Business Associate Agreement


HIPAA Business Associate Agreement by Atlantic.Net

As one of the leading HIPAA compliant hosting companies in the United States, Atlantic.Net (and the healthcare partners that use our award-winning cloud platform) is directly affected by the Privacy Rule amendment that introduced the BAA requirement (see "What is a BAA?" below). Atlantic.Net can be a Business Associate of each healthcare organization whose PHI we process, store, manage or otherwise handle, and we are therefore legally obliged to sign a contract of service with each such organization that guarantees our HIPAA compliance status.

According to The Health Insurance Portability and Accountability Act (HIPAA), there are two different types of organizations that must ensure compliance: covered entities and business associates. Atlantic.Net™ falls into the latter category, a third-party entity contracted to handle ePHI (electronic protected health information).

In order both to comply with the law and to assure our clients that we are committed to keeping their information safe, we have drafted a HIPAA Business Associate Agreement, or BAA. BAAs are a type of HIPAA compliance documentation that is critical to our relationship with healthcare firms and medical practitioners alike, because they firmly establish the legal parameters for our use of ePHI. The following three components are central to this contract:

  • Business associate’s role – the exact nature of the third party’s interaction with the healthcare data, including any forms of use and disclosure.
  • Limitations – the prohibition of the third party from any forms of use or disclosure not stated in the agreement.
  • Security requirements – the necessity for extensive security technologies and protocols to guard against any unauthorized use or disclosure.

In conjunction with our SOC 2 Type II and SOC 3 Type II certified data center, our BAA documentation shows that we are committed to keeping the private healthcare information of our clients both safe and secure. Moreover, BAAs show that we are willing to go beyond the minimum standards of compliance established in HIPAA. Healthcare organizations that choose us as a host have the peace of mind that comes only from knowing they are partnered with a veteran that is completely committed to their best interests.

For more information about our HIPAA Business Associate Agreement or to request a copy of our agreement, please contact us today!


What is a BAA?

The HIPAA Privacy Rule amendment in 2003 introduced a new administrative safeguard declaring that all covered entities must have a signed Business Associate Agreement (BAA) in place with all Business Associates (BA) and Covered Entities that manage, process or archive Protected Health Information (PHI).


Why Choose Atlantic.Net as your next Business Associate?

Atlantic.Net has built one of the most popular HIPAA compliant hosting environments available, bringing together our 30 years of experience in the information technology sector. We know what is important to our healthcare partners and are delighted that they explicitly trust us to handle their patients’ ePHI.


When is a HIPAA BAA required?

A BAA is not necessarily a single standalone agreement; BAAs often include a combination of service level agreements, response times for incidents, and RTO and RPO guarantees for a disaster recovery solution.

With HIPAA BAA, there are two types of business associate relationships:

  • BAA between a Covered Entity and a Business Associate
  • BAA between a Business Associate and a subcontractor

What is a subcontractor in a BAA?

Subcontractors are vendors and third parties that provide Atlantic.Net with services for our day-to-day business operations. Any vendor Atlantic.Net engages with as part of our HIPAA compliant business offerings will sign the BAA if offering in-scope services; this task is managed by Atlantic.Net.


What does a BAA achieve?

A HIPAA BAA creates a bond of liability, outlining the shared responsibilities of the Covered Entity and the Business Associate (in this case, Atlantic.Net). Atlantic.Net’s BAA offers assurances regarding our HIPAA and HITECH accreditations and details the guarantees we provide for each of the administrative, physical, and technical safeguards we implement to protect ePHI.


What guarantees does Atlantic.Net’s BAA offer?

As a trusted business associate, Atlantic.Net can sign a business associate agreement to:

  • Adhere to and uphold the requirements of HIPAA legislation, including the Security and Privacy Rule amendments
  • Provide a HITECH compliant hosting environment
  • Not disclose PHI, except as permitted by law
  • Document the in-scope PHI to be transferred, processed and archived by Atlantic.Net on behalf of the CE
  • Demonstrate that proven protections are in place to prevent unlawful PHI disclosures, including technical solutions such as a VPN, TLS encryption, DR capability, and managed firewall capabilities
  • Provide guaranteed escalation processes to manage any ePHI breach notifications
  • Upon request, give the HHS access to the HIPAA policy documentation and detailed logging information of user activity
  • When the contract ceases, if feasible, return ePHI to the Covered Entity or provide evidence confirming the destruction of the ePHI


Do Business Associates have to Comply with HIPAA?

Absolutely yes. As one of the leading HIPAA compliant hosting companies in the United States, Atlantic.Net (and the healthcare partners that use our award-winning cloud platform) is directly affected by a BAA. Atlantic.Net is a Business Associate of each healthcare organization whose PHI we process, store, manage or otherwise handle, and we are therefore obliged to sign a contract of service with each such organization that guarantees our HIPAA compliance status.


Who is Considered a Business Associate Under HIPAA?

A Business Associate is someone that handles or processes Protected Health Information on behalf of the covered entity. According to the HHS.gov website: “Business associate functions and activities include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.”


What is an example of a Business Associate of a HIPAA Covered Entity?

Atlantic.Net is a business associate of our healthcare customers as our systems are used to store, manage and process protected health information.


If I Share ePHI with Other Companies, Do I Need to Sign a Business Associate Agreement with them?

The quick answer is yes, but there are some exceptions. If Protected Health Information is shared, it must be for a valid reason, and it may only be stored and processed as needed. Redacted PHI is different: if no personally identifiable information (such as name, address, or social security number) is included, the information can be shared.


As a software vendor, what do I need to do to become a HIPAA-compliant Business Associate?

The Business Associate Agreement (BAA) governs the BA’s creation, use, maintenance, and disclosure of PHI. A typical software vendor has multiple external subcontractors and may also need to sign a BASA.


More About BAAs
How the BAA fits in – basic HIPAA elements & definitions


A brief review of HIPAA and its primary component parts allows us to place the business associate’s agreement in context.

The vast majority of healthcare companies must abide by the parameters of the Health Insurance Portability and Accountability Act (HIPAA), an Act passed by the United States Congress in 1996 that safeguards American citizens’ health data. The data that falls under the auspices of the law – as governed by the Department of Health & Human Services (HHS) – is designated, collectively, as protected health information (PHI).

PHI is typically handled by covered entities. Organizations in that category include healthcare providers, healthcare plans, and healthcare clearinghouses. Examples of each type of HIPAA-compliant organization are as follows:

  • providers – doctors, dentists, nursing homes, pharmacies, etc.
  • plans – health insurance companies, HMOs, Medicare, Medicaid, etc.
  • clearinghouses – transcription services, etc.

Any of the above organizations necessarily handle PHI as a central responsibility of their business. The Privacy Rule and Security Rule of HIPAA require covered entities to protect patient data from loss, theft, or any other misuse.

A covered entity can choose to work with a business associate, outsourcing certain aspects of operations to a trusted third party. In order to appropriately place responsibility into the hands of the external organization, both companies must agree to the terms of a BAA. By signing the agreement, the business associate agrees to safeguard PHI and to perform its obligations to the covered entity within the guidelines of HIPAA.


Characteristics of a HIPAA BAA

According to the HIPAA guidelines, a BAA must do the following:

  • Describe the specific ways in which PHI is being used (transferred, processed, and/or stored) by the business associate, along with any ways in which the business associate is contracted by the covered entity to disclose PHI;
  • Establish that the business associate cannot use or disclose any health data beyond the purposes established in the agreement, except in special cases when cooperating with law enforcement;
  • Dictate that the business associate must have strong, proven protections in place that prevent any malicious or otherwise unlawful PHI disclosure, use, or access – one part of which is the electronic means stipulated by the HIPAA Security Rule (including VPN capability and SSL encryption within a firewall-secured private network);
  • Stipulate that the business associate must immediately notify the covered entity if PHI is used or disclosed in a manner that goes beyond the parameters established in the agreement, such as in the event of a data breach;
  • Direct the business associate not only to protect data but also to make it readily available, so that individuals can access their medical records as established by law and can amend their PHI according to the amendment and accounting guidelines set forth in HIPAA;
  • Require the business associate to follow the Privacy Rule of HIPAA (to whatever degree the covered entity entrusts the business associate with privacy-related activities);
  • State that the business associate must allow the Department of Health & Human Services access to its policy documents and all accounting files that pertain to PHI use and disclosure – whether the applicable data was obtained directly from the covered entity or while representing its interests – so that the US government can properly determine compliance;
  • Delineate the need for the business associate to return any PHI to the covered entity or to completely delete all PHI data – whether that data was obtained from the covered entity or in the business associate’s capacity as its representative – if and when the agreement between the two parties ends, provided such return or deletion is possible and reasonably accomplished;
  • Hold the business associate responsible for its relationships with subcontractors who may additionally be exposed to PHI, so that they are held accountable to the same requirements that apply to the business associate; and
  • Allow the covered entity to cancel the agreement at any time if the business associate is in noncompliance with any of its stipulations.

Want to know more about the technical safeguards of our HIPAA hosting solution? Check out our HIPAA hosting page.
