Vendor compliance profile

Is Zapier HIPAA compliant?

Zapier should not be used to automate workflows involving PHI. Zapier's own HIPAA guidance says it is not HIPAA compliant and should not be used to store, send, or automate protected health information. Its SOC 2 evidence speaks to security controls, not to HIPAA coverage, and does not change that limitation.

HIPAA status signal: Not supported for PHI

BAA public signal: Unable to confirm

SOC 2 evidence signal: Public evidence

PHI warning: Zaps can copy PHI across forms, CRMs, spreadsheets, email, AI tools, storage, webhooks, logs, task history, and connected app metadata. Because task history and logs retain run data, exposure is not limited to the moment a Zap executes; a single PHI field entering a trigger can persist in several places and in every connected app downstream.

Search query answers

Is Zapier HIPAA compliant?

No. Zapier's public HIPAA guidance says Zapier is not HIPAA compliant and should not be used to store, send, or automate protected health information.

Can Zapier be used for HIPAA workflows with a BAA?

ComplySaaS was unable to confirm public BAA availability that would make Zapier suitable for PHI automation. Treat Zapier as out of scope for regulated PHI workflows unless Zapier directly provides current written coverage for the exact product and use case.

Does Zapier SOC 2 make it safe for PHI?

No. Zapier's SOC 2 evidence can support security review, but it does not override Zapier's own HIPAA limitation or authorize task history, webhooks, AI steps, forms, CRMs, or spreadsheets to process PHI.

HIPAA, BAA, and SOC 2 summary

HIPAA: Zapier states in its HIPAA guidance that it is not HIPAA compliant and that customers should not automate workflows involving PHI through Zapier.
BAA: Unable to confirm public BAA availability for PHI workflows. Treat Zapier as out of scope for regulated PHI automation unless Zapier directly provides current written terms for your exact product and workflow.
SOC 2: Zapier's security and compliance documentation references SOC 2 Type II and SOC 3 reports available through its Trust Center. SOC evidence does not override the stated HIPAA limitation.
PHI risk: Zaps can copy PHI across forms, CRMs, spreadsheets, email, AI tools, storage, webhooks, logs, task history, and connected app metadata.
Category: HIPAA-Compliant Forms and Intake Software
Last checked: 2026-05-15
Confidence: High

Public evidence and open questions

What public sources say

  • Zapier's public HIPAA guidance says Zapier is not HIPAA compliant.
  • Zapier says customers should not use Zapier to store, send, or automate protected health information.
  • Zapier security documentation references SOC 2 Type II and SOC 3 reports available through its Trust Center.

What remains unconfirmed

  • A public BAA path for Zapier PHI workflows.
  • Any covered scope for task history, webhooks, AI steps, app connections, logs, support access, or automation metadata involving PHI.
  • Whether connected apps in a Zap each have separate BAA coverage and safe downstream configuration.

What it may be used for

  • General business workflows that do not include PHI.
  • Healthcare-adjacent operations only where every trigger, action, and connected app has been checked to carry no PHI, since Zapier's own guidance excludes PHI regardless of BAA status.
  • Vendor risk review, procurement research, and compliance planning.

What not to use it for

  • Moving patient intake responses, diagnosis details, appointment reasons, files, or identifiers between SaaS tools.
  • Using webhook payloads, task history, or AI automation with PHI.
  • Treating SOC 2 evidence as permission to process PHI.

What to verify with the vendor

  • Whether the vendor will sign a BAA for your exact product, plan, and use case.
  • Which services, add-ons, regions, and support channels are covered by the agreement.
  • Whether your intended workflow stores, transmits, or processes PHI.
  • Which admin, access control, retention, audit log, and encryption settings must be enabled.

FAQ

Will Zapier sign a BAA?

Unable to confirm public BAA availability for PHI workflows. Treat Zapier as out of scope for regulated PHI automation unless Zapier directly provides current written terms for your exact product and workflow.

Can Zapier be used with PHI?

No. Zapier's own guidance excludes PHI, and this profile could not confirm a BAA. Do not use this vendor with PHI unless Zapier provides current written coverage and your organization has verified BAA scope, covered services, configuration, access controls, data retention, and every connected integration.

Does SOC 2 mean Zapier is HIPAA compliant?

No. SOC 2 evidence can support security diligence, but it does not prove HIPAA compliance, confirm BAA coverage, or approve PHI use. Review HIPAA terms, BAA scope, covered services, configuration, and intended workflow separately.

Last checked and source notes

Dataset rows: 268 vendors