Hi, good question! Instead of going through them all, I’ll start with a framework you can use to get to the correct answer most of the time.
If a vendor processes PHI on your behalf, you will need a BAA with them. In other words, you need a BAA with any vendor that is going to create, receive, maintain, or transmit identifiable health data for you.
We explain this in more detail in this resource: What is a HIPAA BAA?
With hosting/compute environments (Aptible Enclave app layer, AWS EC2) and data storage (Enclave database layer, AWS RDS, S3), it’s pretty easy to tell that a BAA is required for use with PHI.
For dev tools that interact with code, and not prod data (text editors, linters/static analysis, etc.), a BAA is usually not required because there is no PHI being processed by a third party.
In cases where a third party might receive data (CI, source code version control, analytics, logging, error reporting, etc.), you have to be aware of what data the vendor is processing, both for normal use and in edge cases (e.g. a stack trace).
Finally, the same analysis applies to productivity tools (Gmail, Zendesk, etc.).