The Health Care Blog
By JACOB REIDER & JODI DANIEL


Jacob: I recently needed to sign a Business Associate Agreement (BAA) with one of the large hosting providers for a new health IT project. What should have been straightforward turned into a multi-week educational exercise about basic HIPAA compliance. And when I say “basic,” I mean really basic, like the definitions in the statute itself.
Here’s what happened and why you need to watch out for this if you’re building health care technology.
I’m building a system that automates clinical data extraction for research studies. Like any responsible health care tech company, I need HIPAA-compliant infrastructure. The company (I’ll call them Hosting Company or HC) is good technically, and they’re hosting our development environment, so I signed up for their enhanced support plan (which they require before they’ll even consider a BAA) and requested their standard agreement.
The Problem
HC’s BAA assumes every customer is a “Covered Entity.” That means a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically.
But that’s not me. I’m not a Covered Entity. I’m a Business Associate (BA). I handle protected health information on behalf of Covered Entities. When I need cloud infrastructure, I need my vendors to sign subcontractor BAAs with me.
The Back and Forth
When I told HC that I couldn’t sign their BAA as written, they escalated to their legal department. Days later, a team lead came back with this response:
“To HC, even if you are a subcontracted or a down the line subcontracted association. It would still be an agreement between the covered entity within the agreement and HC… So even being a business associate, it would still be considered a covered entity since it is your business that is being covered.”
I had to read it twice. This is simply wrong.
Jodi: Let me chime in here with the legal perspective, because this confusion is more common than it should be.
The terms “Covered Entity” and “Business Associate” aren’t interchangeable marketing terms. They have specific legal definitions in 45 CFR § 160.103. You can’t just redefine them because it’s administratively convenient. Generally… covered entities are (most) health care providers, health plans, and health care clearinghouses; business associates are those entities that have access to protected health information to perform services on behalf of covered entities; and subcontractors are persons to whom a business associate delegates a function, activity, or service.
Here’s what the regulations actually say:
Covered entities are required to have BAAs with the entities that use protected health information to provide services on their behalf (i.e., their business associates or BAs) under 45 CFR § 164.502(e). Under 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), BAs are not just permitted but required to execute subcontractor BAAs with other vendors that create, receive, maintain, or transmit PHI on their behalf.
When that happens, the subcontractor also becomes a BA (sometimes called a “Business Associate of a Business Associate” or a “Subcontractor”). The HIPAA obligations cascade down the chain. Covered entities are not required to have BAAs with Subcontractors. 45 CFR § 164.502(e)(1)(i).
That’s exactly what’s happening in Jacob’s situation:
- The Covered Entities (the health care providers in the research study) have BAAs with Jacob’s company (making him a BA).
- Jacob’s company, in turn, must have BAAs with any Subcontractors like HC that may handle PHI on behalf of Jacob’s company.
- HC becomes a BA through this subcontractor relationship.
The distinction matters for compliance and audit purposes. OCR, SOC 2 auditors, and HITRUST assessors all expect the contractual chain to mirror the actual data flow. Getting the terminology wrong isn’t just semantically annoying—it is misrepresenting the regulations and the relationship between the parties in a legal document.
Jacob: Yup… and here’s the practical problem: I could not legally sign a document stating that my company is a Covered Entity when it’s not.
I explained this to HC, cited the specific CFR sections Jodi just mentioned, and even sent them examples from Google Cloud’s BAA, which handles both Covered Entities and BAs in the same document.
HC’s team said they’d request the language change, and I’m pleased to convey that (after nearly three weeks of back-and-forth) we have executed a proper BAA.
What This Means for You
Jodi: You’re right, Jacob. It’s not appropriate to sign a document that says you are a covered entity when you’re not one. If you’re building health care technology, here’s what you need to know:
- Understand your role in the HIPAA framework. Are you a Covered Entity or a BA? Most tech companies are BAs. If you’re providing services to health care providers, health plans, or clearinghouses and you handle PHI in the process, you’re almost certainly a BA (or a subcontractor BA), not a CE.
- Read the BAA carefully before signing. The terminology matters. If a vendor’s BAA only contemplates Covered Entities as customers, that’s a red flag that they haven’t thought through the subcontractor scenario. (And the detailed requirements of the BAA matter too, but that is a topic for another blog).
- Don’t be afraid to push back. If a vendor insists you sign something that mischaracterizes your role, ask them to revise the language or to refer you to an attorney who understands HIPAA.
Jacob: And so …
- Be prepared to educate. Many cloud providers’ legal teams (and their attorneys) don’t fully understand HIPAA’s cascade requirements. You may need to walk them through it. Point them to examples from AWS, Google Cloud, or Microsoft Azure, all of which have dealt with this thousands of times.
- Budget time for this process. What should take a day can take a week or more if you hit legal confusion. Plan accordingly, especially if you have a launch deadline.
The Bigger Picture
Jacob: HC isn’t unique. I’ve seen this same confusion at smaller hosting providers, SaaS companies, and even some larger tech firms. The health care industry’s regulatory complexity means vendors often copy BAA templates without really understanding them.
The irony? HC makes you pay extra for the “privilege” of signing their BAA. They charge for enhanced support as a prerequisite. Not all cloud providers or other technology platforms charge more.
Jodi: From a legal perspective, this situation highlights a broader issue in health tech. As more non-health care companies enter the space (cloud providers, AI companies, SaaS platforms), many are encountering HIPAA requirements for the first time. Their legal teams may be excellent at tech transactions or general commercial law but unfamiliar with health care regulatory nuance.
The good news is that this is fixable. The BAA template changes HC made aren’t complex. They just needed to add language that accommodates both scenarios: customers who are Covered Entities and customers who are BAs.
Google Cloud’s BAA does this elegantly in a single sentence: “This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate.” That’s it. Problem solved.
Of course… it makes sense to have counsel who understands HIPAA take a look at the BAA before you sign, as there are a host of other issues that may impact your business and use of PHI.
Jacob: Bottom line: if you’re in a similar situation, cite the specific CFR sections (45 CFR § 160.103, § 164.502(e)(1)(ii), and § 164.308(b)(2)), show them working examples from major cloud providers, and be ready to walk away if they won’t fix it.
Jacob Reider MD is CEO of Huddle Health Solutions, Chief Health Officer at WavelyDx, and former Deputy National Coordinator for Health IT at the Office of the National Coordinator. Jodi Daniel is a partner at Wilson Sonsini Goodrich & Rosati and was the founding director of the Office of the National Coordinator for Health IT.
