If you’re a HIPAA Business Associate, every vendor that touches protected health information (PHI) on your behalf needs a signed Business Associate Agreement (BAA). When your customer (the Covered Entity) audits you, they’ll ask for your BAA inventory. Codex tracks BAAs alongside vendor metadata so that inventory is always current — not a stale spreadsheet your CFO last touched 18 months ago.

What Codex tracks per vendor

Vendor: Slack Technologies
BAA status: signed ✓
BAA signed date: 2024-08-15
BAA version: Slack Enterprise BAA, v3
Expiration: none (renews with subscription)
Document storage: Linked Google Drive PDF (read-only audit access)
PHI scope: messages, file attachments
Annual review: due 2026-08-15 (next required attestation)
Owner: alice@axiomancer.io

Vendor categories

Codex classifies every vendor into one of three buckets:

1. PHI-handling — BAA required

The vendor processes, stores, or transmits PHI. Examples:
  • Cloud infrastructure (AWS, GCP, Azure, Cloudflare)
  • Communication (Slack, Microsoft 365, Google Workspace, Zoom)
  • Customer support (Zendesk, Intercom, Front)
  • Analytics where PHI may flow (Mixpanel, Amplitude, Segment)
  • File storage (Box, Dropbox, OneDrive)
  • Backup (Datto, Veeam)
Codex flags these as BAA-required and prompts you to confirm BAA status.

2. Adjacent — BAA not required, due-diligence still useful

The vendor doesn’t see PHI directly but has access to systems that handle PHI. Examples:
  • Code repositories (GitHub, GitLab) — code may reference PHI schemas but doesn’t store PHI
  • IaC + CI/CD — Terraform, GitHub Actions, CircleCI
  • Monitoring without log content (Datadog Metrics, but not Datadog Logs)
Codex tracks these with “BAA not required” justification but still expects vendor risk assessment evidence.

3. Internal-only — no PHI exposure

Pure internal tooling: Linear, Notion (if you don’t paste PHI in pages), Figma. No BAA, no risk assessment required.

BAA inventory workflow

1. Codex auto-discovers vendors

Connectors to your IdP, finance, and email scanner surface every SaaS vendor your company uses. Codex tags each as BAA-required, adjacent, or internal-only based on category + PHI-likelihood heuristics.

2. You review and confirm classification

Open Vendors → Review and override Codex’s classification where wrong. Most companies have ~10-15 BAA-required vendors and 30-50 total.

3. For each BAA-required vendor, attach the signed BAA

Upload the PDF (or paste a Google Drive link). Codex extracts the signed date and version.

4. Codex sends renewal reminders

For BAAs with expiration dates, reminders fire at 90d / 30d / 7d / 0d before expiry. For BAAs that renew indefinitely with the subscription, Codex sends an annual attestation reminder so a human re-confirms the BAA is still in force.

5. Audit export

Reports → BAA inventory outputs a CSV + PDF with current status for every vendor. Hand to your customer’s audit team.

What auditors check on a BAA

When your customer reviews your BAA inventory, they’re verifying:
  1. Coverage — every vendor that touches PHI has a BAA. Codex’s classification step surfaces gaps.
  2. Currency — BAAs are signed and unexpired. Codex’s renewal reminders prevent silent expirations.
  3. Scope — the BAA covers the actual data flow. If you started using a vendor’s new feature that handles PHI in a way the BAA doesn’t anticipate, that’s a gap.
  4. Subprocessor cascading — if your vendor uses subprocessors (e.g. Slack uses AWS), the BAA must permit that and your vendor must have BAAs with their subprocessors. Codex tracks this transitively when the vendor publishes a subprocessor list.
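The coverage and currency checks above, together with the reminder schedule from workflow step 4, as an added example (not Codex’s own code): the inventory rows, the field names, and the vendor names other than Slack and GitHub are constructed for illustration.

```python
from datetime import date

# Constructed sample inventory (illustrative, not Codex data); the fields mirror
# the per-vendor record shown earlier on this page. Dates are ISO strings.
INVENTORY = [
    {"vendor": "Slack Technologies", "category": "phi-handling", "baa_signed": True,
     "expires": None, "annual_review": "2026-08-15"},
    {"vendor": "Example Backup Co", "category": "phi-handling", "baa_signed": True,
     "expires": "2025-03-01", "annual_review": None},
    {"vendor": "Example Helpdesk", "category": "phi-handling", "baa_signed": False,
     "expires": None, "annual_review": None},
    {"vendor": "GitHub", "category": "adjacent", "baa_signed": False,
     "expires": None, "annual_review": None},
]

REMINDER_OFFSETS = (90, 30, 7, 0)  # days before expiry, per workflow step 4


def _d(s):
    """Parse an ISO date string, passing None through unchanged."""
    return date.fromisoformat(s) if s else None


def coverage_gaps(inventory):
    """Coverage check: PHI-handling vendors with no signed BAA."""
    return [v["vendor"] for v in inventory
            if v["category"] == "phi-handling" and not v["baa_signed"]]


def expired_baas(inventory, today_iso):
    """Currency check: signed BAAs whose expiration date has already passed."""
    today = _d(today_iso)
    return [v["vendor"] for v in inventory
            if v["baa_signed"] and _d(v["expires"]) is not None
            and _d(v["expires"]) < today]


def reminders_due(inventory, today_iso):
    """Reminders firing on today_iso: 90/30/7/0 days before a dated expiry, or
    the annual attestation date for BAAs that renew with the subscription."""
    today = _d(today_iso)
    due = []
    for v in inventory:
        if not v["baa_signed"]:
            continue  # unsigned BAAs are coverage gaps, not reminder candidates
        expires = _d(v["expires"])
        if expires is not None:
            days_left = (expires - today).days
            if days_left in REMINDER_OFFSETS:
                due.append((v["vendor"], f"expires in {days_left}d"))
        elif _d(v["annual_review"]) == today:
            due.append((v["vendor"], "annual attestation"))
    return due
```

Adjacent vendors such as GitHub are deliberately excluded from the coverage check, matching the “BAA not required” classification above.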

What happens when a vendor refuses to sign a BAA

Some smaller SaaS vendors don’t offer BAAs. Three options:
  1. Replace the vendor with one that signs BAAs (cleanest but expensive).
  2. Eliminate PHI from that integration — work with the vendor team to confirm only non-PHI data flows. Document this in Codex with the technical control that prevents PHI from leaking.
  3. Accept the risk — only viable for very narrow exposure with strong customer notification. Codex stores the risk acceptance memo with sign-off from your privacy officer.
The third option is rarely the right call. Most enterprise customers will reject a Business Associate that has un-BAAed PHI-touching vendors regardless of memos.

Common gotchas

  • OAuth-installed apps add new BAA-required vendors silently. If a developer connects PagerDuty to your Slack workspace, PagerDuty is now seeing channel data. Codex’s IdP integration discovers OAuth grants and surfaces them as new vendors awaiting classification.
  • Free tools used by individual employees (Grammarly, Calendly, etc.) often lack BAAs. Codex’s email scanner detects sign-up confirmations, surfaces the vendor, and prompts the employee to either uninstall or get IT to procure a BAA-eligible plan.
  • AI vendors (OpenAI, Anthropic) require special attention — many enterprise tiers offer BAAs but consumer/individual plans don’t. Codex flags AI vendor sign-ups specifically because the PHI risk is so high.