HIPAA BAAs and HIPAA Cloud Hosting

All HIPAA/HITECH-regulated organizations in the process of selecting a HIPAA-compliant cloud hosting provider should expect their chosen vendor to sign a HIPAA/HITECH Business Associate Agreement (BAA).*

But here’s the rub.

It’s easy to find a cloud hosting provider who says, “Yeah, we’ll sign a BAA.”

However, it’s quite another to find a provider who is a HIPAA BAA expert and can help you understand what your BAA means.  AISN is that expert.

It’s critical for organizations to understand that it’s not enough to say, “Yeah, we’ve got a signed BAA.  We’re good!”

Understand your HIPAA BAA

Your BAA is not just a piece of paper that you read only when a problem arises.  You should understand what you’re signing.

Why?  Under the new rule, your exposure to penalties is increased.  You’re responsible for protecting your PHI and ensuring that any subcontractors you use are also compliant.  If the cloud hosting provider whom you have chosen to access your electronic Protected Health Information (ePHI) fails an audit or commits a data breach, responsibility also falls on you.  (For this reason, it’s smart to get a network vulnerability assessment from an independent auditor who does not maintain the vendor’s network.)

How can AISN help?  Unlike most generalist and commodity hosting providers, AISN is a HIPAA cloud hosting expert.  We provide clients with the assistance they need to understand and comply with HIPAA/HITECH throughout all facets of the engagement process.  Before any ePHI and apps are moved to the cloud, AISN helps you put in place an appropriate and effective BAA – a policy that is highly specific to the data that we protect and the cloud hosting and services that we offer.  Then, our experts will guide you through the process of understanding your own rights and responsibilities, as well as AISN’s, as established under the BAA.

Have some questions about BAAs and HIPAA cloud hosting?  We can help.  Contact us!


* A HIPAA Business Associate Agreement (BAA) is a written contract between a HIPAA-covered entity and a HIPAA business associate (BA).  It defines the responsibilities of each party to safeguard PHI in accordance with HIPAA guidelines.  To learn more, see the U.S. Department of Health and Human Services’ expanded definition: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html


Jay Atkinson is CEO of AIS Network.