Topickz Research

The HIPAA Tax Report 2026

We checked the HIPAA posture of 266 B2B SaaS tools. Fewer than 3 in 10 will even sign a BAA, and of the ones that do, more than 70% lock it behind their most expensive tier, a paid add-on, or a sales-only contract. HIPAA is not a feature. It is an upsell. Here is the data.

By Vignesh Sampath Kumar. Last updated June 21, 2026.

Most SaaS security pages read like a wall of badges. SOC 2, GDPR, ISO 27001, a green check next to each one. HIPAA is usually on that wall too, and it is the one badge that does not mean what the others mean.

SOC 2 is something a vendor earns once and shows everyone. HIPAA is something a vendor agrees to with you, in a signed contract called a Business Associate Agreement, and only then can you legally put protected health information into the tool. No BAA, no PHI. It does not matter how many badges are on the page.

So we went looking for the BAA. We pulled the compliance posture for every tool on the Topickz review desk where we track it, 266 unique B2B SaaS products across six categories, and asked one blunt question of each: will you sign a BAA, and what does it cost to be allowed to?

The short version: most tools will not sign at all, and the ones that will treat HIPAA as the velvet rope into their most expensive tier.

71% of B2B SaaS tools that support HIPAA at all lock it behind their most expensive tier, a paid add-on, or a sales-only contract (54 of 76 tools). Source: Topickz HIPAA Tax Report, 266 tools across 6 categories, June 2026.

What we measured

This is not a survey. We did not ask vendors how they feel about healthcare. We read what they publish, the security pages, the trust centers, the BAA terms, and the pricing, the way a buyer evaluating PHI risk would, and we recorded two things for each tool.

First, will the vendor sign a BAA at all. A tool with no BAA cannot be used with PHI, full stop, no matter how secure it is. Second, for the tools that will sign, which plan unlocks it: a standard paid plan, or the top enterprise tier, or a paid add-on, or a sales-only contract you cannot reach without a call.

Every named tool in this report was re-verified live against the vendor’s own documentation in June 2026. Our methodology covers how the review desk tracks compliance.

One honesty note up front, because it changed our own numbers. An early cut used the compliance tags from our category reviews as-is, and several tools were tagged as including HIPAA on a “standard” plan. When we re-checked those live, some of them were wrong in the vendor’s favor. Salesforce was the clearest case. We had it as standard, but a BAA only applies to Enterprise and Unlimited editions, and real PHI work runs on Health Cloud, a separate product. Sales Cloud out of the box is not HIPAA-eligible. So the tax below is, if anything, undercounted.

The BAA wall

Start with the number that decides everything else. Of 266 tools, only 76 will sign a BAA. That is 29%. The other 190 tools, 71% of the market we checked, offer no HIPAA path at all.

[Figure: Topickz HIPAA Tax Report 2026 funnel. 266 B2B SaaS tools checked, 76 will sign a BAA, only 22 include HIPAA on a standard plan.]

For a lot of buyers that is a quiet shock. A clinic, a digital health startup, a billing company, an insurer, anyone who touches PHI, walks into the SaaS market assuming the tools they already know are an option. Most of them are not. The shortlist for a PHI-handling team is a quarter the size of the shortlist everyone else gets.

And it is not the tool being insecure. Plenty of the 190 hold SOC 2 and encrypt everything. They simply will not take on the legal liability of a BAA, so the door is closed before security even enters the conversation.

The tax

Now the part that earns this report its name. Look only at the 76 tools that will sign a BAA, and the gating is brutal. More than 70% of them, 54 tools, put HIPAA behind their single most expensive tier, a paid add-on, or a sales-only contract. Fewer than 1 in 10 tools across the whole sample include it on a plan a normal team would actually buy.

Here is the tax in tools you already know.

| Tool | HIPAA available on | The catch |
| --- | --- | --- |
| HubSpot | Enterprise + signed BAA | ~$3,600/mo minimum and a $7,000 onboarding fee; reporting and analytics are not covered by the BAA |
| Salesforce | Enterprise / Unlimited + Health Cloud | Sales Cloud is not HIPAA-eligible out of the box |
| Monday.com | Enterprise only | 25-user minimum; the broadcast feature is disabled on HIPAA accounts |
| ClickUp | Enterprise only | No BAA on any of the three lower plans |
| Notion | Enterprise only | Free of charge once you are on Enterprise, but the Notion AI add-on is not covered |
| Asana | Enterprise + signed BAA | Activates around 24 hours after a Super Admin accepts the BAA |
| Grammarly | Enterprise only | 100-seat minimum to qualify for a BAA |

None of these are obscure. They are the default tools a growing company already runs on, and the moment that company has to handle PHI, the price of staying on them jumps to the enterprise tier or the tool drops off the list entirely.

The categories that gate hardest

The pattern is not random across categories, and it tracks who handles health data and who does not.

Data and analytics tools gate HIPAA the hardest. Almost every analytics tool that supports it at all makes you pay for a top tier first, which makes a grim kind of sense: the tools most likely to aggregate sensitive records are the least willing to let you near PHI without an enterprise contract.

HR and recruiting software is the friendliest, relatively speaking. It has the highest share of tools that support HIPAA, because HR platforms already sit on benefits, payroll, and health data, so a BAA is part of the job. Workday, ADP, Paychex, Rippling, and the enterprise HR suites treat it as table stakes.

Marketing is the desert. More than 8 in 10 marketing tools we checked will not sign a BAA at all. A hospital that wants to run patient communications through a normal marketing platform finds that almost none of them are an option, which is exactly why HIPAA-specific marketing tools exist and charge a premium.

Why HIPAA is an upsell

None of this is pure greed, and it helps to say so plainly. A BAA is real legal liability. Supporting PHI properly means isolating infrastructure, restricting features, adding audit trails, and accepting breach exposure that a project management tool would rather not carry. That costs money, and the cost is real.

But the way it is priced gives the game away. HIPAA is almost never sold as a feature with a feature’s price. It is sold as a customer segment. The companies that need a BAA, hospitals and clinics and health-tech and insurers, are exactly the companies with procurement budgets, so the BAA becomes the cleanest possible filter for “this buyer can afford enterprise.”

The tells are everywhere once you see them. Seat minimums that have nothing to do with PHI risk, Monday at 25 users, Grammarly at 100. Standalone products like Salesforce Health Cloud. BAAs that pointedly exclude the newest, most-hyped features, like Notion holding its AI add-on out of coverage. HIPAA is not priced by what it costs to deliver. It is priced by who is desperate enough to need it.

What buyers should do

Treat a BAA as an enterprise purchase from day one. If your team touches PHI, the affordable tier you budgeted around almost certainly will not sign one, so model your cost at the enterprise tier before you fall in love with the cheap plan. On the data here, that is the rule, not the exception.

Get the BAA terms in writing before you commit, and read what is excluded. A signed BAA with holes in it is worse than none, because it feels safe. HubSpot’s BAA does not cover reporting and analytics. Notion’s does not cover its AI add-on. The exclusions are where teams accidentally move PHI into an uncovered feature and break compliance without knowing it.

Watch the seat minimums. A five-person clinic cannot buy into Grammarly’s 100-seat floor, and a small practice does not need 25 Monday.com users. The minimum is the price, even when the per-seat number looks reasonable.

And remember that “HIPAA compliant” on a marketing page is not a certification, because no such certification exists. What exists is a signed BAA plus a configuration that actually covers the features you use. Everything else is a badge on a wall.

Methodology

Sample: 266 unique B2B SaaS products for which the Topickz review desk records HIPAA posture, spanning six categories (sales, marketing, HR and recruiting, operations, data and analytics, developer tools). Categories where we do not yet track compliance uniformly (finance, security, collaboration, customer success) are excluded from this cut, and we will widen the sample in the next refresh.

Collection: for each tool we recorded whether the vendor will sign a Business Associate Agreement and, where it will, the lowest plan that unlocks it. Sources were vendor security pages, trust centers, published BAA terms, help documentation, and pricing pages. Every tool named in this report was re-verified live in June 2026.

Definitions: “supports HIPAA” means the vendor will sign a BAA, the only thing that makes PHI use lawful. “Gated” means HIPAA requires the top enterprise tier, a paid add-on, or a sales-only contract rather than a standard published plan. We do not treat any security badge as HIPAA support on its own, because HIPAA has no certification.

Limitation we will own: BAA availability and tier-gating change often, and a few vendors disclose terms only under NDA. Where a vendor’s public documentation was ambiguous, we counted it conservatively against the tax, not for it.

This is original Topickz research. We will refresh it annually and widen the category coverage.

Cite this report

Free to reference and republish with a link back to this page. Suggested credit: “Topickz HIPAA Tax Report 2026 (topickz.com/research/the-hipaa-tax-2026/).” All three graphics below are free to embed, and each carries the source link so the credit comes built in.

The access funnel (the main chart):

<a href="https://topickz.com/research/the-hipaa-tax-2026/">
  <img src="https://topickz.com/images/research/hipaa-tax-funnel-2026.png"
       alt="Topickz HIPAA Tax Report 2026: only 76 of 266 SaaS tools will sign a BAA" width="760">
</a>
<p>Source: <a href="https://topickz.com/research/the-hipaa-tax-2026/">Topickz HIPAA Tax Report 2026</a></p>

The named gating table (the tools and the catch):

<a href="https://topickz.com/research/the-hipaa-tax-2026/">
  <img src="https://topickz.com/images/research/hipaa-tax-table-2026.png"
       alt="Topickz HIPAA Tax Report 2026: HubSpot, Salesforce, Monday, ClickUp, Notion, Asana and Grammarly gate HIPAA behind enterprise" width="760">
</a>
<p>Source: <a href="https://topickz.com/research/the-hipaa-tax-2026/">Topickz HIPAA Tax Report 2026</a></p>

The summary card (best for social posts and slides):

<a href="https://topickz.com/research/the-hipaa-tax-2026/">
  <img src="https://topickz.com/images/research/hipaa-tax-card-2026.png"
       alt="Topickz HIPAA Tax Report 2026: 71% of HIPAA-capable SaaS tools lock it behind enterprise" width="600">
</a>
<p>Source: <a href="https://topickz.com/research/the-hipaa-tax-2026/">Topickz HIPAA Tax Report 2026</a></p>
