Business Associate Agreement

HIPAA support is planned for a future version of Marshal and is not currently available.

Marshal is a workplace investigation platform for HR teams. A Business Associate Agreement (BAA) is required under HIPAA (45 CFR § 164.504(e)) when a covered entity or business associate engages a vendor to create, receive, maintain, or transmit Protected Health Information (PHI) on its behalf.

Marshal's current infrastructure is not yet operating under the full HIPAA-eligible sub-processor chain required to accept PHI — specifically, we do not yet hold a HIPAA BAA with our AI sub-processor. Until that chain is in place, offering a BAA to customers would be misleading.

What this means for healthcare employers: If you are a hospital, health system, health plan, healthcare clearinghouse, or other HIPAA covered entity — or a business associate of one — you may not use the current version of Marshal for investigations that involve PHI. We recognize this excludes a meaningful segment of HR teams, and it is a gap we intend to close.

V2 roadmap: HIPAA support, including a fully negotiable BAA and a HIPAA-eligible sub-processor chain, is planned for a future release. If you'd like to be notified when HIPAA support is available, or want to be involved in shaping the V2 compliance posture, contact us at legal@marshal.to.

Non-healthcare employers — including those in financial services, technology, professional services, retail, and other sectors — are fully supported under the standard Terms of Service and Data Processing Addendum. No BAA is required for non-HIPAA investigations.