
Is Zapier HIPAA Compliant? No — No BAA on Any Plan (2026)

Zapier does not sign Business Associate Agreements on any plan. Using it to route patient data between healthcare apps creates direct HIPAA exposure. Here is what to use instead.

Patient Protect Editorial Team·May 6, 2026·7 min read
No. Zapier is not HIPAA compliant on any plan — Free, Starter, Professional, Team, or Company. Zapier does not sign Business Associate Agreements (BAAs) and does not market itself as a HIPAA-eligible service.

This matters because Zapier is everywhere. It is the default automation glue between thousands of business tools, and many healthcare practices wire it up to bridge their EHR, scheduling, billing, email, and CRM systems. Most do this without realizing that every patient record flowing through Zapier is a disclosure of PHI to a vendor that has no contractual obligation to safeguard it.

Here is what the gap looks like, where the exposure shows up, and what to use instead.

Why Zapier Fails HIPAA Requirements

The HIPAA Privacy and Security Rules (45 CFR 164.502(e) and 164.308(b)) require that any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity sign a BAA before receiving that data. A BAA defines the vendor's obligations, including breach notification, safeguard requirements, and downstream subcontractor controls. Zapier does not sign BAAs.

That single fact disqualifies Zapier from any workflow involving protected health information. The technical capabilities — encryption, access controls, audit logging — are not the issue. The contractual coverage is missing.

Beyond the BAA gap, the architecture of Zapier creates additional concerns even if a BAA were available.

Data flows through Zapier servers, not directly between apps. When you build a Zap, the data passes through Zapier's infrastructure, where it is processed, transformed, and then forwarded to the destination app. PHI in that pipeline sits — even briefly — on a vendor's systems with no contractual protections.

Zaps store run history. Zapier retains the input and output data of recent Zap runs, allowing you to inspect and replay them. PHI in run history is PHI in storage on a non-eligible vendor.

Webhooks and triggers expose PHI to multiple systems. A single Zap can connect three or four systems. Without a BAA on each, the PHI flows are uncovered at every step.

No HIPAA-specific configuration mode. Even on enterprise plans, Zapier offers no toggles, encryption enhancements, or workflow restrictions specifically for healthcare workloads.

Common Mistakes Practices Make with Zapier

Connecting an EHR to Zapier to push patient data into a CRM. This is the most common pattern. The CRM may have a BAA. The EHR may have a BAA. Zapier in the middle has none — every record passing through is uncovered PHI.

Using Zapier to route appointment confirmations to email. A Zap that triggers on new appointments and emails the patient creates a PHI flow through Zapier and through any non-BAA email system at the end of it. An appointment date tied to a patient's email address is already PHI; the Zap does not need to carry a diagnosis to be a problem.

Syncing intake form responses to Slack or Microsoft Teams. When intake responses include visit reasons, symptoms, or insurance information, the Zap is moving PHI through three systems: the form, Zapier, and the chat platform. Any of them may lack a HIPAA agreement, and Zapier always does.

Backing up form submissions to Google Sheets or Airtable via Zapier. Without a Google Workspace BAA covering Sheets, and without any BAA on Zapier, the backup is a permanent PHI archive on uncovered infrastructure.

Using Zapier filters to "redact" PHI before it lands in another system. Filters and formatters do not legally separate PHI from non-PHI when the input contained PHI in the first place. A filter step runs inside Zapier, after the trigger has already delivered the full record to Zapier's servers; whatever the filter drops was already disclosed and may already sit in run history.

Treating Zapier as invisible plumbing. Many practices map their compliance footprint by listing the apps they use. Zapier rarely appears on those lists because it is automation glue rather than a destination. The omission is the most dangerous part.

Using built-in Zapier email or scheduling features. Some Zaps use Zapier's native email or scheduling steps (for example, Email by Zapier). The native steps run inside Zapier rather than on a downstream app, so any patient data they carry is a direct PHI transmission through a non-eligible vendor.
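The "invisible plumbing" problem above has a practical fix: Zapier leaves fingerprints in the systems it connects, and an inventory can be searched for them. The script below is an added example, not Patient Protect's tooling and not anything from Zapier. It scans exported integration records (outbound webhook URLs from an EHR or form tool, OAuth-authorized app names from a Workspace or Microsoft 365 admin console, and hostnames from a proxy log) for Zapier indicators and reports which hits originate from a system the practice has marked as holding PHI. The record layout, the system names and the sample data are all constructed for the example; the two hostnames are the ones Zapier actually uses (hooks.zapier.com receives "Catch Hook" triggers).

```python
"""Find Zapier in an integration inventory.

Added example, not Patient Protect's code or Zapier's. Record fields,
system names and the sample inventory are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Hostnames Zapier uses. hooks.zapier.com receives "Catch Hook" webhook
# triggers; zapier.com covers the app itself and OAuth authorizations.
ZAPIER_HOSTS = ("hooks.zapier.com", "zapier.com")


@dataclass(frozen=True)
class Finding:
    source_system: str   # where the record came from (constructed name)
    kind: str            # "webhook" | "oauth_app" | "network"
    evidence: str        # the URL, app name or host that matched
    phi_likely: bool     # the source system is marked as holding PHI


def _host_matches(host: str) -> bool:
    # Exact host or subdomain match only, so "notzapier.com" does not match.
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ZAPIER_HOSTS)


def is_zapier_url(url: str) -> bool:
    """True if the URL points at a Zapier hostname."""
    parsed = urlparse(url)
    return bool(parsed.hostname) and _host_matches(parsed.hostname)


def is_zapier_app(name: str) -> bool:
    """True for an OAuth-authorized app whose display name is Zapier."""
    return "zapier" in name.lower()


def scan_inventory(records):
    """Return a Finding for every record that routes data through Zapier.

    Each record is a dict with 'system', 'kind' and 'value'; 'holds_phi'
    marks systems the practice has identified as PHI sources.
    """
    findings = []
    for r in records:
        kind, value = r["kind"], r["value"]
        if kind == "webhook":
            hit = is_zapier_url(value)
        elif kind == "oauth_app":
            hit = is_zapier_app(value)
        elif kind == "network":
            hit = _host_matches(value)
        else:
            hit = False
        if hit:
            findings.append(Finding(r["system"], kind, value, bool(r.get("holds_phi"))))
    return findings


# Constructed sample inventory: EHR webhooks, a form tool's integrations,
# a Workspace authorized-apps list, and two proxy-log hostnames.
SAMPLE_INVENTORY = [
    {"system": "ehr", "kind": "webhook", "holds_phi": True,
     "value": "https://hooks.zapier.com/hooks/catch/000000/abcdef/"},
    {"system": "ehr", "kind": "webhook", "holds_phi": True,
     "value": "https://crm.example.org/api/inbound"},
    {"system": "intake-forms", "kind": "oauth_app", "holds_phi": True,
     "value": "Zapier"},
    {"system": "google-workspace", "kind": "oauth_app", "holds_phi": False,
     "value": "Slack"},
    {"system": "proxy", "kind": "network", "holds_phi": False,
     "value": "notzapier.com"},       # must not match
    {"system": "proxy", "kind": "network", "holds_phi": False,
     "value": "hooks.zapier.com"},
]


def phi_exposures(records=SAMPLE_INVENTORY):
    """Findings on PHI-holding systems: the BAA gaps to act on first."""
    return [f for f in scan_inventory(records) if f.phi_likely]


if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        flag = "  <-- PHI source, no BAA" if f.phi_likely else ""
        print(f"{f.source_system:16} {f.kind:10} {f.evidence}{flag}")
```

Run it against real exports by replacing SAMPLE_INVENTORY with records pulled from each system's integration or admin page. The point of the `holds_phi` flag is triage: a Zapier hit on a marketing form is a policy question, while a hit on the EHR's outbound webhook list is an active PHI flow that needs to be disabled and documented.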

What Zapier's Lack of a BAA Actually Means

A BAA is a contract. Without it, three things are true regardless of how Zapier is configured.

You have no breach notification clause. If Zapier suffers a security incident affecting your data, you have no contractual right to be notified within HIPAA's required timeframes. You may not learn about the exposure at all.

You have no safeguard commitments in writing. Zapier may use industry-standard encryption and access controls, but those are vendor commitments — not legal obligations to your practice. They can change without notice.

You bear the full regulatory exposure. When PHI is processed by an uncontracted vendor, the covered entity owns 100% of the violation. There is no downstream entity to share the enforcement risk with.

OCR settlements have repeatedly cited the absence of a BAA as a violation in its own right, alongside whatever incident brought the practice to OCR's attention. The pattern is consistent: a missing BAA is treated as a standalone finding, not merely as context for a breach.

HIPAA-Compliant Alternatives to Zapier

The "no-code automation" category includes platforms that do sign BAAs. Each operates differently and serves different use cases.

Workato. Enterprise iPaaS platform that signs BAAs on appropriate enterprise contracts. More complex than Zapier but built for regulated workloads.

Make (formerly Integromat). Some plan tiers offer HIPAA-eligible options. Verify current BAA availability and the specific plan that supports it.

Tray.io. Enterprise integration platform with BAA availability on contracted plans.

MuleSoft. Owned by Salesforce, used heavily in healthcare. HIPAA-eligible on enterprise contracts as part of Salesforce's overall framework.

Native integrations between HIPAA-eligible platforms. Many EHRs, scheduling tools, and CRMs offer direct integrations that operate under each system's own BAA, without an automation middleman. This is often the simplest answer.

Custom code on HIPAA-eligible cloud infrastructure. AWS Lambda, Azure Functions, or Google Cloud Functions deployed under their respective BAAs can replace Zapier-style workflows for organizations with engineering capacity. The caveat is that every service on the data path, including queues, secrets storage, and logging, must also be covered by the BAA and configured as HIPAA-eligible, and the function must not write PHI into logs or error reports.

For practices that want the no-code convenience of Zapier without the compliance gap, Workato and HIPAA-eligible Make plans are the closest functional substitutes.
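To make the custom-code option above concrete, here is the core of a direct EHR-to-CRM forwarder that replaces the "EHR to CRM via Zapier" pattern. This is an added example, not Patient Protect's code and not any EHR or CRM vendor's API. Everything specific is assumed for illustration: the source system signs each webhook with HMAC-SHA256 over `timestamp.body` and sends it in `X-Signature` and `X-Timestamp` headers; the destination accepts the fields in `CRM_FIELDS`; the signing secret and the audit pepper come from a secrets manager at deploy time. The network call to the CRM is left out so the block runs offline; what it shows is the three controls a Zap never gives you: origin verification, a minimum-necessary field allowlist applied before anything is forwarded, and an audit record that proves the flow happened without writing PHI into logs.

```python
"""Core of a direct EHR-to-CRM forwarder deployed under a cloud BAA.

Added example, not Patient Protect's code and not a vendor API. The
signing scheme, headers, field names and sample event are assumptions.
"""
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Minimum necessary: the only source fields the CRM workflow needs.
# Diagnosis, notes and insurance data are dropped before forwarding.
CRM_FIELDS = {"patient_id": "external_id", "first_name": "first_name",
              "appointment_at": "next_visit"}
MAX_SKEW_SECONDS = 300  # reject webhooks older than five minutes


def verify_signature(body: bytes, timestamp: str, signature: str,
                     secret: bytes, now: Optional[float] = None) -> bool:
    """Check the webhook came from the EHR and is not stale."""
    now = time.time() if now is None else now
    try:
        if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
            return False
    except ValueError:
        return False
    expected = hmac.new(secret, timestamp.encode() + b"." + body,
                        hashlib.sha256).hexdigest()
    # Constant-time compare: a plain == would leak timing about the MAC.
    return hmac.compare_digest(expected, signature)


def minimum_necessary(event: dict) -> dict:
    """Project the source record onto the CRM's allowlisted fields."""
    return {dst: event[src] for src, dst in CRM_FIELDS.items() if src in event}


def audit_record(event: dict, outcome: str, pepper: bytes) -> dict:
    """Log line that records the flow without putting PHI in the logs.

    The patient id is replaced by a keyed hash: correlatable with the
    source system by someone holding the pepper, unreadable from logs.
    """
    token = hmac.new(pepper, str(event.get("patient_id", "")).encode(),
                     hashlib.sha256).hexdigest()[:16]
    return {"patient_ref": token, "outcome": outcome,
            "fields_forwarded": sorted(minimum_necessary(event))}


def handle(headers: dict, body: bytes, secret: bytes, pepper: bytes,
           now: Optional[float] = None) -> Tuple[int, Optional[dict], dict]:
    """Return (HTTP status, payload for the CRM or None, audit record)."""
    ts, sig = headers.get("X-Timestamp", ""), headers.get("X-Signature", "")
    if not verify_signature(body, ts, sig, secret, now):
        return 401, None, {"patient_ref": None, "outcome": "rejected_signature",
                           "fields_forwarded": []}
    event = json.loads(body)
    return 200, minimum_necessary(event), audit_record(event, "forwarded", pepper)


# Constructed sample: what the EHR would send, signed with a test secret.
TEST_SECRET = b"example-webhook-secret"
TEST_PEPPER = b"example-audit-pepper"
SAMPLE_EVENT = {"patient_id": "P-1001", "first_name": "Ada",
                "appointment_at": "2026-05-20T09:00:00Z",
                "diagnosis": "J06.9", "insurance_member_id": "XYZ123"}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT).encode()
SAMPLE_TS = "1700000000"
SAMPLE_HEADERS = {
    "X-Timestamp": SAMPLE_TS,
    "X-Signature": hmac.new(TEST_SECRET, SAMPLE_TS.encode() + b"." + SAMPLE_BODY,
                            hashlib.sha256).hexdigest(),
}


def demo():
    """Run the handler on the sample at the moment it was signed."""
    return handle(SAMPLE_HEADERS, SAMPLE_BODY, TEST_SECRET, TEST_PEPPER,
                  now=float(SAMPLE_TS))


if __name__ == "__main__":
    status, payload, audit = demo()
    print(status, payload)
    print(json.dumps(audit))
```

In a real deployment the 200 branch would POST the returned payload to the CRM over TLS, and the audit record, never the event, would go to the provider's logging service. The diagnosis and insurance fields in the sample never leave the function, which is the difference between this and a Zap: the filtering happens before the data reaches any third party, not after it has already been stored in a vendor's run history.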

Where Workflow Automation Fits in Your Compliance Program

Automation tools are often the most-overlooked part of a compliance program. They are invisible plumbing — they do not show up in EHR audits, they do not appear in vendor management spreadsheets, and they rarely come up in staff training.

That invisibility is the risk. A single Zap built three years ago by a former office manager can still be moving patient data between systems with no BAA, no documentation, and no monitoring.

Patient Protect maps your full data flow including automation tools, identifies every vendor in the pipeline, and flags BAA gaps before they become enforcement actions.

Frequently Asked Questions

Does Zapier sign a BAA on any tier?

No. Zapier does not sign BAAs on Free, Starter, Professional, Team, or Company plans. The lack of a BAA is a deliberate product positioning, not a configuration gap.

Can I use Zapier if I do not include obvious PHI in the Zap?

The risk is high and the answer is rarely yes. Even a Zap that moves "just" a name and an email address can become PHI when the context implies a healthcare relationship — for example, when the source app is a patient portal or the destination app is a care coordination tool. Zapier prohibits PHI under its terms regardless of how minimal the data appears.

What about Zapier Tables or Zapier Storage?

Zapier's native data products — Tables, Storage, Interfaces — sit on the same infrastructure. Without a BAA, none of them are HIPAA-eligible. PHI in a Zapier Table is PHI on a non-eligible vendor's systems.

Does encryption in Zapier change the answer?

No. Encryption is a technical safeguard. The HIPAA contractual requirement, a signed BAA, is independent of encryption. HHS's cloud computing guidance is explicit that a vendor storing or transmitting encrypted PHI is a business associate even if it never holds the decryption key, so strongly encrypted data at a vendor without a BAA is still a compliance violation.

What is the cleanest fix for an existing Zapier workflow handling PHI?

The cleanest fix is to replace Zapier in the workflow. Either use native integrations between HIPAA-eligible apps, move the workflow to a HIPAA-eligible automation platform with a BAA, or rebuild it as a custom integration on HIPAA-eligible cloud infrastructure. Disabling the Zap and documenting the historical exposure is the first step. That documentation should include what the Zap's run history retained, because an impermissible disclosure to a vendor without a BAA is presumed to be a breach under the Breach Notification Rule unless a documented risk assessment shows a low probability that the PHI was compromised.

Can I keep using Zapier for non-PHI workflows?

Yes — Zapier is fine for marketing, internal operations, lead routing on non-healthcare audiences, and any workflow that does not touch patient data. The boundary is PHI, not Zapier itself.


Patient Protect tracks your full compliance program — including automation platforms, integrations, and data flow gaps — starting at $39/month.
