# ask-community-for-troubleshooting
p
Hi everyone! We're setting up Airbyte Cloud for a healthcare customer of ours that’s HIPAA compliant, and I wanted to confirm Airbyte’s current stance on Business Associate Agreements (BAA). Does Airbyte Cloud support signing a BAA, or would we need to use the self-hosted OSS version to remain HIPAA compliant? Any guidance or links to official documentation would be greatly appreciated. Thanks! PS. We're on the standard plan
k
I'm sorry, but the knowledge sources do not explicitly mention whether Airbyte Cloud (including the Standard plan) supports signing a Business Associate Agreement (BAA) for HIPAA compliance. The documentation does confirm that Airbyte Cloud is designed with security in mind and lists HIPAA as one of the compliance frameworks organizations may need to consider, especially in the context of the Enterprise Flex offering, which allows for more control over data residency and security features. However, there is no direct statement about BAA support or official HIPAA certification for Airbyte Cloud itself on the Standard plan or any other plan. If your organization requires a signed BAA for HIPAA compliance, you may need to contact Airbyte directly to confirm their current policy regarding BAAs and HIPAA support for Airbyte Cloud. Alternatively, using the self-hosted OSS version would give you full control over your data and environment, which may be preferable for strict HIPAA compliance requirements, but again, this is not explicitly stated in the documentation. For further guidance, you can reach out to Airbyte via their official support channels as recommended in the documentation, or [talk to sales](https://airbyte.com/company/talk-to-sales) for enterprise-specific compliance questions, including BAAs and HIPAA requirements. [Enterprise Flex Overview](https://docs.airbyte.com/platform/next/enterprise-flex#overview) [Security Documentation](https://docs.airbyte.com/platform/next/operating-airbyte/security) If you need to ensure HIPAA compliance and a signed BAA, please confirm directly with Airbyte before proceeding.
p
Is there anyone on this Slack community whom I can DM for more information about this? @kapa.ai
k
A message from kapa.ai
According to the Airbyte Slack Code of Conduct, you should not contact individual members of the community without their express permission, regardless of whether you are trying to recruit someone, sell a product, or solicit help. The community guidelines emphasize keeping discussions public and using the appropriate channels for your questions. If you need help from Airbyte staff or the Community Assistance Team, it is recommended to post your question in the relevant public channel, such as #ask-community-for-troubleshooting or #airbyte-help if available. This ensures your inquiry is handled appropriately and in line with community standards [Slack Code of Conduct](https://docs.airbyte.com/platform/community/code-of-conduct#slack-code-of-conduct).
j
I'm not certain, but under their Data Protection page there's an FAQ at the bottom:
Is Airbyte compliant with HIPAA?
Airbyte has determined with the support of its outside counsel that it qualifies as an information conduit for the purpose of HIPAA. This designation, however, is not a formal process and there is no third-party opinion or legal document for Airbyte to share.
The conduit exception is a HIPAA exclusion from the Omnibus Final Rule that applies to service providers that cannot be considered Business Associates because they do not have any way of accessing or storing electronic Protected Health Information (ePHI) during the performance of their service. Because a conduit is not a Business Associate, a Business Associate Agreement (BAA) is not required in order for a HIPAA-covered entity to use the conduit’s services.
The Department of Health and Human Services states in its guidance on Business Associates that “the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.”
TBH, the fastest way to get this question answered is to reach out to their sales team—they'll be very eager to help: https://airbyte.com/company/talk-to-sales. Support could answer too, but from what I'm seeing around here they've been slammed lately, so Sales will likely be the faster route (and I'm sure they get this question a lot). I also know that their new Enterprise Flex license means that Airbyte runs the control plane, but your actual syncs run in your own cloud infra (so only metadata lives in their system). So it could be a good hybrid option for you, depending on the details.