A cautionary tale – Healthcare Blog

Authors: Jacob Reider and Jodi Daniel

Jacob: Recently, I needed to sign a Business Associate Agreement (BAA) with a large hosting provider for a new health IT project. What was supposed to be a simple matter turned into a weeks-long educational exercise on basic HIPAA compliance. When I say “basic,” I mean very basic: as basic as the definitions in the statute itself.
Here's what happened, and why you need to pay attention to it if you're building healthcare technology.
I'm building a system that automatically extracts clinical data for research. Like any responsible healthcare technology company, I need HIPAA-compliant infrastructure. The company (I'll call it the hosting company, or HC) was technically good and was already hosting our development environment, so I signed up for their Enhanced Support Plan (which they require before they will consider a BAA) and requested their standard agreement.
The question
HC's BAA assumes that each customer is a “covered entity.” This means a health plan, health care information clearinghouse, or health care provider that transmits health information electronically.
But that's not me. I am not a covered entity. I am a Business Associate (BA). I process protected health information on behalf of a covered entity. When I need cloud infrastructure, I need my vendors to sign a subcontractor BAA with me.
The back and forth
When I told HC that I could not sign their BAA as written, they escalated the issue to the legal department. A few days later, the team leader responded as follows:
“With HC, even if you are a subcontracting association or a downline subcontracting association. It is still an agreement between the covered entity in the agreement and the HC…so even if it is a business associate, it will still be considered a covered entity because it is your business that is covered.”
I had to read it twice. This is completely wrong.
Jodi: Let me chime in from a legal perspective, because this confusion is more common than it should be.
The terms “covered entity” and “business associate” are not interchangeable marketing terms. They have specific legal definitions in 45 CFR § 160.103. You can't redefine them just because it's administratively convenient. Generally speaking:
- Covered entities are (most) health care providers, health plans, and health care clearinghouses.
- Business associates are entities that have access to protected health information in order to provide services on behalf of a covered entity.
- Subcontractors are persons to whom a business associate delegates functions, activities, or services.
Here's what the regulations actually say:
Under 45 CFR § 164.502(e), covered entities must enter into a BAA with entities that use protected health information (PHI) to provide services on their behalf (i.e., their business associates, or BAs). Under 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), a BA is not only permitted but required to enter into a subcontractor BAA with any other vendor that creates, receives, maintains, or transmits PHI on the BA's behalf.
When this happens, the subcontractor itself becomes a BA (sometimes called a “business associate of a business associate” or simply a “subcontractor”). HIPAA obligations are passed down the chain. The covered entity is not required to sign a BAA with the subcontractor. 45 CFR § 164.502(e)(1)(i).
This is exactly what happened in Jacob's case:
- The covered entity (the health care provider under study) has a BAA with Jacob's company (making his company a BA).
- In turn, Jacob's company must enter into a BAA with any subcontractor, such as HC, that may process PHI on Jacob's company's behalf.
- HC becomes a BA through this subcontractor relationship.
This distinction is important for compliance and auditing purposes. OCR, SOC 2 auditors, and HITRUST assessors all expect the contract chain to reflect the actual data flow. Terminology errors are not just semantically annoying; they misrepresent the statute and the relationship between the parties in a legal document.
Jacob: Yes, and here's the real problem: I can't legally sign a document stating that my company is a covered entity when it isn't.
I explained this to HC, cited the specific CFR sections that Jodi just mentioned, and even sent them an example of a BAA from Google Cloud that handles covered entities and BAs in the same document.
The HC team indicated they would request a change in language, and I'm happy to report that (after nearly three weeks of back-and-forth) we have executed an appropriate BAA.
What this means for you
Jodi: You're right, Jacob. It is not appropriate to sign a document stating that you are a covered entity when you are not one. If you're building healthcare technology, here's what you need to know:
- Understand your role in the HIPAA framework. Are you a covered entity or a BA? Most tech companies are BAs. If you provide services to a health care provider, health plan, or clearinghouse, and handle PHI in the process, you are almost certainly a BA (or subcontractor BA), not a CE.
- Read the BAA carefully before signing. Terminology matters. If a vendor's BAA treats every customer as a covered entity, that's a red flag that they haven't considered the subcontractor scenario. (The detailed requirements of the BAA are also important, but that's a topic for another blog.)
- Don't be afraid to push back. If a vendor insists that you sign something that misrepresents your role, ask them to change the language or to refer the question to an attorney who understands HIPAA.
Jacob: And I'd add:
- Be prepared to educate. Many cloud providers' legal teams (and their outside attorneys) don't fully understand HIPAA's cascading requirements. You may need to guide them through the process. Show them examples from AWS, Google Cloud, or Microsoft Azure, all of which have dealt with this problem thousands of times.
- Budget time for this process. If legal gets tangled up, what should take a day may take a week or more. Plan accordingly, especially if you are working against a deadline.
The bigger picture
Jacob: HC is not unique. I've seen this same confusion among small hosting providers, SaaS companies, and even some large tech companies. The regulatory complexity of the healthcare industry means that providers often copy BAA templates without real understanding.
The irony? HC makes you pay extra for the “privilege” of signing a BAA, since they require the Enhanced Support Plan first. Not all cloud providers or other technology platforms charge higher fees for this.
Jodi: From a legal perspective, the situation highlights a broader issue in the health technology sector. As more and more non-healthcare companies enter the space (cloud providers, AI companies, SaaS platforms), many are encountering HIPAA requirements for the first time. Their legal teams may be skilled in technology transactions or general business law, but not familiar with the nuances of healthcare regulation.
The good news is that this is fixable. The BAA template changes HC needed to make are not complex. They just need to add language that accommodates two scenarios: customers that are covered entities and customers that are BAs.
Google Cloud's BAA does this neatly with one sentence: “This BAA applies to Customer as a Covered Entity or Business Associate.” That's it. Problem solved.
Of course, it still makes sense to have an advisor who understands HIPAA review the BAA before you sign it, because there are many other issues that may affect your business and its use of PHI.
Jacob: Bottom line: If you find yourself in a similar situation, cite the specific CFR sections (45 CFR § 160.103, § 164.502(e)(1)(ii), and § 164.308(b)(2)), show them working examples from the major cloud providers, and be prepared to walk away if they don't fix the problem.
Jacob Reider, MD, is CEO of Huddle Health Solutions, Chief Health Officer of WavelyDx, and former Deputy National Coordinator for Health Information Technology at the Office of the National Coordinator. Jodi Daniel is a partner at Wilson Sonsini Goodrich & Rosati and the founding director of the Office of Policy at the Office of the National Coordinator for Health IT.