45 CFR § 164.504(e) — Business Associate Agreements
All listed vendors offer or support Business Associate Agreements (BAAs) as required under 45 CFR § 164.504(e). A BAA is a legally required written contract that must be in place before any business associate creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. Covered entities that share PHI with a vendor without a valid, executed BAA are in direct violation of HIPAA and subject to OCR civil money penalties of up to $50,000 per violation under 45 CFR § 160.404.
🔒 Compliancy Group — The Guard
✓ BAA Available
Compliance Software
OCR Audit-Ready
End-to-end HIPAA compliance management platform covering the full OCR Phase 2 Audit Protocol. The Guard centralizes risk analysis, policy and procedure management, workforce training, vendor management, incident tracking, and remediation workflows in a single SaaS platform. Designed specifically to produce the documentation artifacts required during an OCR investigation or audit.
- Guided risk analysis workflow satisfying 45 CFR § 164.308(a)(1)(ii)(A)
- Automated policy library with versioning and staff attestation tracking
- Vendor BAA management module with contract repository and renewal alerts
Regulatory Relevance: 45 CFR § 164.308(a)(1) — Risk Analysis & Management; § 164.308(a)(8) — Evaluation
🔒 Accountable HQ
✓ BAA Available
Compliance Software
HIPAA compliance automation platform built for small to mid-size healthcare practices and health-tech startups. Accountable HQ provides risk assessments, customizable policy templates, automated workforce training delivery, and business associate agreement management with digital signature workflows.
- Automated annual risk assessment with gap analysis and remediation tasks
- 50+ customizable HIPAA policy templates covering Privacy and Security Rules
- Incident and breach tracking workflow with HHS notification checklist
Regulatory Relevance: 45 CFR § 164.308(a)(1) — Risk Analysis; § 164.308(a)(6) — Security Incident Procedures
🔒 HIPAA One — Automated Security Risk Analysis
✓ BAA Available
Compliance Software
OCR Audit-Ready
Enterprise-grade HIPAA risk analysis and compliance management software recognized by HHS for alignment with the NIST Cybersecurity Framework and NIST SP 800-30. Provides automated security risk analysis, remediation planning, and compliance documentation suitable for multi-site healthcare systems and ACOs.
- Automated SRA aligned with HHS Security Risk Assessment Tool guidance
- NIST SP 800-30 risk scoring methodology with threat and vulnerability catalog
- Multi-location and enterprise rollup reporting for health systems
Regulatory Relevance: 45 CFR § 164.308(a)(1)(ii)(A) — Risk Analysis (Required); HHS SRA Tool Guidance 2024
⚠️ Failure to Conduct a Risk Analysis Is Among the Most Common OCR Enforcement Findings
45 CFR § 164.308(a)(1)(ii)(A) requires all covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. OCR has cited failure to conduct or document a risk analysis as the primary finding in dozens of enforcement actions totaling hundreds of millions in penalties. A risk analysis is a required — not addressable — implementation specification.
🔒 Healthie — API-First EHR
✓ BAA Available
EHR / EMR
API-first, HIPAA-compliant EHR and practice management platform designed for digital health companies, group practices, and direct-to-consumer healthcare startups. Offers fully integrated telehealth, scheduling, billing, client portal, and e-prescribing within a single compliant architecture. BAA provided on all plan tiers.
- Full EHR with clinical documentation, e-prescribing, and lab integrations
- Built-in telehealth with HIPAA-compliant video and messaging
- SOC 2 Type II certified with role-based access controls and audit logs
Regulatory Relevance: 45 CFR § 164.312(b) — Audit Controls; § 164.308(a)(4) — Information Access Management
🔒 DrChrono — EHR & Medical Billing
✓ BAA Available
EHR / EMR
Cloud-based EHR, medical billing, and practice management platform certified under ONC Health IT. DrChrono provides fully customizable clinical note templates, real-time insurance eligibility verification, automated medical billing, and a HIPAA-compliant patient portal. BAA executed at account setup.
- ONC Health IT certified EHR with iOS-native mobile documentation
- Integrated medical billing with 98.8% first-pass claim acceptance rate
- HIPAA-compliant patient portal with encrypted messaging and document sharing
Regulatory Relevance: 45 CFR § 164.312(a)(1) — Unique User Identification; § 164.312(c) — Integrity Controls
🔒 SimplePractice — EHR for Health & Wellness Providers
✓ BAA Available
EHR / EMR
Leading EHR and practice management platform for independent behavioral health, mental health, and allied health professionals. Provides HIPAA-compliant intake forms, telehealth, scheduling, billing, claims, and a client-facing portal. BAA included with all plans. Used by over 185,000 practitioners.
- HIPAA-compliant telehealth integrated natively into the EHR workflow
- Automated insurance billing with ERA posting and Explanation of Benefits
- Paperless intake with digital consent forms, assessments, and e-signatures
Regulatory Relevance: 45 CFR § 164.312(d) — Person or Entity Authentication; § 164.504(e) — BAA
🔒 Doxy.me
✓ BAA Available
Telehealth
Purpose-built HIPAA-compliant telemedicine platform. End-to-end encrypted video sessions require no app download for patients — accessible directly from any web browser. BAA available for all subscription tiers including the free plan, making enterprise-grade telehealth compliance accessible to solo practitioners. Widely adopted by behavioral health, primary care, and specialty providers.
- Browser-based WebRTC video with AES-128 encryption in transit
- Virtual waiting room with customizable provider branding
- Group video sessions, screen sharing, and file transfer — all HIPAA-compliant
Regulatory Relevance: 45 CFR § 164.312(e)(1) — Transmission Security; § 164.312(e)(2)(ii) — Encryption (Addressable)
🔒 Zoom for Healthcare
✓ BAA Available
Telehealth
Zoom for Healthcare is a HIPAA-enabled version of the Zoom platform with a Business Associate Agreement. Provides end-to-end encrypted video consultations, secure messaging, and virtual event capabilities. The healthcare BAA must be executed separately — standard Zoom accounts are NOT HIPAA-compliant. Requires additional technical safeguards such as disabling cloud recording of PHI-containing sessions.
- 256-bit AES-GCM encryption for video, audio, and screen sharing in transit
- HIPAA-specific account settings including logging and audit trail controls
- EHR integration via Epic, Cerner, and Athenahealth for in-workflow telehealth
Regulatory Relevance: 45 CFR § 164.312(e)(2)(ii) — Encryption; § 164.312(b) — Audit Controls
🔒 Kareo — Medical Billing & Practice Management
✓ BAA Available
Medical Billing
Cloud-based medical billing, EHR, and practice management platform for independent practices. Kareo handles the full revenue cycle: eligibility verification, claim submission, denial management, payment posting, and patient statements — all within a HIPAA-compliant environment with BAA provided.
- Automated eligibility checks and real-time claim scrubbing before submission
- Integrated denial management with root-cause analytics and resubmission workflows
- HIPAA 5010 EDI-compliant 837P/I claim submissions to all major payers
Regulatory Relevance: 45 CFR § 164.504(e) — BAA; 45 CFR § 162.923 — Transaction and Code Set Standards
🔒 AdvancedMD — Medical Billing & EHR
✓ BAA Available
Medical Billing
Enterprise-Grade
Comprehensive practice management, EHR, and medical billing platform for specialty and multi-site practices. AdvancedMD offers a fully integrated revenue cycle management suite with AI-powered coding recommendations, automated prior authorizations, telemedicine, and HIPAA-compliant patient engagement tools.
- AI-assisted ICD-10, CPT, and modifier recommendations at the point of care
- Automated prior authorization workflows with payer connectivity
- Comprehensive audit trails for all PHI access events across the platform
Regulatory Relevance: 45 CFR § 164.312(b) — Audit Controls; § 162.923 — Transaction Standards
🔒 Microsoft Azure — HIPAA/HITECH Compliant Cloud
✓ BAA Available
Cloud Storage
Enterprise
Microsoft Azure provides a comprehensive HIPAA/HITECH BAA for covered entities and business associates. Azure Health Data Services offers FHIR-compliant APIs, DICOM imaging support, AES-256 encryption at rest, TLS 1.2+ for all data in transit, granular role-based access controls (RBAC), and detailed audit logs through Azure Monitor and Microsoft Sentinel. Among the most widely deployed HIPAA cloud infrastructure platforms in enterprise healthcare.
- AES-256 encryption at rest; TLS 1.2/1.3 for all data in transit
- FHIR R4-compliant Azure Health Data Services with audit logging
- FedRAMP High authorized; HITRUST CSF certified; ISO 27001 compliant
Regulatory Relevance: 45 CFR § 164.312(a)(1) — Access Controls; § 164.312(b) — Audit Controls; § 164.312(c)(1) — Integrity
🔒 Amazon Web Services (AWS) — Healthcare & Life Sciences
✓ BAA Available
Cloud Storage
Enterprise
AWS offers a BAA covering over 170 HIPAA-eligible services, making it one of the broadest HIPAA cloud coverage footprints available. AWS HealthLake, Amazon S3 with server-side encryption, and AWS CloudTrail for audit logging are the foundational services for HIPAA workloads. Customers retain responsibility for configuring HIPAA-eligible services correctly — the Shared Responsibility Model applies.
- 170+ HIPAA-eligible services covered under the AWS BAA
- AWS HealthLake: FHIR R4-compliant data store with natural language processing
- AWS CloudTrail provides immutable, tamper-evident API audit logs for all PHI events
Regulatory Relevance: 45 CFR § 164.312(b) — Audit Controls; § 164.312(c) — Integrity; § 164.312(e)(2) — Encryption
🔒 Box for Healthcare
✓ BAA Available
Cloud Storage
Box provides HIPAA-compliant cloud content management with BAA available on Business and Enterprise plans. Healthcare organizations use Box for secure document management, clinical collaboration, and patient-facing portals. Box Shield adds automated malware detection and anomalous access alerts. HITRUST CSF certified.
- AES-256 encryption at rest; TLS 1.2+ in transit with perfect forward secrecy
- Granular access controls, watermarking, and information rights management
- Box Shield: AI-powered threat detection and PHI classification
Regulatory Relevance: 45 CFR § 164.312(a)(1) — Access Controls; § 164.312(c)(2) — Integrity Mechanisms
45 CFR § 164.312(c)(1) — Integrity (Required Implementation Specification)
Covered entities and business associates must implement policies and procedures to protect ePHI from improper alteration or destruction. This includes implementing electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner (§ 164.312(c)(2) — Addressable). All cloud storage providers listed in this directory support integrity controls including checksums, versioning, and access logging to satisfy this requirement.
🔒 Virtru — Healthcare Email & Data Encryption
✓ BAA Available
Security & Encryption
End-to-end email and data encryption platform purpose-built for healthcare compliance. Integrates natively with Gmail and Microsoft 365 to enforce encryption policies for outbound PHI, with access revocation, forwarding controls, message expiration, and granular audit logging. Addresses the transmission security addressable specification without requiring recipients to install software.
- AES-256 end-to-end encryption with persistent protection that follows the data
- Sender retains ability to revoke access to sent emails at any time
- Detailed audit logs: who accessed, from where, and when — satisfying § 164.312(b)
Regulatory Relevance: 45 CFR § 164.312(e)(2)(ii) — Encryption & Decryption (Addressable); § 164.312(b) — Audit Controls
🔒 Paubox — HIPAA Email Encryption
✓ BAA Available
Security & Encryption
Zero-effort HIPAA-compliant email platform that encrypts every outbound email automatically — no portals, no passwords for recipients. Works as a Microsoft 365 or Google Workspace add-on. Paubox encrypts all emails containing PHI using TLS 1.2/1.3 with AES-256, delivering directly to the recipient's standard inbox while maintaining HIPAA compliance.
- Automatic encryption of all outbound emails — no user action required
- Inbound email filtering with HIPAA-compliant spam and malware blocking
- Email marketing module (Paubox Marketing) for PHI-safe patient outreach
Regulatory Relevance: 45 CFR § 164.312(e)(1) — Transmission Security; § 164.312(e)(2)(ii) — Encryption (Addressable)
🔒 KnowBe4 Healthcare Security Awareness
✓ BAA Available
HIPAA Training
OCR Workforce Req.
Healthcare-specific security awareness training platform with role-based HIPAA training modules, phishing simulation campaigns, and automated training assignment workflows. Provides workforce attestation records and completion reports suitable for OCR audit documentation demonstrating compliance with the Security Awareness and Training required implementation specification.
- HIPAA-specific training library with role-based modules (clinical, administrative, IT)
- Automated phishing simulation and remedial training assignment workflows
- Compliance reports and attestation records for OCR audit documentation
Regulatory Relevance: 45 CFR § 164.308(a)(5)(i) — Security Awareness and Training (Required); § 164.308(a)(5)(ii)(A)–(D)
🔒 Netsmart myAvatar HIPAA Training Suite
✓ BAA Available
HIPAA Training
HIPAA and behavioral health compliance training platform covering Privacy Rule, Security Rule, and HITECH requirements. Designed specifically for behavioral health, substance use disorder treatment, and human services organizations. Includes annual HIPAA training courses, competency assessments, and documentation for workforce management records under 45 CFR § 164.308(a)(5).
- Annual HIPAA Privacy and Security Rule training with documented completion
- Behavioral health-specific modules for 42 CFR Part 2 (SUD records) compliance
- Learning management system (LMS) integration for enterprise-wide deployment
Regulatory Relevance: 45 CFR § 164.308(a)(5) — Workforce Training; § 164.530(b) — Privacy Workforce Training
🔒 Shareable Ink — BAA Management & Contract Repository
✓ BAA Available
BAA Management
Dedicated business associate agreement management platform for healthcare organizations managing multiple vendor relationships. Provides a centralized BAA repository, expiration tracking, renewal alerts, e-signature workflows, and audit trails for all BAA execution events. Designed to eliminate the common OCR finding of undocumented or expired business associate agreements.
- Centralized BAA repository with version control and expiration date tracking
- Automated renewal alerts 90, 60, and 30 days before BAA expiration
- E-signature workflow with DocuSign integration and complete execution audit trail
Regulatory Relevance: 45 CFR § 164.504(e)(1) — BAA Required Elements; § 164.308(a)(1) — Risk Management Documentation
🔒 Sprinto — Automated Compliance & BAA Workflow
✓ BAA Available
BAA / Compliance
Automated compliance platform supporting HIPAA, SOC 2, ISO 27001, and GDPR with integrated vendor risk management and BAA tracking. Sprinto continuously monitors entity controls mapped to HIPAA requirements and surfaces compliance gaps in real time, enabling healthcare technology companies to maintain audit-ready HIPAA compliance at scale.
- Automated control monitoring mapped to all HIPAA Security Rule specifications
- Vendor risk assessment with integrated BAA request and tracking workflows
- Real-time compliance dashboard with OCR-audit-ready evidence collection
Regulatory Relevance: 45 CFR § 164.504(e) — BAA; § 164.308(a)(1)(ii)(B) — Risk Management
🔒 CrowdStrike Falcon for Healthcare
✓ BAA Available
IT Security / EDR
Enterprise
Enterprise endpoint detection and response (EDR) and cybersecurity platform widely deployed in healthcare systems, hospital networks, and health insurance organizations. CrowdStrike Falcon provides real-time threat detection, AI-powered behavioral analytics, and 24/7 managed threat hunting. Directly addresses the requirement to protect ePHI from malware and ransomware — among the most common causes of healthcare data breaches.
- AI-native EDR with real-time ransomware and malware behavioral detection
- CrowdStrike Falcon OverWatch: 24/7 managed threat hunting with healthcare-specific intel
- Comprehensive incident response capability with forensic investigation support
Regulatory Relevance: 45 CFR § 164.308(a)(1)(ii)(B) — Risk Management; § 164.308(a)(5)(ii)(B) — Protection from Malicious Software
🔒 Tenable.io for Healthcare — Vulnerability Management
✓ BAA Available
IT Security / Vulnerability
Enterprise vulnerability management platform for healthcare organizations needing continuous scanning of clinical and administrative IT environments. Tenable.io identifies unpatched software, misconfigured devices, and IoT/OT medical device vulnerabilities — addressing the addressable specification for vulnerability scanning as part of the Security Management Process under 45 CFR § 164.308(a)(1).
- Continuous vulnerability scanning across IT, OT, and connected medical devices
- Risk-based vulnerability prioritization aligned with HIPAA risk management workflow
- Integration with patch management platforms for closed-loop remediation tracking
Regulatory Relevance: 45 CFR § 164.308(a)(1)(ii)(A) — Risk Analysis; § 164.308(a)(1)(ii)(B) — Risk Management
🔒 LogRhythm SIEM for Healthcare
✓ BAA Available
IT Security / SIEM
Security Information and Event Management (SIEM) platform with healthcare-specific compliance content packs for HIPAA, HITECH, and HITRUST. LogRhythm aggregates log data from EHR systems, network devices, and endpoints to provide centralized audit control visibility, anomaly detection, and automated alerting for PHI access events — directly addressing the Audit Controls required specification.
- Pre-built HIPAA compliance reports mapped to 45 CFR § 164.312(b) audit controls
- Real-time alerting on anomalous PHI access patterns and after-hours EHR queries
- Automated compliance reporting for OCR investigations and internal audits
Regulatory Relevance: 45 CFR § 164.312(b) — Audit Controls (Required); § 164.308(a)(1)(ii)(D) — Information System Activity Review
🔒 ID Experts — MyIDCare Breach Response
✓ BAA Available
Breach Response
Healthcare-focused breach response and identity protection services used by major health systems, health plans, and government agencies following HIPAA breach events. ID Experts provides end-to-end breach response including affected individual notification, credit and identity monitoring, resolution services, and regulatory compliance reporting to satisfy HHS notification requirements under 45 CFR §§ 164.404 and 164.408.
- HIPAA-compliant breach notification letters and individual notification fulfillment
- MyIDCare identity monitoring and resolution for breach-affected individuals
- HHS OCR breach reporting support and documentation for § 164.408 compliance
Regulatory Relevance: 45 CFR § 164.404 — Individual Notification; § 164.408 — Notification to HHS; § 164.406 — Media Notification
🔒 Solutionary — Healthcare Managed Security & Incident Response
✓ BAA Available
Breach Response
Incident Response
Managed security and incident response services for healthcare organizations needing 24/7 Security Operations Center (SOC) coverage. Provides breach investigation, digital forensics, containment, eradication, and recovery services with healthcare-specific expertise. Assists covered entities in conducting the required breach risk assessment under 45 CFR § 164.402 to determine whether a security incident constitutes a notifiable breach.
- 24/7 SOC monitoring with healthcare-specific threat intelligence and triage
- Digital forensics and breach scope investigation for OCR-compliant documentation
- Breach risk assessment under the four-factor test of 45 CFR § 164.402
Regulatory Relevance: 45 CFR § 164.402 — Breach Risk Assessment; § 164.308(a)(6) — Security Incident Procedures
🔒 Protenus — Healthcare Compliance Analytics
✓ BAA Available
Breach Response / Analytics
AI-powered healthcare compliance analytics platform that monitors EHR audit logs to detect insider threats, inappropriate PHI access, and policy violations before they become reportable breaches. Protenus analyzes every EHR access event and surfaces anomalous behavior — enabling healthcare organizations to investigate and address potential HIPAA violations proactively, reducing breach notification obligations.
- AI analysis of 100% of EHR access events — no sampling, full audit coverage
- Detection of insider snooping, VIP patient access, and inappropriate disclosures
- Automated investigation workflow with incident documentation for OCR defense
Regulatory Relevance: 45 CFR § 164.312(b) — Audit Controls; § 164.308(a)(1)(ii)(D) — Information System Activity Review