Methodology

How we decide whether a vendor will sign a HIPAA BAA — and why every claim carries a dated source.

What we answer

For each vendor we record one primary verdict: will it sign a HIPAA Business Associate Agreement (BAA) — yes, no, or only on certain plans — and whether you can store protected health information (PHI) in it. SOC 2 type, the trust center, and the sub-processor list are secondary fields.

How we source it

Every verdict is drawn from public, vendor-owned sources wherever possible: trust centers, security pages, BAA / HIPAA documentation, acceptable-use policies, and sub-processor lists. Each claim on a vendor page links the specific source it came from, with the date that source was published or last seen. Where a vendor page was unreachable, we fall back to a reputable secondary source and mark the confidence lower.

We deliberately do not infer BAA-willingness from a vendor merely "mentioning SOC 2" or marketing "bank-level security." A BAA is a specific signed contract; only a source that speaks to that contract counts.

Freshness

Each vendor carries a last-verified date. The dataset was last verified 2026-05-31. Vendor policies change — plan tiers get renamed, BAAs get added or pulled — so a verdict is a snapshot, not a permanent guarantee.

This is not legal advice

BAA Atlas provides cited information to speed up vendor procurement research. It is not legal or compliance advice, and a verdict here does not substitute for your own diligence. Always confirm the current BAA and PHI terms directly with the vendor before storing protected health information.