Many third party tools exist for Continuous Integration and Continuous Development (CI/CD). While an organization may maintain a BAA with their public cloud provider; many of these third party tools do not offer, nor will they engage in a BAA with customers.
Is a BAA required for the use of these tools, specifically when these tools are handling the compiling, build pipelines for code sources and virtualization container sources where the aforementioned sources directly transport, manipulate, analyze and deliver PHI data?
Are the above mentioned sources required to be within the public cloud provider infrastructure where the BAA shall encompass the systems that provide CI/CD services?
Note that the PHI source code and containers that transport, manipulate, analyze and deliver patient data are under BAA with both the customer, the organization/business and the public cloud provider.