Weights & Biases · Weights & Biases Terms of Service

HIPAA Exclusion — No Default BAA

High severity

What it is

W&B's platform is not set up by default to handle medical or health data, and you cannot use it with that type of data unless you separately negotiate and sign a HIPAA Business Associate Agreement with W&B.

Consumer impact (what this means for users)

If you work in healthcare or handle patient data and use W&B without a signed BAA, you — not W&B — bear full HIPAA compliance risk, including potential civil and criminal penalties for unauthorized disclosure of Protected Health Information.


Why it matters (compliance & risk perspective)

Healthcare organizations or researchers who upload patient data or Protected Health Information to W&B without a BAA are in violation of HIPAA and face potential federal penalties of up to $1.9 million per violation category per year.

Original clause language
The Services are not designed for use with Protected Health Information (as defined under HIPAA) and W&B does not offer a Business Associate Agreement as a standard part of this Agreement. Customer agrees not to submit any Protected Health Information to the Services unless Customer has entered into a separate Business Associate Agreement with W&B.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: HIPAA Privacy Rule (45 CFR §164.502) and Security Rule (45 CFR §164.312) require covered entities to execute a Business Associate Agreement with any vendor handling Protected Health Information (PHI). Failure to obtain a BAA before uploading PHI to a third-party platform is a per se HIPAA violation enforceable by HHS Office for Civil Rights (OCR). The HITECH Act (42 U.S.C. §17931) extends liability to business associates and imposes breach notification requirements. (2)


Applicable agencies

  • HHS OCR
    HHS Office for Civil Rights enforces HIPAA and HITECH compliance, including the requirement that covered entities and business associates execute BAAs before sharing PHI with technology vendors.

Provision details

Document information
Document: Weights & Biases Terms of Service
Entity: Weights & Biases
Document last updated: April 29, 2026

Tracking information
First tracked: April 30, 2026
Last verified: April 30, 2026
Record ID: CA-P-004034
Document ID: CA-D-00495

Evidence Provenance
Source URL
Wayback Machine
SHA-256: 2a175e81ea61f67ad5c58458c22e75b1ff503a5d9f6ed9a25e5989143acadc5a
Verified: ✓ Snapshot stored   ✓ Change verified

How to Cite
ConductAtlas Policy Archive
Entity: Weights & Biases | Document: Weights & Biases Terms of Service | Record: CA-P-004034
Captured: 2026-04-30 05:30:10 UTC | SHA-256: 2a175e81ea61f67a…
URL: https://conductatlas.com/platform/weights-biases/weights-biases-terms-of-service/hipaa-exclusion-no-default-baa/
Accessed: May 2, 2026

Classification
Severity: High