Phyllis R. Bosley
Posted in Integrations an Embedded iPaas
In practice, a lot of teams end up choosing between two approaches:
Either you go with an enterprise-grade iPaaS (like Tray or similar platforms) where you can get proper security controls, audit logs, and BAAs in place — but you pay for it in complexity and cost.
Or you avoid embedding a third-party iPaaS for sensitive data entirely and instead build a thin internal integration layer (API gateway + webhook processing + a few managed connectors). It’s more engineering work upfront, but it gives you full control over compliance boundaries.
Tools like Zapier and Make are great for prototyping and non-sensitive workflows, but once you introduce HIPAA requirements, they usually fall out of scope unless you heavily isolate what data is flowing through them.