How to Map BAA Flow-Down Across Your SaaS Stack Without Missing a Subprocessor

Key Takeaways

A BAA with your covered entity client is necessary but not sufficient. Every subprocessor that touches PHI on your behalf also needs a BAA.

The most commonly missed BAA categories: analytics tools, error trackers, customer support platforms, AI services, and email or SMS providers.

Some major vendors (Google Workspace, AWS, Azure, Salesforce, Slack, Zoom) offer BAAs but require you to opt in or sign separately. Default contracts do not include them.

Keep a living subprocessor inventory with BAA status. Review it every time you add a new tool, every time a vendor renews, and at least quarterly.

HIPAA’s Business Associate Agreement (BAA) requirement is one of those rules that seems simple until you try to map it across a modern SaaS stack. You sign a BAA with your covered entity customer. You think you are covered. Then someone asks about your error tracker, your analytics tool, your AI service, your support platform, and the gaps appear fast.

This is the practical guide we use when mapping BAA flow-down for SaaS healthcare clients: what categories to think in, which vendors to triple-check, and how to keep the inventory current without it becoming a quarterly fire drill.

The Three Categories of Subprocessors HIPAA Covers

HIPAA’s BAA requirement applies to any vendor that creates, receives, maintains, or transmits PHI on your behalf. In practice, that means three categories of vendors:

Infrastructure (hosts the data): cloud providers, database services, backup and disaster recovery, file storage, search indices. AWS, GCP, Azure, MongoDB Atlas, Snowflake, Elastic Cloud all sit here.

Processing (touches the data in transit): analytics, AI services, payment processors, communications APIs, integration platforms, message queues. Segment, Mixpanel, OpenAI, Twilio, SendGrid, Datadog APM all sit here.

Observability and support (sees the data incidentally): error trackers, log aggregators, customer support tools, screen recording. Sentry, Datadog Logs, Intercom, FullStory, LogRocket all sit here.

The first category is obvious. The second category usually gets caught in a SOC 2 audit. The third category is where most year-one HIPAA gaps live.

The Vendors Most Often Missed in BAA Audits

Across the SaaS healthcare startups we have audited, the same blind spots show up repeatedly:

Email and SMS providers. SendGrid, Postmark, Mailgun, Twilio. If your appointment reminders, password resets, or notifications include PHI (and they usually do), these need BAAs.

AI services. OpenAI, Anthropic, and other LLM providers offer BAAs, but only on specific commercial tiers and only once a BAA has actually been executed; a default API key, a free tier, or a consumer account does not carry one. If you are sending PHI to a model, verify the plan and the signed agreement, not just that the vendor is BAA-eligible.

Customer support and screen recording tools. Intercom, Zendesk, FullStory, LogRocket. Anything that records or replays sessions can capture PHI by accident if your product surfaces patient data.

Analytics. Mixpanel, Amplitude, Segment, GA4. Event properties often carry patient IDs, appointment dates, or other thinly disguised PHI, and a patient identifier in a URL path lands in pageview data without anyone deciding to send it. The fix is either redacting at source (allowlist the properties you send, drop everything else) or signing a BAA.

Error tracking. Sentry, Rollbar, Bugsnag. Error trackers capture far more than the stack trace: local variable values, request bodies, headers, and the breadcrumbs leading up to the failure. PHI ends up in those payloads constantly. Either scrub before the event leaves your process or sign a BAA.

How to Get a BAA Signed With a Reluctant Vendor

Not every vendor will sign a BAA. Some have policy reasons. Some have not built the legal infrastructure. Some are just too small to risk it.

Your options, in order of preference: (1) escalate to the vendor's enterprise plan, where BAAs are usually standard; (2) configure the vendor to never receive PHI (redaction at source, an allowlist of fields), which takes it out of business associate scope entirely, provided you can show the control actually works, since a policy that says "don't log PHI" is not a control; (3) replace the vendor with a competitor that signs BAAs; (4) accept the risk in writing and document it in your risk register, only if the vendor's exposure is genuinely minimal.
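Option (2) above, and the "redact at source" fixes in the analytics and error-tracking entries, come down to one pattern: decide which keys may leave your process, replace everything else, and run a regex pass over the free text that survives. The scrubber below is an added example written for this post, not code from any vendor SDK or from the authors' tooling. It assumes JSON-like event dicts, a SAFE_KEYS list you maintain yourself, and a constructed sample event; before_send mirrors the shape of hooks such as Sentry's before_send(event, hint), but check your own SDK's hook signature before wiring it in.

```python
"""Allowlist-based PHI scrubber for analytics events and error-tracker payloads.

Added example for this post, not a vendor SDK and not the authors' tooling.
Assumptions: events are JSON-like dicts, and you know which keys are safe to
export. Unknown keys are replaced rather than forwarded, so a field a developer
adds next sprint fails closed instead of leaking.
"""
import re
from typing import Any

REDACTED = "[redacted]"

# Keys safe to send to a vendor without a BAA. Assumption for this example:
# your own schema decides this list, and it is short on purpose.
SAFE_KEYS = {
    "event", "timestamp", "environment", "release", "level",
    "transaction", "status_code", "duration_ms", "tenant_id", "message",
}
# Safe keys that hold free text, which still gets a pattern pass.
FREE_TEXT_KEYS = {"message", "transaction"}

# PHI that leaks into free text even when the key itself is harmless.
PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                                # SSN
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),                         # email
    re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),  # US phone
    re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),                   # medical record number
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),                                # dates (DOB, visit)
]


def scrub_text(text: str) -> tuple[str, int]:
    """Replace PHI-shaped substrings; return (clean_text, number_of_hits)."""
    hits = 0
    for pattern in PATTERNS:
        text, n = pattern.subn(REDACTED, text)
        hits += n
    return text, hits


def scrub_event(event: Any, path: str = "") -> tuple[Any, list[str]]:
    """Return a scrubbed copy of `event` plus the key paths that were touched.

    Dicts: keys not in SAFE_KEYS are replaced wholesale, so a nested `patient`
    object disappears as one unit. Lists: each element is scrubbed in turn.
    Strings under free-text keys get the regex pass; other scalars pass through.
    """
    touched: list[str] = []
    if isinstance(event, dict):
        out: dict = {}
        for key, value in event.items():
            here = f"{path}.{key}" if path else key
            if key not in SAFE_KEYS:
                out[key] = REDACTED
                touched.append(here)
            elif isinstance(value, (dict, list)):
                out[key], sub = scrub_event(value, here)
                touched.extend(sub)
            elif key in FREE_TEXT_KEYS and isinstance(value, str):
                out[key], hits = scrub_text(value)
                if hits:
                    touched.append(f"{here} ({hits} pattern hits)")
            else:
                out[key] = value
        return out, touched
    if isinstance(event, list):
        items = []
        for i, item in enumerate(event):
            cleaned, sub = scrub_event(item, f"{path}[{i}]")
            items.append(cleaned)
            touched.extend(sub)
        return items, touched
    return event, touched


def before_send(event: dict, hint: Any = None) -> dict:
    """Wrapper in the shape of an SDK hook such as Sentry's before_send(event, hint).
    Assumption: confirm your own SDK's hook signature before registering this."""
    scrubbed, _ = scrub_event(event)
    return scrubbed


# Constructed sample event; not captured from a real system.
SAMPLE_EVENT = {
    "event": "appointment_reminder_failed",
    "timestamp": "2024-05-01T12:00:00Z",
    "environment": "production",
    "level": "error",
    "status_code": 502,
    "tenant_id": "clinic-042",
    "message": "SMS to 555-867-5309 bounced for MRN 00481516, DOB 1979-03-14",
    "patient": {"name": "Jane Doe", "email": "jane@example.com"},
    "request_body": {"notes": "follow-up for hypertension"},
    "breadcrumbs": [{"category": "http", "data": {"url": "/patients/00481516"}}],
}

if __name__ == "__main__":
    clean, touched = scrub_event(SAMPLE_EVENT)
    print(clean)
    print("redacted:", touched)
```

The design choice that matters is the allowlist: a denylist of known-bad keys (`ssn`, `dob`, `patient_name`) fails open the first time someone adds `guardian_contact`, while an allowlist fails closed. Log the `touched` paths (they are key names, not values) so you can see which code paths keep trying to ship PHI and fix them upstream.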

Option 4 is a last resort and OCR will challenge it. Every accepted-risk vendor needs an annual review and a written justification.

Building a Living Subprocessor Inventory

The inventory does not need to be sophisticated. A spreadsheet works. Columns: vendor name, what they touch (data category), category (infrastructure / processing / observability), BAA status (signed, pending, exempt with justification), date of last review, owner.

The inventory becomes part of your quarterly compliance cadence. Engineering reviews it for vendor changes, legal reviews it for BAA status, and the compliance owner signs off. This is the document that gets requested in every HIPAA risk assessment and every covered entity due diligence.
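The quarterly review described above is mechanical enough to script. The check below is an added example written for this post, not a tool the authors ship: it assumes the spreadsheet columns listed above exported as CSV, a `justification` column for exempt rows, dates as YYYY-MM-DD, and a constructed sample inventory. It flags exactly the rows an auditor would stop on: no executed BAA, an exemption with no written justification, no owner, or a review older than the 90-day window.

```python
"""Quarterly gap check over a subprocessor inventory CSV.

Added example for this post (not a tool the authors ship). Assumes the
inventory columns described in the text, exported as CSV, with a
`justification` column for exempt rows and dates as YYYY-MM-DD.
The sample rows below are constructed, not a real client's inventory.
"""
import csv
import io
from datetime import date, datetime, timedelta

REVIEW_WINDOW = timedelta(days=90)          # quarterly cadence from the text
ACCEPTABLE_STATUS = {"signed", "exempt"}    # anything else is an open gap

# Pinned so the output is reproducible; use date.today() in production.
AS_OF = date(2024, 5, 1)

# Constructed sample inventory (assumption: these columns, this status vocabulary).
INVENTORY_CSV = """\
vendor,data_touched,category,baa_status,justification,last_review,owner
AWS,PHI at rest and backups,infrastructure,signed,,2024-03-15,platform
Sentry,error payloads with request bodies,observability,pending,,2024-01-10,eng
Mixpanel,product events with patient_id,processing,exempt,,2023-11-01,product
SendGrid,appointment reminder emails,processing,,,2024-04-02,eng
Slack,internal chat,observability,exempt,no PHI; DLP rule blocks patient fields,2024-04-20,it
"""


def check_inventory(csv_text: str, as_of: date) -> list[tuple[str, str]]:
    """Return (vendor, finding) pairs for every row that would not survive an audit."""
    findings: list[tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = row["vendor"].strip()
        status = row["baa_status"].strip().lower()

        # A blank or "pending" status is still no BAA as far as OCR is concerned.
        if status not in ACCEPTABLE_STATUS:
            findings.append((vendor, f"no executed BAA (status: {status or 'blank'})"))

        # "Exempt" is only defensible with the written justification next to it.
        if status == "exempt" and not row["justification"].strip():
            findings.append((vendor, "exempt without written justification"))

        if not row["owner"].strip():
            findings.append((vendor, "no owner assigned"))

        try:
            last = datetime.strptime(row["last_review"].strip(), "%Y-%m-%d").date()
        except ValueError:
            findings.append((vendor, "last_review missing or malformed"))
            continue
        age = as_of - last
        if age > REVIEW_WINDOW:
            findings.append((vendor, f"review stale ({age.days} days)"))
    return findings


if __name__ == "__main__":
    for vendor, finding in check_inventory(INVENTORY_CSV, AS_OF):
        print(f"{vendor:10} {finding}")
```

Run it from CI on the exported sheet and fail the pipeline on any finding; that turns the quarterly review from a calendar reminder into a gate, and it gives procurement a concrete artifact to attach when a new vendor is proposed.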

Set up procurement to require BAA confirmation before any new vendor onboards. The cheapest fix is preventing the gap, not closing it after.

Frequently Asked Questions

Do we need a BAA with our cloud provider if we encrypt everything?

Yes. Encryption protects confidentiality, but a cloud provider that stores or transmits ePHI on your behalf is a business associate even if it never holds the decryption key; HHS's cloud computing guidance is explicit on that point. AWS, GCP, and Azure all have BAA programs and require you to enroll. Encryption is not a substitute for a BAA.

Does sending PHI to an LLM require a BAA?

Yes. Sending PHI to an LLM provider makes that provider a business associate regardless of whether it retains the prompts or trains on them; retention and training settings change your exposure, not the BAA requirement. Major providers offer BAA-eligible plans (OpenAI ChatGPT Enterprise and API platform, Anthropic enterprise tier, Azure OpenAI). Free API tiers and consumer accounts do not include BAAs.

What if a vendor refuses to sign our BAA but offers their own template?

A vendor's standard BAA template is usually acceptable as long as it covers the terms 45 CFR 164.504(e) requires: permitted uses and disclosures, appropriate safeguards, reporting of breaches and security incidents, subcontractor flow-down, return or destruction of PHI at termination, and making its books and records available to HHS. Review it once, redline if necessary, then sign.

How often should we review the BAA inventory?

Quarterly at minimum, plus any time you add a vendor or a vendor changes ownership. Annual full review with sign-off from the compliance owner.

Where to Go From Here

BAA flow-down mapping is one of the seven HIPAA gaps we cover in a Compliance Snapshot. If you want a structured pass through your subprocessor inventory plus the other six common year-one gaps, a Snapshot is the fastest way to get a roadmap.

Leave a comment or reach out at hello@tailoredcompliancesolutions.com if you want to compare notes on a particular vendor or category.

Related Services

Compliance Snapshot: 10-hour HIPAA gap assessment that maps BAA inventory and the other 6 year-one gaps.

The Reverse Compliance Runway: 90-day bundled path from current state to HIPAA audit-ready, BAA flow-down included.

Embedded Principal: ongoing fractional compliance ownership for healthcare SaaS teams.

Recommended Reads

HHS guidance on Business Associate Agreements: hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions

AWS HIPAA Eligible Services list and AWS BAA enrollment portal

OpenAI ChatGPT Enterprise and API platform BAA documentation; Anthropic Trust Center for enterprise BAA terms
