{"id":2281,"date":"2013-02-20T00:00:00","date_gmt":"2013-02-20T00:00:00","guid":{"rendered":"http:\/\/otava.test\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/"},"modified":"2013-02-20T00:00:00","modified_gmt":"2013-02-20T00:00:00","slug":"hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/","title":{"rendered":"HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules"},"content":{"rendered":"

\"MikeDoes your HIPAA hosting<\/a> provider have a legal BAA (business associate agreement)?<\/p>\n

I just got off the phone with our attorneys who are updating our business associate agreement to reflect the changes required in the HHS final HIPAA Privacy and Security Rules.<\/p>\n

Section 164.504 of the final ruling has a list of specific clauses that are required to be in every BAA \u2013 including cloud<\/a> and colocation<\/a> providers that house ePHI (electronic protected health information).<\/p>\n

There is no question that hosting and colocation providers<\/a> are considered business associates by the Dept. of Health & Human Services in the final ruling, and subject to the same audits and penalties by the HHS’s Office for Civil Rights.\u00a0 The challenge is how you incorporate the new HIPAA final ruling requirements<\/a> into a BAA with a hosting provider.<\/p>\n

Since there is no reason for a hosting provider to access ePHI, we believe every HIPAA compliant hosting and colocation provider should have a very strict set of policies and procedures against accessing any ePHI.\u00a0 But, providing “designated record sets” and “amending designated record sets” as required by the new HIPAA final ruling requirements into a BAA is impossible if the hosting provider doesn’t access ePHI.<\/p>\n

A properly worded BAA with your hosting provider should specifically address this “catch 22” scenario as well as the other requirements in the HHS final ruling \u2013 to protect both you and your hosting partner from creating contractual obligations in the business associate agreement that can not be met by either party.<\/p>\n

Rest assured, our updated business associate agreement\u00a0 reflects the final ruling and contractually protects both client and provider with clear responsibilities of each party.<\/p>\n

Related Links:
\nThe HIPAA Police Are On Their Way!<\/a><\/em><\/strong>
\nOne of the lesser known requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health and Human Services (HHS) to conduct periodic audits to ensure that healthcare organizations and their business associates are complying with HIPAA laws \u2026 Continue reading \u2192<\/a><\/p>\n

Final HIPAA Omnibus Rule: Business Associate Agreements & Roadmap to Compliance<\/a><\/strong><\/em>
\nIn addition to redefining business associates (BAs) and including subcontractors in the scope of liability, the final HIPAA omnibus rule has prompted the release of a new sample business associate agreement by the Dept. of Health and Human Services (HHS). \u2026 Continue reading \u2192<\/a><\/p>\n

No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules<\/a><\/strong><\/em>
\nJoin us January 31st @2PM ET for a webinar with Brian Balow of the Dickinson Wright law firm to find out how the latest HIPAA modifications affect the healthcare industry and healthcare vendors. Title: No More Excuses: HHS Releases Tough \u2026 Continue reading \u2192<\/a><\/p>\n

\n

\"HIPAA<\/a>Need help achieving compliance? Learn about the specific HIPAA requirements for HIPAA hosting with IT vendors with our HIPAA Compliant Hosting white paper<\/a>. With 36 pages of statistics, diagrams and researched information sourced from engineers and a CHSS (Certified HIPAA Security Specialist), this white paper is your complete guide to HIPAA hosting.<\/p>\n

Still have questions? Contact us or chat now. Learn more about our HIPAA hosting solutions, including cloud<\/a>, colocation<\/a>, managed servers<\/a> and disaster recovery<\/a>. Or, submit a quote request<\/a> today.<\/p>\n

\n","protected":false},"excerpt":{"rendered":"

Does your HIPAA hosting provider have a legal BAA (business associate agreement)? I just got off the phone with our attorneys who are updating our business associate agreement to reflect the changes required in the HHS final HIPAA Privacy and Security Rules. Section 164.504 of the final ruling has a list of specific clauses that are required to be in every BAA \u2013 including cloud and colocation providers that house ePHI (electronic protected health information). There is no question that hosting and colocation providers are considered business associates by the Dept. of Health & Human Services in the final ruling, and subject to the same audits and penalties by the HHS’s Office for Civil Rights.\u00a0 The challenge is how you incorporate the new HIPAA final ruling requirements into a BAA with a hosting provider. Since there is no reason for a hosting provider to access ePHI, we believe every HIPAA compliant hosting and colocation provider should have a very strict set of policies and procedures against accessing any ePHI.\u00a0 But, providing “designated record sets” and “amending designated record sets” as required by the new HIPAA final ruling requirements into a BAA is impossible if the hosting provider doesn’t access ePHI….<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-2281","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head":"\nHIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules | OTAVA<\/title>\n<meta name=\"description\" content=\"We believe every HIPAA compliant hosting and colocation provider should have a very strict set of policies and procedures against accessing any ePHI.\u00a0\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules\" \/>\n<meta property=\"og:description\" content=\"We believe every HIPAA compliant hosting and colocation provider should have a very strict set of policies and procedures against accessing any ePHI.\u00a0\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2013-02-20T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/mike-klein-150.jpg\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules\",\"datePublished\":\"2013-02-20T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/\"},\"wordCount\":532,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/mike-klein-150.jpg\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/\",\"url\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/\",\"name\":\"HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules | OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/mike-klein-150.jpg\",\"datePublished\":\"2013-02-20T00:00:00+00:00\",\"description\":\"We believe every HIPAA compliant hosting and colocation provider should have a very strict set of policies and procedures against accessing any ePHI.\u00a0\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#primaryimage\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/mike-klein-150.jpg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/mike-klein-150.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules | OTAVA","description":"We believe every HIPAA compliant hosting and colocation provider should have a very strict set of policies and procedures against accessing any ePHI.\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/","og_locale":"en_US","og_type":"article","og_title":"HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules","og_description":"We believe every HIPAA compliant hosting and colocation provider should have a very strict set of policies and procedures against accessing any ePHI.\u00a0","og_url":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/","og_site_name":"OTAVA","article_published_time":"2013-02-20T00:00:00+00:00","og_image":[{"url":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/mike-klein-150.jpg","type":"","width":"","height":""}],"author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules","datePublished":"2013-02-20T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/"},"wordCount":532,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"image":{"@id":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#primaryimage"},"thumbnailUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/mike-klein-150.jpg","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/","url":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/","name":"HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#primaryimage"},"image":{"@id":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#primaryimage"},"thumbnailUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/mike-klein-150.jpg","datePublished":"2013-02-20T00:00:00+00:00","description":"We believe every HIPAA compliant hosting and colocation provider should have a very strict set of policies and procedures against accessing any ePHI.\u00a0","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#primaryimage","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/mike-klein-150.jpg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/mike-klein-150.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/hipaa-hosting-provider-baas-need-to-reflect-hhs-final-hipaa-privacy-security-rules\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=2281"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2281\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=2281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=2281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=2281"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=2281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}