{"id":9583,"date":"2025-11-13T14:38:00","date_gmt":"2025-11-13T14:38:00","guid":{"rendered":"https:\/\/medical-article.com\/?p=9583"},"modified":"2025-11-13T14:38:00","modified_gmt":"2025-11-13T14:38:00","slug":"when-your-cloud-provider-doesnt-understand-hipaa-a-cautionary-tale","status":"publish","type":"post","link":"https:\/\/medical-article.com\/?p=9583","title":{"rendered":"When Your Cloud Provider Doesn\u2019t Understand HIPAA: A Cautionary Tale"},"content":{"rendered":"<p>By JACOB REIDER &amp; JODI DANIEL<\/p>\n<p><strong>Jacob:<\/strong> I recently needed to sign a Business Associate Agreement (BAA) with one of the large hosting providers for a new health IT project. What should have been straightforward turned into a multi-week educational exercise about basic HIPAA compliance. And when I say \u201cbasic,\u201d I mean really basic, like the definitions in the statute itself.<\/p>\n<p>Here\u2019s what happened and why you need to watch out for this if you\u2019re building health care technology.<\/p>\n<p>I\u2019m building a system that automates clinical data extraction for research studies. Like any responsible health care tech company, I need HIPAA-compliant infrastructure. The company (I\u2019ll call them Hosting Company or HC) is good technically, and they\u2019re hosting our development environment, so I signed up for their enhanced support plan (which they require before they\u2019ll even consider a BAA) and requested their standard agreement.<\/p>\n<p><em>The Problem<\/em><\/p>\n<p>HC\u2019s BAA assumes every customer is a \u201cCovered Entity.\u201d That means a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically.<\/p>\n<p>But that\u2019s not me. I\u2019m not a Covered Entity. I\u2019m a Business Associate (BA). I handle protected health information on behalf of Covered Entities. 
When I need cloud infrastructure, I need my vendors to sign subcontractor BAAs with me.<\/p>\n<p><em>The Back and Forth<\/em><\/p>\n<p>When I told HC that I couldn\u2019t sign their BAA as written, they escalated to their legal department. Days later, a team lead came back with this response:<\/p>\n<p>\u201cTo HC, even if you are a subcontracted or a down the line subcontracted association. It would still be an agreement between the covered entity within the agreement and HC\u2026 So even being a business associate, it would still be considered a covered entity since it is your business that is being covered.\u201d<\/p>\n<p>I had to read it twice. This is simply wrong.<\/p>\n<p><strong>Jodi:<\/strong> Let me chime in here with the legal perspective, because this confusion is more common than it should be.<\/p>\n<p>The terms \u201cCovered Entity\u201d and \u201cBusiness Associate\u201d aren\u2019t interchangeable marketing terms. They have specific legal definitions in 45 CFR \u00a7 160.103. You can\u2019t just redefine them because it\u2019s administratively convenient. 
Generally\u2026 covered entities are (most) health care providers, health plans, and health care clearinghouses; business associates are those entities that have access to protected health information to perform services on behalf of covered entities; and subcontractors are persons to whom a business associate delegates a function, activity, or service.<\/p>\n<p>Here\u2019s what the regulations actually say:<\/p>\n<p>Covered entities are required to have BAAs with the entities that use protected health information to provide services on their behalf (i.e., their business associates or BAs) under 45 CFR \u00a7 164.502(e). Under 45 CFR \u00a7 164.502(e)(1)(ii) and \u00a7 164.308(b)(2), BAs are not just permitted but <em>required<\/em> to execute subcontractor BAAs with other vendors that create, receive, maintain, or transmit PHI on their behalf.<\/p>\n<p>When that happens, the subcontractor <em>also<\/em> becomes a BA (sometimes called a \u201cBusiness Associate of a Business Associate\u201d or a \u201cSubcontractor\u201d). The HIPAA obligations cascade down the chain. Covered entities are <em>not<\/em> required to have BAAs with Subcontractors. 45 CFR \u00a7 164.502(e)(1)(i).<\/p>\n<p>That\u2019s exactly what\u2019s happening in Jacob\u2019s situation:<\/p>\n<p>The Covered Entities (the health care providers in the research study) have BAAs with Jacob\u2019s company (making him a BA).<\/p>\n<p>Jacob\u2019s company, in turn, must have BAAs with any Subcontractors like HC that may handle PHI on behalf of Jacob\u2019s company.<\/p>\n<p>HC becomes a BA through this subcontractor relationship.<\/p>\n<p>The distinction matters for compliance and audit purposes. OCR, SOC 2 auditors, and HITRUST assessors all expect the <em>contractual chain<\/em> to mirror the actual data flow. 
Getting the terminology wrong isn\u2019t just semantically annoying\u2014it is misrepresenting the regulations and the relationship between the parties in a legal document.<\/p>\n<p><strong>Jacob:<\/strong> Yup\u2026 and here\u2019s the practical problem: I could not legally sign a document stating that my company is a Covered Entity when it\u2019s not.<\/p>\n<p>I explained this to HC, cited the specific CFR sections Jodi just mentioned, and even sent them examples from Google Cloud\u2019s BAA, which handles both Covered Entities and BAs in the same document.<\/p>\n<p>HC\u2019s team said they\u2019d request the language change, and I\u2019m pleased to convey that (after nearly three weeks of back-and-forth) we have executed a proper BAA.<\/p>\n<p><em>What This Means for You<\/em><\/p>\n<p><strong>Jodi:<\/strong> You\u2019re right, Jacob. It\u2019s not appropriate to sign a document that says you are a covered entity when you\u2019re not one. If you\u2019re building health care technology, here\u2019s what you need to know:<\/p>\n<p><em>Understand your role in the HIPAA framework.<\/em> Are you a Covered Entity or a BA? Most tech companies are BAs. If you\u2019re providing services to health care providers, health plans, or clearinghouses and you handle PHI in the process, you\u2019re almost certainly a BA (or a subcontractor BA), not a CE.\u00a0<\/p>\n<p><em>Read the BAA carefully before signing.<\/em> The terminology matters. If a vendor\u2019s BAA only contemplates Covered Entities as customers, that\u2019s a red flag that they haven\u2019t thought through the subcontractor scenario. 
(And the detailed requirements of the BAA matter too, but that is a topic for another blog).<\/p>\n<p><em>Don\u2019t be afraid to push back.<\/em> If a vendor insists you sign something that mischaracterizes your role, ask them to revise the language or show you to an attorney who understands HIPAA.<\/p>\n<p><strong>Jacob:<\/strong> And so \u2026\u00a0<\/p>\n<p><em>Be prepared to educate.<\/em> Many cloud providers\u2019 legal teams (and their attorneys) don\u2019t fully understand HIPAA\u2019s cascade requirements. You may need to walk them through it. Point them to examples from AWS, Google Cloud, or Microsoft Azure, all of which have dealt with this thousands of times.<\/p>\n<p><em>Budget time for this process.<\/em> What should take a day can take a week or more if you hit legal confusion. Plan accordingly, especially if you have a launch deadline.<\/p>\n<p><strong>The Bigger Picture<\/strong><\/p>\n<p><strong>Jacob:<\/strong> HC isn\u2019t unique. I\u2019ve seen this same confusion at smaller hosting providers, SaaS companies, and even some larger tech firms. The health care industry\u2019s regulatory complexity means vendors often copy BAA templates without really understanding them.<\/p>\n<p>The irony? HC makes you pay extra for the \u201cprivilege\u201d of signing their BAA. They charge for enhanced support as a prerequisite. Not all cloud providers or other technology platforms charge more.<\/p>\n<p><strong>Jodi:<\/strong> From a legal perspective, this situation highlights a broader issue in health tech. As more non-health care companies enter the space (cloud providers, AI companies, SaaS platforms), many are encountering HIPAA requirements for the first time. Their legal teams may be excellent at tech transactions or general commercial law but unfamiliar with health care regulatory nuance.<\/p>\n<p>The good news is that this is fixable. The BAA template changes HC made aren\u2019t complex. 
They just needed to add language that accommodates both scenarios: customers who are Covered Entities and customers who are BAs.<\/p>\n<p><a href=\"https:\/\/cloud.google.com\/terms\/hipaa-baa?hl=en\">Google Cloud\u2019s BAA<\/a> does this elegantly in a single sentence: \u201cThis BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate.\u201d That\u2019s it. Problem solved.<\/p>\n<p>Of course\u2026 it makes sense to have counsel who understands HIPAA take a look at the BAA before you sign, as there are a host of other issues that may impact your business and use of PHI.<\/p>\n<p><strong>Jacob:<\/strong> Bottom line: if you\u2019re in a similar situation, cite the specific CFR sections (45 CFR \u00a7 160.103, \u00a7 164.502(e)(1)(ii), and \u00a7 164.308(b)(2)), show them working examples from major cloud providers, and be ready to walk away if they won\u2019t fix it.<\/p>\n<p><em>Jacob Reider MD is CEO of Huddle Health Solutions, Chief Health Officer at WavelyDx, and former Deputy National Coordinator for Health IT at the Office of the National Coordinator. Jodi Daniel is a partner at Wilson Sonsini Goodrich &amp; Rosati and was the founding director of the Office of the National Coordinator for Health IT.<\/em><\/p>","protected":false},"excerpt":{"rendered":"<p>By JACOB REIDER &amp; JODI DANIEL Jacob: I recently needed to sign a Business Associate Agreement (BAA) with one of the large hosting providers for a new health IT project. What should have been straightforward turned into a multi-week educational exercise about basic HIPAA compliance. 
And when I say \u201cbasic,\u201d I mean really basic, like&#8230;<\/p>\n","protected":false},"author":0,"featured_media":9580,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-9583","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"_links":{"self":[{"href":"https:\/\/medical-article.com\/index.php?rest_route=\/wp\/v2\/posts\/9583"}],"collection":[{"href":"https:\/\/medical-article.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/medical-article.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/medical-article.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9583"}],"version-history":[{"count":0,"href":"https:\/\/medical-article.com\/index.php?rest_route=\/wp\/v2\/posts\/9583\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/medical-article.com\/index.php?rest_route=\/wp\/v2\/media\/9580"}],"wp:attachment":[{"href":"https:\/\/medical-article.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9583"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/medical-article.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9583"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/medical-article.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9583"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}