Why Won’t Your Hosting Provider Sign a HIPAA BAA?

More and more healthcare organizations are turning to outside contractors for help managing the enormous amounts of Protected Health Information (PHI) that healthcare operations produce. Concerns about the security and privacy of sensitive patient data are rising as recent hacks and data breaches have reached frightening proportions.

To counter this threat, strong Business Associate Agreements (BAAs) should be put in place to guarantee security, privacy, and compliance. Under HIPAA, any third-party service provider that has access to PHI must sign a BAA with the covered entity.

What is the HIPAA BAA?

A HIPAA Business Associate Agreement (BAA) is a contract between a HIPAA-covered entity and its business associates or subcontractors. It specifies the kinds of PHI provided to the business associate and the uses and disclosures of that PHI the business associate is permitted to make.

A third-party service provider is deemed a HIPAA business associate only when it needs access to PHI to perform a service for the covered entity. Cloud storage companies, email encryption services, web hosting services, billing services, IT contractors, attorneys, and accountants are a few examples of prospective business associates.

Because HIPAA BAAs are legally binding contracts, it is important to enlist a lawyer, security officer, or HIPAA compliance solution to manage them. If you decide to use a HIPAA BAA template, be sure it is appropriate for your business and that you are able to modify it.

Both covered entities and business associates benefit from a thorough and current BAA, since it puts them on the same page regarding how they must preserve, transfer, and handle PHI.

Need for HIPAA-Compliant Hosting

HIPAA-compliant hosting typically consists of a set of guidelines and resources for −

  • Protecting physical servers − All of the information in your hosting account or on your website is kept on servers. These must be physically guarded to prevent theft.

  • Securing stored data − A collection of security mechanisms put in place on your host's servers to guard against malware, intruders, and other threats.

  • Data transfer security − The connection must be encrypted end-to-end whenever personal data is transferred somewhere.

  • Data breach notification − If a data breach occurs, details about the incident, including its severity, must be recorded.

Why doesn't the hosting provider want to sign it?

The new HIPAA BAA requirements, which apply to BAAs with vendors and subcontractors, came into force in January 2013. Some may contend that HIPAA rules do not apply to a vendor or hosting provider if PHI is encrypted by the client and only stored by the vendor. In reality, there is no assurance that the client has correctly encrypted all PHI before sending it to a hosting service. Before the new Omnibus Rule was implemented, compliance audits were mostly prompted by complaints.

The government is now attempting to be more proactive and to audit specific firms, including those that work with vendors that handle or store PHI. Rules that were previously vague now have definitions and penalties for violation, with fines that may range from $50,000 to $1.5 million.

Many cloud companies still see themselves as mere conduits for PHI. They consider their role to be more like a mail carrier's: they do not have access to the data; they only deliver it to other people. If the data is encrypted and cannot be deciphered, or if they never come into contact with the actual PHI, the cloud service provider will claim that HIPAA standards do not apply to it and may decline to sign a BAA.

Protecting patients is also a worthy objective, so it is important to identify the threats to their data and take action to stop them. Anyone working in the healthcare sector should steer clear of cloud providers that are unwilling to sign a BAA. Such providers are effectively refusing to be compliant, since the HIPAA Omnibus Rule specifically defines a business associate as anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity. By refusing to share the burden of ensuring HIPAA compliance, they pose a risk to your business that you simply cannot afford.