HIPAA support and BAAs

Last updated: May 23, 2026

Lightfield is designed to support HIPAA-compliant workflows. We're prepared to execute Business Associate Agreements (BAAs) with healthcare customers on the Pro plan and above.

Who can sign a BAA

BAAs are available to customers on the Pro plan and Enterprise plan. They're not available on the Startup plan.

If you're on Startup and need a BAA to store or process Protected Health Information (PHI) in Lightfield, upgrade to Pro first. Contact support@lightfield.app if you want to discuss the upgrade.

How to request a BAA

  1. Email support@lightfield.app with the subject line "BAA request"

  2. Include your workspace name and the name of the entity that will sign the agreement

  3. Our team will send you our standard BAA for review and signature

Most BAAs are turned around within a few business days. If you have a custom BAA you need us to review instead of using our standard agreement, let us know in your initial email.

Before you store PHI in Lightfield

The BAA needs to be signed before any PHI is created, received, maintained, or transmitted in your workspace. This includes meeting recordings, transcripts, emails, notes, and any custom fields you might use to track patient information.

If you're already a customer and have been using Lightfield without a BAA, talk to us before you start handling PHI. We'll walk through what your workflow looks like and confirm which parts of the platform are covered.

Reach out early. Healthcare workflows vary widely - some customers use Lightfield only for non-PHI workflows (sales, partnerships, vendor management) and some plan to record patient-adjacent calls. The right setup depends on your use case, so we'd rather have the conversation before you start than retrofit after.

What else is in place

Beyond the BAA, the same controls that support our SOC 2 Type 2 certification apply to HIPAA workflows:

  • Encryption at rest and in transit (TLS)

  • Role-based access with least-privilege principles

  • Each customer in a walled, isolated Lightfield instance - data is not commingled across workspaces

  • No training agreements with AI model providers - your data is not used to train any AI models

  • MFA required across all in-scope systems

  • Access revoked within 1 business day of employee termination

  • BAAs in place with our own subprocessors that may handle PHI

See SOC 2 and Security Overview for the full picture.

Common questions

Is Lightfield "HIPAA compliant"?

HIPAA is a framework, not a certification - no software vendor is "HIPAA certified" by a government body. What matters is that the vendor (1) supports HIPAA-compliant workflows through its technical controls, and (2) is willing to sign a BAA. Lightfield does both.

Are subcontractors covered?

Yes. We maintain BAAs with our own subprocessors that may handle PHI as part of providing the service.