A Business Associate Agreement (BAA) is a contract required by HIPAA (the US Health Insurance Portability and Accountability Act) between a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and a business associate (any vendor that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf).
If you are a medical practice, dental clinic, therapy service, or any other entity regulated by HIPAA, and you use a third-party email service to send, receive, or store patient health information, that email provider is a business associate and must sign a BAA with you before any PHI goes through its systems.
Which email providers sign BAAs?
| Provider | BAA available | Notes |
|---|---|---|
| Google Workspace | Yes | Standard process via Admin Console |
| Microsoft 365 | Yes | Business Basic and above |
| Zoho Workplace | Conditional | Only on Enterprise tier; standard tiers: no |
| Fastmail | No | Explicitly not available |
| Proton Mail | No | Explicitly not available |
| Hostinger | No | Not available |
| Namecheap | No | Not available |
| GoDaddy | No | Not available |
Of the providers listed, only Google Workspace and Microsoft 365 are reliable choices for HIPAA-covered email. All others either do not sign BAAs at all or only do so conditionally at enterprise pricing. "BAA available" is necessary but not sufficient: the agreement still has to be executed (accepted in the admin console or countersigned) by your organization, and coverage is limited to the services the BAA names.
What a BAA requires
Under 45 CFR 164.504(e), a BAA must:
- Describe the permitted and required uses and disclosures of PHI by the business associate, and prohibit any other use or disclosure
- Require the business associate to use appropriate safeguards and to comply with the HIPAA Security Rule for electronic PHI (encryption at rest and in transit is an "addressable" specification in the Security Rule, but in practice every major provider's BAA relies on it)
- Require reporting of any use or disclosure not permitted by the contract, including breaches of unsecured PHI
- Ensure subcontractors that handle PHI are bound by equivalent agreements
- Require the return or destruction of PHI when the agreement ends, where feasible
Google Workspace’s BAA covers Gmail, Google Drive, Google Meet, and other Workspace services for PHI. Microsoft 365’s BAA covers Exchange Online, SharePoint, Teams, and OneDrive.
The encryption-is-not-enough misconception
A common mistake: assuming that because Proton Mail offers end-to-end encryption and Google Workspace does not, it is the better choice for HIPAA compliance. This is incorrect. HIPAA compliance is a legal and contractual requirement as well as a technical one, and the contractual part cannot be satisfied by encryption. Proton Mail explicitly does not sign BAAs, so an encrypted inbox there is not HIPAA-compliant for a covered entity, no matter how strong the cryptography. The reverse caveat also applies: a signed BAA does not make every workflow compliant. PHI must stay within the services the BAA covers, and the covered entity still owes its own risk analysis, access controls, and audit logging under the Security Rule.
SRA compliance (UK law firms)
UK solicitors are bound by SRA (Solicitors Regulation Authority) rules on client confidentiality. The SRA does not require a BAA equivalent, but it does require firms to take reasonable steps to protect client communications. For law firms handling sensitive client correspondence, Google Workspace or Microsoft 365, with their documented security frameworks and standard DPAs, provide a more defensible audit position than budget shared-IP hosts, which typically publish neither.
GDPR Article 28 note
GDPR Article 28 requires a controller to have a written contract, commonly called a Data Processing Agreement (DPA), with any processor handling personal data of individuals in the EU. It is similar in structure to a BAA (permitted processing, security measures, breach notification, sub-processor flow-down, deletion or return at the end of the contract) but applies to all personal data, not just health information. Both Google Workspace and Microsoft 365 provide standard DPAs that customers accept as part of their terms.
See also: Data Processing Agreement (DPA) and GDPR Article 28.