Is Basecamp HIPAA Compliant? BAA, PHI Handling, and Security Explained



Kevin Henry

HIPAA

March 27, 2026

5 minute read

This guide clarifies whether Basecamp can be used with healthcare data under HIPAA, what its Business Associate Agreement stance means for your workflows, and how its security architecture protects routine project data. You’ll also find quick answers to common compliance and security questions.

Basecamp's HIPAA Compliance

Short answer: Basecamp is not a HIPAA-compliant platform for handling Protected Health Information (PHI). The service does not provide the contractual assurances HIPAA requires for vendors that create, receive, maintain, or transmit PHI on your behalf. Without those assurances, you cannot rely on Basecamp to meet HIPAA obligations for PHI. ([paubox.com](https://www.paubox.com/blog/is-basecamp-hipaa-compliant))

HIPAA’s Security Rule expects covered entities and business associates to implement administrative, physical, and technical safeguards appropriate to risk—including vendor contracts when PHI flows to a third party. Since Basecamp does not offer the needed agreement for PHI scenarios (see below), it should be reserved for non‑PHI collaboration. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/index.html?utm_source=openai))

Business Associate Agreement Availability

Basecamp does not offer a Business Associate Agreement (BAA) at any plan tier. Because HIPAA requires a BAA before a cloud service may create, receive, maintain, or transmit electronic PHI for you, the absence of a BAA rules Basecamp out for PHI use cases. ([paubox.com](https://www.paubox.com/blog/is-basecamp-hipaa-compliant))

Practically, this means you should not attempt “enterprise negotiation” for a private BAA or assume compliance by virtue of strong security alone. Under HIPAA, security controls and a signed BAA go hand in hand when PHI is involved. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/business-associates/index.html?utm_source=openai))

PHI Data Handling Limitations

Do not upload, discuss, or reference individually identifiable health information in Basecamp messages, to‑dos, docs, files, or chat. If a third party will handle PHI for you, HIPAA requires a BAA—without it, the platform is out of scope for PHI regardless of technical safeguards. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/business-associates/index.html?utm_source=openai))

You may use Basecamp for non‑PHI work such as general project coordination, process tracking, and content drafts that contain no identifiers. When in doubt, keep PHI in systems that provide both HIPAA‑aligned controls and a signed BAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/index.html?utm_source=openai))

Security Measures

Data access controls and operational safeguards

37signals (the company behind Basecamp) restricts server access via VPN with multi‑factor authentication, logs access, and centrally secures employee devices. For newer apps—including Basecamp 5—employee data access is audited bi‑weekly using internal tooling (console1984/audits1984). These data access controls reduce exposure risk during support and operations. ([basecamp.com](https://basecamp.com/about/policies/security/37signals-security-overview.pdf))

Encryption at rest, in transit, and “at-work”

Files you upload are encrypted at rest (AES‑256). Application databases are not encrypted at rest; that data remains live in the databases and relies on layered protections around them. Basecamp 5 adds application‑level “at‑work” encryption so content fields are encrypted during normal operation, limiting what staff can see while still allowing maintenance. ([basecamp.com](https://basecamp.com/about/policies/security/37signals-security-overview.pdf))

Monitoring, testing, and incident response

Basecamp runs a bug‑bounty program, coordinates third‑party reviews/penetration tests for Basecamp 5, and operates dedicated security and operations teams for logging, firewalls, anomaly detection, and incident handling. ([basecamp.com](https://basecamp.com/about/policies/security/37signals-security-overview.pdf))

Backups, deletion, and redundancy systems

Data is written to multiple disks, backed up routinely, and stored in multiple locations; backups are encrypted and retained for limited periods before deletion. The production footprint spans two redundant U.S. data centers with automatic failover and 24/7 global operations coverage. ([basecamp.com](https://basecamp.com/about/policies/security/37signals-security-overview.pdf))


Compliance Certifications

37signals states it has not completed a SOC audit for itself; it can provide SOC reports for the data centers it uses under NDA. For payments, it submits PCI SAQ A 4.0.1 annually. Basecamp does not claim HIPAA certification (there is no official HIPAA certification program), and it does not offer a BAA. ([basecamp.com](https://basecamp.com/about/policies/security/37signals-security-overview.pdf))

Data Transmission Encryption

All data transmitted between you and Basecamp is encrypted with HTTPS/TLS. Current documentation notes strong encryption over public networks, with modern cipher suites and forward‑secrecy key exchange. This protects in‑transit confidentiality and integrity but is distinct from data encryption at rest. ([basecamp.com](https://basecamp.com/about/policies/security/37signals-security-overview.pdf))

Physical Security Practices

Basecamp’s servers reside in hardened data centers with biometric access controls, 24/7 interior and exterior surveillance, and onsite staffing. Only authorized personnel may enter. Combined with redundant facilities and automatic failover, these physical safeguards support service continuity. ([basecamp.com](https://basecamp.com/about/policies/security/37signals-security-overview.pdf))

FAQs

Does Basecamp offer a Business Associate Agreement?

No. Basecamp does not offer a BAA at any plan tier. Without a BAA, vendors cannot handle your PHI under HIPAA. ([paubox.com](https://www.paubox.com/blog/is-basecamp-hipaa-compliant))

Is Basecamp suitable for storing PHI?

No. Because Basecamp does not provide a BAA, it is not suitable for storing, transmitting, or processing PHI. Use a platform that signs a BAA and implements safeguards aligned to the HIPAA Security Rule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/business-associates/index.html?utm_source=openai))

What security measures does Basecamp implement?

Controls include HTTPS/TLS in transit, AES‑256 encryption for files at rest, app‑level “at‑work” encryption in Basecamp 5, audited employee access, bug bounties and third‑party testing, firewalls and monitoring, encrypted backups, and redundant data centers with automatic failover. ([basecamp.com](https://basecamp.com/about/policies/security/37signals-security-overview.pdf))

Does Basecamp have SOC 2 compliance?

37signals reports that it has not completed a SOC audit for itself; it can share data center SOC reports under NDA. There is no public SOC 2 attestation for the Basecamp service. ([basecamp.com](https://basecamp.com/about/policies/security/37signals-security-overview.pdf))
