BBAA Atlas

Is GitHub HIPAA compliant?

Developer platform · vendor site ↗

BAA on select plansPHI with conditions
Will GitHub sign a HIPAA BAA?
Sometimes — GitHub signs a HIPAA BAA only on specific plans or add-ons.
GitHub (Microsoft-owned) does not offer a BAA on GitHub.com Free/Pro/Team plans; a HIPAA BAA covering GitHub Enterprise is obtained through Microsoft's enterprise agreement channel and Online Services Terms.
PHI eligibility
PHI should never be placed in standard-plan repos; it is permissible only under a Microsoft-executed BAA covering GitHub Enterprise services.
SOC 2
Not publicly confirmed
Trust center
github.com
Sub-processors
Notes
GitHub does not publish an authoritative HIPAA/BAA page on its own domain; the Enterprise-via-Microsoft path should be confirmed with a Microsoft account rep.
Last verified 2026-05-31confidence: low· Vendor terms change — confirm directly with GitHub before storing PHI.

Get notified when this changes

We track GitHub's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with GitHub

Sometimes — GitHub signs a HIPAA BAA only on specific plans or add-ons.

Request routeBy request — via trust center or support
  1. 1
    Get on a qualifying plan
    GitHub (Microsoft-owned) does not offer a BAA on GitHub.com Free/Pro/Team plans; a HIPAA BAA covering GitHub Enterprise is obtained through Microsoft's enterprise agreement channel and Online Services Terms.
  2. 2
    Request the Business Associate Agreement
    GitHub provides the BAA on request. Open a request through GitHub's trust center and ask for the current Business Associate Agreement covering your plan.
  3. 3
    Confirm what PHI is allowed before you store any
    PHI should never be placed in standard-plan repos; it is permissible only under a Microsoft-executed BAA covering GitHub Enterprise services. Match your configuration to this scope before putting protected health information into GitHub.
Before you sign — watch for
  • No BAA on the free / consumer tier — you must be on a qualifying paid plan first.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with GitHub before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does GitHub sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — GitHub signs a HIPAA BAA only on specific plans or add-ons. GitHub (Microsoft-owned) does not offer a BAA on GitHub.com Free/Pro/Team plans; a HIPAA BAA covering GitHub Enterprise is obtained through Microsoft's enterprise agreement channel and Online Services Terms.
Is GitHub HIPAA compliant?
GitHub can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). PHI should never be placed in standard-plan repos; it is permissible only under a Microsoft-executed BAA covering GitHub Enterprise services.
Can you store PHI (protected health information) in GitHub?
PHI should never be placed in standard-plan repos; it is permissible only under a Microsoft-executed BAA covering GitHub Enterprise services.
Is GitHub SOC 2 certified?
We could not confirm a public SOC 2 report for GitHub. SOC 2 is separate from a HIPAA BAA — confirm both directly with GitHub.
How do I request a HIPAA BAA from GitHub?
GitHub provides the BAA on request. Open a request through GitHub's trust center and ask for the current Business Associate Agreement covering your plan. Confirm current terms directly with GitHub before storing PHI.
What plan do I need to sign a BAA with GitHub?
GitHub (Microsoft-owned) does not offer a BAA on GitHub.com Free/Pro/Team plans; a HIPAA BAA covering GitHub Enterprise is obtained through Microsoft's enterprise agreement channel and Online Services Terms.

Sources

GitHub Trust Center
https://github.com/trust-center
Supports: GitHub's own trust page does not publish a HIPAA/BAA statement, confirming no self-service BAA on standard plansdated: undated
HIPAA & HITECH Act — Microsoft Compliance
https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech
Supports: Microsoft's HIPAA BAA covers in-scope enterprise online services, the channel through which GitHub Enterprise coverage is obtaineddated: 2026-04-08
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with GitHub before processing protected health information.

Check another vendor

SupabaseBAA on select plansActiveCampaignBAA on select plansAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plansAircallSigns a BAAAirtableBAA on select plans

See all HIPAA compliant cloud infrastructure & hosting
Browse all 105 vendors by category →