Blog May 23, 2013

How Should You Structure Your HIPAA BAA?

HIPAA compliance guidelines apply to many aspects of your business, from employee training and the physical security of your office through to the physical and virtual security of your data center. Because multiple vendors are typically involved in handling and managing sensitive electronic medical records (EMR), it is important to spell out each vendor's responsibilities clearly.

What Part of HIPAA Affects You?

You need a good understanding of which parts of HIPAA affect you. Your liability in any HIPAA environment depends on how much you touch protected health information (PHI). If you are a covered entity (the owner of the PHI, such as a doctor or other healthcare provider), organizations within your supply chain are also affected by HIPAA. Those that touch the data less and less are still covered by HIPAA, but their liability decreases. The first thing you need to do is determine whether you are a covered entity or a business associate (BA). In some cases you may instead be a subcontractor to a business associate.

Here is a sample scenario:

You have a healthcare practice that retains patient data; this is the covered entity. It uses a third-party billing system, which is a business associate. Data from the billing system may be hosted by a cloud hosting provider, which is the subcontractor. In this case two Business Associate Agreements (BAAs) are required: one between the covered entity and the business associate, and another between the business associate and the subcontractor. An infographic from a previous post explains this chain. There are also instances where the medical office works directly with a hosting provider, which requires a slightly different BAA signed between those two organizations. Important note: even if the data is encrypted and the hosting provider has no direct access to it, the hosting provider still MUST sign a BAA.

The BAA essentially manages the chain of custody: it clearly defines the roles and responsibilities of each party involved in the process.

Key responsibilities of the hosting provider include, but are not limited to:

– Keeping the servers patched and up to date
– Making sure a firewall is in place
– Ensuring that no unnecessary ports are left open
– Making sure the data is encrypted

I hope you find this brief overview helpful as you work to ensure your HIPAA Compliance. I have been working with clients on HIPAA for close to 10 years and would love to hear your thoughts on the new regulations and answer any questions you may have. Feel free to email me at or post a comment below.

– David P
