For those that are hosting Protected Health Information (PHI) and are searching for a HIPAA compliant web host, one of the key components is the Business Associate Agreement or BAA. A BAA is an agreement between two parties where at least one of the two parties is handling PHI or Electronic Health Records (EHR).

The Business Associate Agreement outlines the responsibilities that each party has in managing the PHI or EHR data. In a web hosting scenario, typically a software development company wishes to host their health-related website on the internet. They contact the web host and enter into an agreement with the host that details the responsibilities that each party has with the goal in mind of keeping unauthorized users from accessing the PHI data.

Not all web hosting companies are willing to enter into a Business Associate Agreement. For example, Amazon Web Services (AWS), a popular and economical option, offered by Amazon is not a good fit for those requiring HIPAA compliant hosting because Amazon is unwilling to enter into a Business Associate Agreement in most cases. The reason for this is simple. Amazon is purely an IaaS (infrastructure as a service) company, and the BAA agreement calls for managed security services that go beyond the pure infrastructure play. Other large hosting providers such as Rackspace might be willing to sign.

There has been a dramatic increase in health care websites, which has in turned spawned a number of web hosting specialists that cater to the needs of those seeking HIPAA compliant hosting. One such company is HIPAA Vault. There website,, explains how their services are geared toward health care application providers.

The BAA is structured around delineating what the parties are responsible for. The hosting providers is typically handling the technical safeguards to ensure PHI data is secure while the software application publisher is responsible for creating and managing the website. Their code must adhere to security standards and the developers must agree to keep the data secure at all times. The aim of the agreement is to ensure that both parties are responsible for the safety of the data.

The BAA is an important document that keeps both parties fully aware of their shared responsibilities in managing the PHI data. After signing the agreement, neither company can claim they were ignorant of their responsibilities or shift the blame onto the other party.

We’ll analyze the BAA more closely in a future blog.