Windsurf states its platform is maintained as HIPAA compliant and says it will "entertain" a Business Associate Agreement (BAA) for significant healthcare implementations, while noting that most data submitted to the platform, and source code in particular, is not considered protected health information (PHI).
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Healthcare organizations using Windsurf should be aware that a BAA is described as something Windsurf will "entertain" for "significant implementations" rather than as a standard offering, meaning smaller healthcare customers may need to specifically request and negotiate one, and should not assume one will be granted.
Interpretive note: The document does not define what constitutes a 'significant implementation' that would qualify for a BAA, leaving smaller healthcare customers uncertain about their eligibility or whether they must proactively request one.
This provision states that Windsurf maintains HIPAA compliance and will entertain a BAA for significant healthcare implementations. Healthcare organizations should assess whether their use of Windsurf requires a BAA (which depends on whether PHI will reach the platform, not on deployment size) and should proactively request one in writing rather than assuming it is automatically in place.
"HIPAA compliance: In most cases, the data that a customer provides to us is not Personal Health Information (PHI) and does not need special compliance considerations in order to use our platform, even if you are a healthcare organization. This is particularly true for code, which does not carry any PHI itself. That said, our platform is maintained as HIPAA compliant and for significant implementations, we will entertain a Business Associate Agreement (BAA) to confirm HIPAA compliance."
Excerpt from Windsurf's "Windsurf Security & Data Handling"
(1) REGULATORY LANDSCAPE: This provision directly implicates HIPAA and its implementing regulations, including the Privacy Rule and Security Rule. HHS OCR is the primary enforcement authority. The document's statement that the platform is "maintained as HIPAA compliant" is a self-assertion rather than a certification; HHS does not recognize any official HIPAA certification, so any vendor's "compliant" claim should be verified against the controls it actually documents (for example, a SOC 2 or HITRUST report and a description of encryption, access control, and audit logging). A BAA is required under HIPAA wherever Windsurf creates, receives, maintains, or transmits PHI on behalf of a covered entity, which makes the availability of a BAA a material term.

(2) GOVERNANCE EXPOSURE: Medium. The document does not specify what constitutes a "significant implementation" that would trigger BAA availability, nor does it indicate whether smaller healthcare customers can obtain a BAA on request. The word "entertain" also falls short of a commitment to execute one. This ambiguity creates a potential gap for healthcare organizations that require a BAA under HIPAA but do not meet an undefined significance threshold.

(3) JURISDICTION FLAGS: All US-based covered entities and business associates under HIPAA face exposure if a BAA is not in place and Windsurf processes or has access to PHI. The document's assertion that code generally does not carry PHI may not hold in all implementation scenarios, particularly where developers work on healthcare applications that include PHI in code comments, variable names, test fixtures, seed data, or log output. A coding assistant typically transmits more than the file being edited: repository context, terminal output, and pasted error messages can all reach the service, and any of these can carry PHI.

(4) CONTRACT AND VENDOR IMPLICATIONS: Healthcare organizations should request a BAA before deployment and confirm that its scope covers all relevant data flows (prompts, repository context, completions, telemetry, and any retained or training data). Procurement teams should not rely on the document's general assertion that code does not carry PHI as a substitute for a PHI risk assessment specific to their implementation. The document does not specify the timeline or process for obtaining a BAA, which should be established during vendor onboarding.

(5) COMPLIANCE CONSIDERATIONS: Legal and compliance teams at healthcare organizations should conduct a PHI risk assessment for their specific Windsurf use case, including whether any code, comments, fixtures, logs, or other context processed through the platform could contain PHI. Where a BAA is required, organizations should execute it before production use of the platform; where a BAA cannot be obtained, the engineering control is to keep PHI out of repositories and environments the assistant can read. HHS OCR guidance on business associate relationships should be reviewed in conjunction with this provision.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.