Tag: HIPAA

When Your Cloud Provider Doesn’t Understand HIPAA: A Cautionary Tale

By JACOB REIDER & JODI DANIEL

Jacob: I recently needed to sign a Business Associate Agreement (BAA) with one of the large hosting providers for a new health IT project. What should have been straightforward turned into a multi-week educational exercise about basic HIPAA compliance. And when I say “basic,” I mean really basic, like the definitions in the statute itself.

Here’s what happened and why you need to watch out for this if you’re building health care technology.

I’m building a system that automates clinical data extraction for research studies. Like any responsible health care tech company, I need HIPAA-compliant infrastructure. The company (I’ll call them Hosting Company or HC) is good technically, and they’re hosting our development environment, so I signed up for their enhanced support plan (which they require before they’ll even consider a BAA) and requested their standard agreement.

The Problem

HC’s BAA assumes every customer is a “Covered Entity.” That means a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically.

But that’s not me. I’m not a Covered Entity. I’m a Business Associate (BA). I handle protected health information on behalf of Covered Entities. When I need cloud infrastructure, I need my vendors to sign subcontractor BAAs with me.

The Back and Forth

When I told HC that I couldn’t sign their BAA as written, they escalated to their legal department. Days later, a team lead came back with this response:

“To HC, even if you are a subcontracted or a down the line subcontracted association. It would still be an agreement between the covered entity within the agreement and HC… So even being a business associate, it would still be considered a covered entity since it is your business that is being covered.”

I had to read it twice. This is simply wrong.

Jodi: Let me chime in here with the legal perspective, because this confusion is more common than it should be.

The terms “Covered Entity” and “Business Associate” aren’t interchangeable marketing terms. They have specific legal definitions in 45 CFR § 160.103. You can’t just redefine them because it’s administratively convenient. Generally… covered entities are (most) health care providers, health plans, and health care clearinghouses; business associates are those entities that have access to protected health information to perform services on behalf of covered entities; and subcontractors are persons to whom a business associate delegates a function, activity, or service.

Here’s what the regulations actually say:

Defanging HIPAA: How Your De-identified Data Was Re-identified For Profit.

By MIKE MAGEE, M.D.

Arthur Sackler continues to demonstrate just how wealthy one can become by taking advantage of patients and their diseases.

He’s been dead since 1987, but his ghost continues to access your personal health data, push medical consumption and over-utilization, and expand profits exponentially for data abusers, well beyond his wildest dreams. Back in 1954, he and his friend and secret business partner, Bill Frohlich, were the first to realize that individual health data could be a goldmine. That relationship would still be a secret had it not been exposed in a messy family inheritance feud unleashed by his third wife after Sackler’s death.

The company they founded, IMS Health, was taken public and listed on the NYSE on April 4, 2014, raising $1.3 billion in stock. I’ll come back to that in a moment. But in the early years, the pair realized that the data they were collecting would multiply in value if it could be correlated with a second data set. That dataset was the AMA’s Physician Masterfile, which tracked the identity and location of every physician in America from the time they entered medical school.

HIPAA’s Broken Promises

If you hate HIPAA, it’s your lucky day. Paul Ohm is handing you ammunition in his article, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization.” His argument: our current information privacy structure is a house built on sand.

“Computer scientists…have demonstrated they can often ‘reidentify’ or ‘deanonymize’ individuals hidden in anonymized data with astonishing ease.”

Ohm’s article describes HIPAA, in particular, as a fig leaf – or worse, as kudzu choking off the free flow of information.

“[I]t is hard to imagine another privacy problem with such starkly presented benefits and costs. On the one hand, when medical researchers can freely trade information, they can develop treatments to ease human suffering and save lives. On the other hand, our medical secrets are among the most sensitive we hold.”
