# HIPAA BAA scope — applies to dental + US healthcare verticals only

## Decision
HIPAA Business Associate Agreements (BAAs) are required only for dental and future US healthcare-covered verticals. They are not required for church, FuneralWiseAI, VetWiseAI, restaurant, law, or real estate verticals.
Tracked under FOUNDER_ACTIONS FA-108.
## What HIPAA BAA prerequisites entail
If/when ChurchWiseAI begins serving US dental or other healthcare-covered-entity customers, the following vendor BAAs must be in place before the first customer conversation:
| Vendor | Current plan | BAA plan | Delta |
|---|---|---|---|
| Supabase | Pro (~$25/mo) | Team (~$599/mo) | ~$574/mo |
| Resend | Scale | Enterprise (custom) | TBD |
| Telnyx | Pay-as-you-go | BAA tier (custom) | TBD |
BAA inquiry email drafts saved at knowledge/drafts/baa-emails/{resend,telnyx,supabase}-2026-05-12.md.
## Why most verticals do NOT trigger HIPAA
HIPAA covers Protected Health Information (PHI) handled by covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates.
| Vertical | Is a covered entity? | Handles PHI? | HIPAA BAA needed? |
|---|---|---|---|
| Church (ChurchWiseAI) | No — pastors are not healthcare providers | No — pastoral care conversations are not medical records | No |
| FuneralWiseAI | No — funeral homes are not healthcare providers (even if they see death certificates) | No — bereavement conversations are not PHI | No |
| VetWiseAI | No — veterinary medicine is animal medicine; HIPAA is human-only | No | No |
| Restaurant, Law, Real Estate | No | No | No |
| Dental (future) | Yes — dental practices are covered entities | Yes — patient scheduling, treatment conversations | Yes |
| General US medical (future) | Yes | Yes | Yes |
## Why this matters for future agents
Without this decision on record, a future agent encountering a "multi-vertical SaaS serving healthcare AND non-healthcare customers" scenario might incorrectly pattern-match:
"Multi-vertical = some customers are in healthcare = HIPAA applies to all verticals = upgrade Supabase to Team ($599/mo) immediately."
This is wrong. HIPAA scope is determined per-customer-vertical, not per-platform. The $574/mo Supabase Team delta is gated on the FIRST dental or US healthcare customer, not on the first FuneralWiseAI or VetWiseAI customer.
## What to do when the trigger fires
When ChurchWiseAI receives its first dental customer inquiry:
- Founder reviews FA-108 in FOUNDER_ACTIONS.md
- Contact Resend, Telnyx, and Supabase for BAA agreements (drafts at knowledge/drafts/baa-emails/)
- Upgrade Supabase to Team plan (~$599/mo)
- Confirm BAA signed with all three vendors before provisioning the customer
- Update this decision record with the actual upgrade date and costs
## Data in memory / FOUNDER_ACTIONS
This decision is also captured in:
- FOUNDER_ACTIONS.md, entry FA-108
- C:/Users/johnm/.claude/projects/C--dev/memory/project_hipaa_baa_scope.md