There has been a lot of talk about HIPAA BAAs lately as the new omnibus regulations take effect September 2013. Here is a [simplified] diagram of how medical & healthcare providers need to work with any parties that process or store their protected health information (PHI).
In this scenario you have a medical provider using a billing company who hosts their data with a managed hosting company. There are also instances when the medical provider works directly with the hosting company in which case they have to sign a BAA directly.
Feel free to share this with anyone that is going through this process right now.