
CEO of Tallyfy · AI advisor at Blue Sheen for mid-size companies

The BAA for Claude Code is narrower than it looks

Is there a BAA for Claude Code? Yes, but the coverage is narrow. A BAA can cover the Claude Code CLI, but only with Zero Data Retention enabled, and the self-serve Enterprise HIPAA toggle does not include it. What is covered, what is not, and why.

Quick answers

Can a BAA cover Claude Code? Yes, but only the CLI and Desktop local mode, and only with Zero Data Retention enabled on the account.

Does the Enterprise HIPAA toggle cover it? No. Bundled Claude Code seats are not covered by the Enterprise clickthrough BAA. That path covers chat only.

Is Zero Data Retention self-serve? No. It is for qualified accounts and goes through Anthropic sales.

Is there a BAA for Claude Code? The short version is yes, and the short version is also where healthcare teams get into trouble, because the coverage is narrow enough that stopping at yes will mislead you.

A Business Associate Agreement is the contract that lets a HIPAA-covered entity, a healthcare provider or one of its partners, hand protected health information to an outside vendor. No BAA, no PHI. So for any healthcare organization that wants Claude Code in a workflow touching patient data, the BAA is the gate, and the full answer has three parts, not one.

Yes, Anthropic will place Claude Code under a BAA. But only some ways of running Claude Code, not all of them. And only when Zero Data Retention is switched on for the account, which is not a setting you can switch on yourself.

Each qualifier narrows the answer, and the distance between “a BAA covers Claude Code” and what is actually covered is exactly where a healthcare team can put PHI somewhere it should not be. This post walks through the real coverage, straight from Anthropic’s BAA documentation, and ends on the point that matters most: a signed BAA is not the same thing as being HIPAA compliant.

What a BAA is

A Business Associate Agreement is a specific instrument under HIPAA, not a general security promise. HIPAA splits the world into covered entities, the healthcare providers, plans, and clearinghouses that hold patient data, and business associates, the outside vendors that handle that data on a covered entity’s behalf. A BAA is the contract between the two. It binds the vendor to protect the protected health information it receives, to use it only as agreed, to report breaches, and to extend the same obligations to its own subcontractors. The reason it is the gate is blunt: under HIPAA, a covered entity that lets a vendor touch PHI without a BAA in place has itself committed a violation, regardless of how careful the vendor turns out to be. So before any healthcare team weighs whether Claude Code is good at a task, it has to answer a prior question. Is this use of it even permitted? The BAA is what makes the answer yes.

Two things follow from that, and they shape the rest of this post. The first is that a vendor either offers a BAA or it does not, and that single fact is the first filter on any AI tool a healthcare team considers, ahead of price or capability. Anthropic clears that filter, which is the starting point for the broader question of whether Claude is HIPAA compliant at all. The second point is quieter and gets lost: a BAA is a contract about the vendor, and a contract about the vendor leaves most of HIPAA untouched. We will come back to that. For now, hold the distinction, because the coverage detail only matters once you know the BAA is the door and not the room.

What the BAA covers

Here is the coverage, straight from Anthropic’s BAA documentation. Two things are covered cleanly: the Messages API, which is the first-party API, and Claude Enterprise’s chat experience once an administrator has turned HIPAA compliance on. Claude Code is the conditional case. The command-line tool can be covered, but only on specific paths, the CLI run through the first-party API console, the CLI run through Enterprise OAuth, and Desktop local mode, and only when Zero Data Retention is enabled on the account. Several ways of running Claude Code are not covered at all: Desktop remote mode, the beta web version, and beta features around it such as code review and computer use. And a list of products sits outside any BAA altogether: Workbench and Console, the Free, Pro, Max, and Team plans, Cowork, and beta surfaces like Claude in Office. The headline “Claude Code can be covered” is true. It is also four qualifiers deep.

BAA coverage: Messages API and Enterprise chat are covered, the Claude Code CLI only with Zero Data Retention, consumer plans not covered

One date is worth knowing if you already hold a BAA. Anthropic revised the agreement in April 2026, and versions signed after April 1 cover a wider set of Messages API capabilities, including prompt caching, structured outputs, the memory tool, web search, and the bash and text-editor tools. If your BAA predates that revision, the feature you want to use may sit outside it even though the API itself is covered. The fix is not exotic. It is checking the date on the document you actually signed, and re-signing the current version if you need the newer coverage.

It helps to see why the covered list is the covered list. The paths that can be covered share a property: the data takes a controlled route. The CLI through the first-party API console and the CLI through Enterprise OAuth both keep the request on a path Anthropic can put under contract, and so does Desktop local mode. The excluded paths tend to be the newer or more loosely-bounded ones. Desktop remote mode and the beta web version move the work somewhere the BAA does not yet reach, and the beta features sitting around Claude Code, code review and computer use among them, are excluded for the ordinary reason beta features usually are: they are still moving. None of that is permanent. Beta features graduate and coverage lists get revised. The discipline is to check the list as it stands on the day you deploy, not as a guide described it six months earlier.

Why retention is the gate

Why does Zero Data Retention sit in the middle of this? Start with what retention means. By default, an AI provider keeps some record of requests and responses for a period, for reasons like abuse monitoring and debugging. Zero Data Retention is an arrangement where the provider does not retain the inputs and outputs after a request finishes. For a workflow handling PHI, that distinction is large. Retained data is data that has to be secured, access-controlled, included in audits, and accounted for if there is ever a breach. Data that was never retained is none of those things. So Anthropic ties Claude Code’s BAA coverage to ZDR deliberately. It is willing to stand behind Claude Code as a place PHI can flow, but only once the retention surface has been removed first. ZDR is not a paperwork detail bolted onto the BAA. It is the technical condition that makes a BAA over Claude Code possible at all.

This is also why the scope of a Zero Data Retention agreement is worth reading closely rather than assuming. ZDR and BAA coverage are linked but they are not identical lists, and Anthropic documents the data retention behavior of each surface separately. The practical takeaway is that “we have a BAA” and “this specific way we are running Claude Code is covered” are two different claims, and a healthcare team needs the second one to be true, not just the first.

Two practical points about ZDR follow from this. It is arranged at the level of an organization or account, not toggled per request, so it is a posture the whole account takes on rather than a per-task choice a developer makes. And the phrase Anthropic uses, qualified accounts only, is doing real work. ZDR is not a checkbox available to everyone who asks; it goes through a sales conversation in which the account is assessed first. For a healthcare team that reads as friction, and it is, but the friction is the point. The arrangement that removes the retention surface is one Anthropic enters deliberately, with both sides clear on what is being agreed.

There is a planning consequence in that. Because ZDR runs through a sales conversation and an account assessment, it is not something a healthcare team can arrange the afternoon before a launch. It has a lead time, measured in the back-and-forth of a procurement process rather than the seconds of a settings toggle. A team that discovers, late, that its Claude Code workflow needs ZDR has not found a quick fix; it has found a dependency on someone else’s calendar. The practical move is to start that conversation early, in parallel with the build, not after it. Treat ZDR like any other long-lead procurement item, the kind of dependency you would never leave to the final week of a project. The agreement that decides whether your AI tool may legally touch patient data belongs on exactly that timeline.

The two ways to sign

There are two doors to a BAA, and the convenient one does not fit Claude Code. The first door is the Enterprise clickthrough. An Enterprise administrator opens Organization settings, finds HIPAA Compliance under Data and privacy, reviews the BAA and an implementation guide, and clicks to accept. It is fast, it is self-serve, and Anthropic notes it is a one-way decision that cannot be reversed from admin settings afterward. But that path has a hard limit written into it: bundled Claude Code seats are not part of the HIPAA-ready Enterprise offering, and on that path only the chat experience is covered. The second door is sales. Zero Data Retention, which Claude Code coverage depends on, is available for qualified accounts only and is arranged by contacting an Anthropic sales representative. So the route that actually puts Claude Code under a BAA is the slower one. The clickthrough is not it.

That gap traps people. An administrator turns on HIPAA compliance, sees the BAA accepted, sees Claude Code seats in the same Enterprise plan, and reasonably assumes the two are connected. They are not. The clickthrough covered chat. Claude Code in that same plan is still outside the BAA until a separate ZDR arrangement is made through sales. The assumption is reasonable and it is wrong, and the cost of the mistake is not a billing surprise. It is PHI flowing through a tool that no contract covers, which is the exact situation HIPAA’s BAA requirement exists to prevent. Working out which door your organization needs, and whether Claude Code belongs in a PHI workflow at all, is worth settling before anyone writes a line of code. Worth a conversation for your situation? Reach out.

A BAA is the floor, not compliance

Get the BAA and you have done one necessary thing, not the whole thing. HIPAA’s Security Rule requires a covered entity to put administrative, physical, and technical safeguards in place, and almost none of those is satisfied by a vendor’s signature. A BAA settles the vendor relationship. It says nothing about whether your own staff have role-based access, whether you log which person viewed which record, whether you have run a risk assessment, trained your workforce, and written a breach-response procedure. It does not enforce minimum-necessary discipline, the rule that a worker should see only the PHI a task requires. Anthropic itself signals this. The HIPAA-ready Enterprise flow makes an administrator download an implementation guide alongside the BAA, because the agreement is the start of the work, not the end of it. A BAA is the floor you build compliance on top of. Treat it as the finished building and you have an audit waiting to happen.

It is worth being concrete about what that remaining work looks like, because “do the rest of HIPAA” is not an instruction anyone can act on. The administrative safeguards include a named security official and a workforce-training program, plus a documented risk analysis that is actually repeated rather than done once and filed. The technical safeguards cover access controls and audit logging on the systems that touch PHI, along with integrity protections on that data. The physical safeguards cover the facilities and devices themselves. A BAA with Anthropic touches none of it. It governs one vendor relationship inside a system that has many moving parts, and the covered entity owns the system.

So the practical sequence for a healthcare team eyeing Claude Code is short, and the order matters. First, decide whether the task even needs PHI at all, because the cleanest compliant workflow is one where the model never sees patient data. If it does need PHI, go through the sales conversation for Zero Data Retention, since that is the only path that puts the Claude Code CLI under a BAA. Then, and only then, do the work the BAA does not do: the access controls, the audit logging, the workforce training, the risk assessment. I have written more on running Claude in compliance-heavy environments and on where SOC 2 and HIPAA overlap, and the throughline of both is the same as here. The signature is the easy part. The build is everything after it. A BAA over Claude Code is real, and it is gettable. It is also narrower than the headline. The teams that stay out of trouble are the ones who treat it as the first brick, not the whole house.

About the Author

Amit Kothari is an experienced consultant, advisor, coach, and educator specializing in AI and operations for executives and their companies. With 25+ years of experience, he is the Co-Founder & CEO of Tallyfy® (raised $3.6m, the Workflow Made Easy® platform) and Partner at Blue Sheen, an AI advisory firm for mid-size companies. He helps companies identify, plan, and implement practical AI solutions that actually work. Originally British and now based in St. Louis, MO, Amit combines deep technical expertise with real-world business understanding. Read Amit's full bio →

Disclaimer: The content in this article represents personal opinions based on extensive research and practical experience. While every effort has been made to ensure accuracy through data analysis and source verification, this should not be considered professional advice. Always consult with qualified professionals for decisions specific to your situation.
