02-20-13 | Blog Post

HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules

Blog Posts

Mike KleinDoes your HIPAA hosting provider have a legal BAA (business associate agreement)?

I just got off the phone with our attorneys who are updating our business associate agreement to reflect the changes required in the HHS final HIPAA Privacy and Security Rules.

Section 164.504 of the final ruling has a list of specific clauses that are required to be in every BAA – including cloud and colocation providers that house ePHI (electronic protected health information).

There is no question that hosting and colocation providers are considered business associates by the Dept. of Health & Human Services in the final ruling, and subject to the same audits and penalties by the HHS’s Office for Civil Rights.  The challenge is how you incorporate the new HIPAA final ruling requirements into a BAA with a hosting provider.

Since there is no reason for a hosting provider to access ePHI, we believe every HIPAA compliant hosting and colocation provider should have a very strict set of policies and procedures against accessing any ePHI.  But, providing “designated record sets” and “amending designated record sets” as required by the new HIPAA final ruling requirements into a BAA is impossible if the hosting provider doesn’t access ePHI.

A properly worded BAA with your hosting provider should specifically address this “catch 22” scenario as well as the other requirements in the HHS final ruling – to protect both you and your hosting partner from creating contractual obligations in the business associate agreement that can not be met by either party.

Rest assured, our updated business associate agreement  reflects the final ruling and contractually protects both client and provider with clear responsibilities of each party.

Related Links:
The HIPAA Police Are On Their Way!
One of the lesser known requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health and Human Services (HHS) to conduct periodic audits to ensure that healthcare organizations and their business associates are complying with HIPAA laws … Continue reading →

Final HIPAA Omnibus Rule: Business Associate Agreements & Roadmap to Compliance
In addition to redefining business associates (BAs) and including subcontractors in the scope of liability, the final HIPAA omnibus rule has prompted the release of a new sample business associate agreement by the Dept. of Health and Human Services (HHS). … Continue reading →

No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules
Join us January 31st @2PM ET for a webinar with Brian Balow of the Dickinson Wright law firm to find out how the latest HIPAA modifications affect the healthcare industry and healthcare vendors. Title: No More Excuses: HHS Releases Tough … Continue reading →


HIPAA Compliant Data CentersNeed help achieving compliance? Learn about the specific HIPAA requirements for HIPAA hosting with IT vendors with our HIPAA Compliant Hosting white paper. With 36 pages of statistics, diagrams and researched information sourced from engineers and a CHSS (Certified HIPAA Security Specialist), this white paper is your complete guide to HIPAA hosting.

Still have questions? Contact us or chat now. Learn more about our HIPAA hosting solutions, including cloud, colocation, managed servers and disaster recovery. Or, submit a quote request today.


Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved