By JACOB REIDER & JODI DANIEL
Jacob: I recently needed to sign a Business Associate Agreement (BAA) with one of the large hosting providers for a new health IT project. What should have been straightforward turned into a multi-week educational exercise about basic HIPAA compliance. And when I say “basic,” I mean really basic, like the definitions in the statute itself.
Here’s what happened and why you need to watch out for this if you’re building health care technology.
I’m building a system that automates clinical data extraction for research studies. Like any responsible health care tech company, I need HIPAA-compliant infrastructure. The company (I’ll call them Hosting Company or HC) is good technically, and they’re hosting our development environment, so I signed up for their enhanced support plan (which they require before they’ll even consider a BAA) and requested their standard agreement.
The Problem
HC’s BAA assumes every customer is a “Covered Entity.” That means a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically.
But that’s not me. I’m not a Covered Entity. I’m a Business Associate (BA). I handle protected health information on behalf of Covered Entities. When I need cloud infrastructure, I need my vendors to sign subcontractor BAAs with me.
The Back and Forth
When I told HC that I couldn’t sign their BAA as written, they escalated to their legal department. Days later, a team lead came back with this response:
“To HC, even if you are a subcontracted or a down the line subcontracted association. It would still be an agreement between the covered entity within the agreement and HC… So even being a business associate, it would still be considered a covered entity since it is your business that is being covered.”
I had to read it twice. This is simply wrong.
Jodi: Let me chime in here with the legal perspective, because this confusion is more common than it should be.
The terms “Covered Entity” and “Business Associate” aren’t interchangeable marketing terms. They have specific legal definitions in 45 CFR § 160.103. You can’t just redefine them because it’s administratively convenient. Generally… covered entities are (most) health care providers, health plans, and health care clearinghouses; business associates are those entities that have access to protected health information to perform services on behalf of covered entities; and subcontractors are persons to whom a business associate delegates a function, activity, or service.
Here’s what the regulations actually say: