Is Your Tool Compliant?
Detailed compliance assessments for popular SaaS tools and platforms. Find out if the tools you use meet HIPAA, SOC 2, GDPR, and PCI DSS requirements — and what you need to configure.
HIPAA
Zoom
Video Conferencing
Zoom is HIPAA compliant only when you sign a BAA with Zoom and enable required security settings. The free and Pro plans do not qualify. You must use Zoom for Healthcare or a Business+ plan with the BAA executed.
Google Meet
Video Conferencing
Google Meet is HIPAA compliant when used through Google Workspace (Business, Enterprise, or specific education/nonprofit tiers) with a signed BAA. The free consumer version of Google Meet is not HIPAA compliant.
GoDaddy
Web Hosting
GoDaddy is NOT HIPAA compliant. GoDaddy does not offer a BAA, does not provide the technical safeguards required for PHI, and its terms of service do not address HIPAA requirements at all. Do not use GoDaddy for any application that handles protected health information.
HIPAA-Compliant CRM Software
CRM
Several CRM platforms can be HIPAA compliant with proper configuration. Salesforce Health Cloud is purpose-built for healthcare. HubSpot offers a BAA on Enterprise plans. Freshsales and Zoho CRM also offer BAAs. Always verify BAA availability and configure access controls before storing PHI.
HIPAA-Compliant Email Providers
Several email providers offer HIPAA-compliant email solutions. Paubox provides seamless encryption without requiring recipient action. Virtru adds encryption to Gmail and Outlook. Hushmail is designed for small healthcare practices. Google Workspace and Microsoft 365 can also be compliant with BAAs and proper configuration.
HIPAA-Compliant Cloud Storage
Cloud Storage
AWS S3, Azure Blob Storage, Google Cloud Storage, and Box all offer HIPAA-compliant cloud storage with signed BAAs. Each requires specific configuration including encryption, access controls, and audit logging to maintain compliance.
ChatGPT
AI Assistant
ChatGPT is HIPAA compliant ONLY on the Enterprise plan, where OpenAI signs a BAA and does not use your data for training. Free, Plus, and Team plans are NOT compliant and must never be used with PHI. The OpenAI API also supports BAAs for developers building healthcare applications.
Gmail
Free Gmail is NOT HIPAA compliant. Google Workspace Gmail (Business, Enterprise plans) is HIPAA compliant when you sign the BAA in the Admin Console and configure security settings. Even with Workspace, Gmail does not provide end-to-end encryption for external recipients without third-party add-ons.
Google Workspace
Productivity Suite
Google Workspace is HIPAA compliant when you sign the BAA in the Admin Console. Core services including Gmail, Drive, Meet, Docs, Sheets, Slides, Calendar, and Chat are all covered. However, additional Workspace services and third-party Marketplace apps may not be covered.
HIPAA-Compliant Video Conferencing
Video Conferencing
Several video conferencing platforms are HIPAA compliant with BAAs. Doxy.me is purpose-built for telehealth with no downloads required. Zoom for Healthcare offers a comprehensive BAA. Microsoft Teams and Google Meet are compliant through enterprise plans with BAAs. Each requires specific configuration.
HIPAA-Compliant Hosting Providers
Web Hosting
AWS, Microsoft Azure, Google Cloud Platform, Liquid Web, and Atlantic.Net all offer HIPAA-compliant hosting with BAAs. Major cloud providers require you to configure compliance yourself, while specialized providers offer pre-configured HIPAA hosting environments.
HIPAA-Compliant Telehealth Platforms
Telehealth
Purpose-built telehealth platforms like Doxy.me, SimplePractice, TheraNest, and VSee are all HIPAA compliant with included BAAs. The best choice depends on your practice size, specialty, and whether you need integrated EHR, billing, and scheduling features.
Slack
Team Messaging
Slack is HIPAA compliant ONLY on the Enterprise Grid plan with a signed BAA from Salesforce (Slack's parent company). Free, Pro, and Business+ plans do not qualify. Enterprise Grid provides the encryption, DLP, and admin controls required for HIPAA.
Dropbox
Cloud Storage
Dropbox is HIPAA compliant on Business Advanced and Enterprise plans with a signed BAA. Free, Plus, Professional, and Business Essentials plans are NOT compliant. Even on qualifying plans, you must configure sharing restrictions and access controls.
Microsoft Teams
Team Collaboration
Microsoft Teams is HIPAA compliant with a Microsoft 365 Business or Enterprise BAA. The BAA covers Teams messaging, video, file sharing, and integrations with other M365 services. Configuration of DLP, retention, and access controls is required.
Trello
Project Management
Trello is NOT HIPAA compliant. Atlassian does not offer a BAA for Trello, and the platform is not designed for handling protected health information. Do not use Trello for patient tracking, care coordination, or any workflow involving PHI.
SOC 2
AWS
Cloud Infrastructure
AWS is SOC 2 Type II compliant. AWS publishes annual SOC 2 Type II reports audited by independent firms. The reports cover AWS infrastructure security, availability, and confidentiality controls. However, your use of AWS does not make your application SOC 2 compliant — the shared responsibility model applies.
Google Cloud
Cloud Infrastructure
Google Cloud Platform is SOC 2 Type II compliant. Google publishes annual SOC 2 Type II reports covering Security, Availability, and Confidentiality Trust Services Criteria. Reports are available through the Google Cloud compliance reports manager.
Microsoft Azure
Cloud Infrastructure
Microsoft Azure is SOC 2 Type II compliant with annual audits covering 200+ services. Reports cover Security, Availability, Confidentiality, and Processing Integrity criteria. Access reports through the Service Trust Portal.
Salesforce
CRM / SaaS
Salesforce is SOC 2 Type II compliant with annual independent audits. The report covers Sales Cloud, Service Cloud, Marketing Cloud, Salesforce Platform, and other products. Access reports through the Salesforce Trust portal.
GDPR
Google Analytics
Web Analytics
Google Analytics 4 (GA4) can be GDPR compliant when configured with consent mode, IP anonymization, EU data storage, and a proper cookie consent banner. However, some EU DPAs have taken stricter positions, so the compliance picture is still evolving. Always implement a consent management platform and review your own DPA's guidance.
Mailchimp
Email Marketing
Mailchimp is GDPR compliant when you enable GDPR fields in signup forms, implement double opt-in, accept the data processing addendum, and properly handle consent and data subject requests. As a US-based processor, it relies on the EU-US Data Privacy Framework for international transfers.
HubSpot
Marketing & CRM
HubSpot is GDPR compliant when you enable GDPR tools in account settings. HubSpot provides built-in consent management, cookie banners, lawful basis tracking, DPA, and DSAR tools. GDPR features must be manually enabled — they are not active by default.
PCI DSS
Stripe
Payment Processing
Stripe is PCI DSS Level 1 certified — the highest level of PCI compliance available. Stripe processes hundreds of billions of dollars annually and undergoes annual PCI audits by qualified security assessors. Using Stripe with its recommended integration (Stripe.js/Elements) reduces your PCI scope to SAQ A or SAQ A-EP.
Shopify
E-Commerce
Shopify is PCI DSS Level 1 compliant across all plans — including Basic, Shopify, and Advanced. Every Shopify store automatically benefits from PCI certification without any additional configuration. Shopify handles all card data storage and processing on their certified infrastructure.
Generate compliance policies for your tool stack
PoliWriter creates HIPAA, SOC 2, GDPR, and PCI DSS policies customized to the tools and platforms you actually use. AI-powered, audit-ready, hours not months.