Can I use MuleSoft and be HIPAA compliant? (2026 update)

MuleSoft is Salesforce’s integration and application programming interface platform, used to connect systems, data, applications, services, and application programming interfaces across business environments. MuleSoft describes Anypoint Platform as a way for healthcare organizations to design, build, secure, monitor, and manage application programming interfaces across systems.

With MuleSoft, healthcare organizations can connect clinical, operational, billing, insurance, and data systems across cloud and on-premises environments.

Is MuleSoft HIPAA compliant? Yes, MuleSoft is HIPAA compliant.

What changed this year?

As of May 2026, Salesforce’s Business Associate Addendum Restrictions page was last updated on March 18, 2026. MuleSoft remains listed under Salesforce’s HIPAA Covered Services, subject to service-specific restrictions and infrastructure limits.

Will MuleSoft sign a business associate agreement (BAA)?

Yes, Salesforce will sign a BAA for MuleSoft, which can be reviewed here. Salesforce states customers seeking to build HIPAA-compliant healthcare applications can contact their account representative about a Business Associate Addendum.

What does the MuleSoft BAA cover?

The MuleSoft BAA covers specific MuleSoft Services when included in a signed Salesforce BAA and used according to Salesforce’s BAA restrictions. Salesforce lists MuleSoft Services as HIPAA Covered Services, including Anypoint Runtime Manager, Anypoint Monitoring, Anypoint MQ, Anypoint Object Store v2, Anypoint Security, and MuleSoft Anypoint Platform, depending on infrastructure.

Their BAA covers:

• Anypoint Runtime Manager
• Anypoint Monitoring
• Anypoint MQ
• Anypoint Object Store v2
• Anypoint Security
• MuleSoft Anypoint Platform on Salesforce Hyperforce infrastructure
• PHI transmission and storage when encryption requirements are met
• Customer use under a signed Salesforce BAA

Salesforce’s terms state, “Customer must enable, maintain, and utilize MuleSoft Services features to implement cryptography and PHI data minimization” when storing, processing, or transmitting PHI.

What does the MuleSoft BAA exclude?

MuleSoft’s BAA coverage is limited. Salesforce says that HIPAA-covered services do not include portions deployed on a customer’s premises. Salesforce also limits several MuleSoft services to specific infrastructure, including Amazon Web Services infrastructure as an SFDC subcontractor or Salesforce Hyperforce infrastructure.

Salesforce also places responsibility on the customer for the design, integration, and administration of all connections, communications, and third-party use of PHI during MuleSoft use.

Conclusion

MuleSoft is HIPAA compliant, but only for covered MuleSoft services under a signed Salesforce BAA and only when the customer follows Salesforce’s service-specific restrictions.

Learn more: HIPAA Compliant Email: The Definitive Guide

FAQS

What is a business associate agreement?

A BAA is a legally binding contract establishing a relationship between a covered entity under HIPAA and its business associates. The purpose of this agreement is to ensure the proper protection of PHI as required by HIPAA regulations.

What is HIPAA?

HIPAA sets national standards for protecting the privacy and security of certain health information.

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. The are entities performing certain functions or activities on behalf of the covered entity.