (JPMorgan) is purpose-built for healthcare payments with BAA included. Standard merchant accounts at most processors do NOT include a BAA by default.
HIPAA-Compliant Data Warehouse & Analytics
Data Warehouse
Snowflake, BigQuery, Redshift, Azure Synapse, and Databricks all offer HIPAA-eligible services with a BAA. The BAA scope and required configuration differ by provider: Snowflake and BigQuery require an explicit HIPAA edition or acceptance of HIPAA terms; AWS Redshift inherits the AWS BAA; Databricks offers HIPAA on Premium/Enterprise.
HIPAA-Compliant Call Center & Contact Software
Call Center
Five9 Healthcare Cloud, Talkdesk Healthcare Experience Cloud, Genesys Cloud, and NICE CXone all offer HIPAA-eligible services with BAA. Amazon Connect is HIPAA-eligible under the AWS BAA with the right configuration. Free or developer accounts do not include BAA.
HIPAA-Compliant Survey & Form Software
Survey Software
Formstack Healthcare, JotForm HIPAA plan, SurveyMonkey Enterprise, REDCap, and Qualtrics offer HIPAA-eligible plans with signed BAA. Google Forms, basic Typeform, Microsoft Forms (personal), and free SurveyMonkey do NOT qualify.
SOC 2
AWS
Cloud Infrastructure
AWS is SOC 2 Type II compliant. AWS publishes annual SOC 2 Type II reports audited by independent firms. The reports cover AWS infrastructure security, availability, and confidentiality controls. However, your use of AWS does not make your application SOC 2 compliant — the shared responsibility model applies.
Google Cloud
Cloud Infrastructure
Google Cloud Platform is SOC 2 Type II compliant. Google publishes annual SOC 2 Type II reports covering Security, Availability, and Confidentiality Trust Services Criteria. Reports are available through the Google Cloud compliance reports manager.
Microsoft Azure
Cloud Infrastructure
Microsoft Azure is SOC 2 Type II compliant with annual audits covering 200+ services. Reports cover Security, Availability, Confidentiality, and Processing Integrity criteria. Access reports through the Service Trust Portal.
Salesforce
CRM / SaaS
Salesforce is SOC 2 Type II compliant with annual independent audits. The report covers Sales Cloud, Service Cloud, Marketing Cloud, Salesforce Platform, and other products. Access reports through the Salesforce Trust portal.
GDPR
Google Analytics
Web Analytics
Google Analytics 4 (GA4) can be GDPR compliant when configured with consent mode, IP anonymization, EU data storage, and a proper cookie consent banner. However, some EU DPAs have taken stricter positions, so the compliance picture is still evolving. Always implement a consent management platform and review your specific DPA's guidance.
Mailchimp
Email Marketing
Mailchimp is GDPR compliant when you enable GDPR fields in signup forms, implement double opt-in, sign the data processing addendum, and properly handle consent and data subject requests. As a US-based processor, it relies on the EU-US Data Privacy Framework for international transfers.
HubSpot
Marketing & CRM
HubSpot is GDPR compliant when you enable GDPR tools in account settings. HubSpot provides built-in consent management, cookie banners, lawful basis tracking, DPA, and DSAR tools. GDPR features must be manually enabled — they are not active by default.
PCI DSS
Stripe
Payment Processing
Stripe is PCI DSS Level 1 certified, the highest level of PCI compliance available. Stripe processes hundreds of billions of dollars annually and undergoes annual PCI audits by qualified security assessors. Using Stripe with its recommended integration (Stripe.js/Elements) reduces your PCI scope to SAQ A or SAQ A-EP.
Shopify
E-Commerce
Shopify is PCI DSS Level 1 compliant across all plans — including Basic, Shopify, and Advanced. Every Shopify store automatically benefits from PCI certification without any additional configuration. Shopify handles all card data storage and processing on their certified infrastructure.