HIPAA Business Associate Agreement

What is a Business Associate Agreement?

Business Associate Agreements are Available from Atlantic.Net

Trusted By Over 15,000 Businesses

Our Clients

Start Your HIPAA Project with a Free Fully Audited HIPAA Platform Trial!

HIPAA Compliant Compute & Storage, Encrypted VPN, Security Firewall, BAA, Offsite Backups, Disaster Recovery, & More!

Start My Free Trial

Looking for HIPAA Compliant Hosting?

We Can Help with a Free Assessment.

  • IT Architecture Design, Security, & Guidance.
  • Flexible Private, Public, & Hybrid Hosting.
  • 24x7x365 Security, Support, & Monitoring.
Contact Us Now!
Stevie Gold Award Med Tech Award

SOC Audit HIPAA Audit HITECH Audit

Case Studies

White Papers


HIPAA Partners

What is a BAA?

The HIPAA Privacy Rule amendment in 2003 introduced a new administrative safeguard declaring that all covered entities must have a signed Business Associate Agreement (BAA) in place with all Business Associates (BA) and Covered Entities that manage, process or archive Protected Health Information (PHI).

HIPAA Business Associate Agreement:

As one of the leading HIPAA compliant hosting companies in the United States, Atlantic.Net (and our healthcare partners utilizing our award-winning cloud platform) are directly impacted by this amendment. Atlantic.Net is a Business Associate of each healthcare organization with whom we process, store, manage or otherwise deal with PHI, and therefore, we are legally obliged to sign a contract of service with each organization to guarantee our HIPAA compliance status.

When is a HIPAA BAA required?

A BAA is not necessarily a single standalone agreement; BAAs often include a combination of service level agreements, response times for incidents, and RTO and RPO guarantees for a disaster recovery solution.

With HIPAA BAA, there are two types of business associate relationships:

  • BAA between a Covered Entity and a Business Associate
  • BAA between a Business Associate and a subcontractor

What is a subcontractor in a BAA?

Subcontractors are vendors and third parties that provide Atlantic.Net with services for our day-to-day business operations. Any vendor Atlantic.Net engages with as part of our HIPAA compliant business offerings will sign the BAA if offering in-scope services; this task is managed by Atlantic.Net.

Who are Covered Entities?

A Covered Entity (CE) is any organization that handles PHI during day-to-day business operations. Most businesses working in the healthcare industry are considered Covered Entities.

The U.S. Department of Health and Human Services (HHS) officially defines a CE as:

  • Healthcare providers – doctors, dentists, nursing homes, pharmacies, etc.
  • Healthcare plans – health insurance companies, HMOs, Medicare, Medicaid, etc.
  • Clearinghouses – transcription services, etc.

Each Covered Entity has a legal requirement to protect patient data from loss, theft, and misuse. The CE may choose to work with a business associate like Atlantic.Net to outsource specific business functions, such as cloud hosting. In order to appropriately place the responsibility into the hands of a Business Associate like Atlantic.Net, both companies must agree to the terms of a BAA.

What does a BAA achieve?

A HIPAA BAA creates a bond of liability, outlining the shared responsibilities of the Covered Entity and the Business Associate (in this case, Atlantic.Net). Atlantic.Net’s BAA offers assurances regarding our HIPAA and HITECH accreditations and details the guarantees we provide for each of the administrative, physical, and technical safeguards we implement to protect ePHI.

What guarantees does Atlantic.Net’s BAA offer?

As a trusted business associate, we will:

  • Adhere and uphold the requirements of HIPAA legislation, including the Security and Privacy rule amendments
  • Provide a HITECH compliant hosting environment
  • Not disclose PHI, except as permitted by law
  • Document the in-scope PHI to be transferred, processed and archived by Atlantic.Net on behalf of the CE
  • Demonstrate that proven protections are in place to prevent unlawful PHI disclosures, including technical solutions such as a VPN, TLS encryption, DR capability, and managed firewall capabilities. Click here to find out more
  • Provide guaranteed escalation processes to manage any ePHI breach notifications
  • Upon request, Atlantic.Net must give the HHS access to the HIPAA policy documentation and detailed logging information of user activity
  • When the contract ceases, if feasible, ePHI must be returned to the Covered Entity or evidence must be provided to confirm the destruction of ePHI

Sample BAA:

Sample Business Associate Agreement

Why choose Atlantic.Net as your next Business Associate

Atlantic.Net has built one of the most popular HIPAA compliant hosting environments available, bringing together our 25 years of experience in the information technology sector. We know what is important to our healthcare partners and are delighted they explicitly trust us to handle their patients’ ePHI.

Want to know more about the technical safeguards of our HIPAA hosting solution? Check out our HIPAA hosting page.

This page was updated on June 23, 2020.

Contact Us

Share your vision with us, and we will develop a hosting environment tailored to your needs!

Contact an advisor at 888-618-DATA (3282) or fill out the form below.

New York, NY

100 Delawanna Ave, Suite 1

Clifton, NJ 07014

United States

San Francisco, CA

2820 Northwestern Pkwy,

Santa Clara, CA 95051

United States

Dallas, TX

2323 Bryan Street,

Dallas, Texas 75201

United States

Ashburn, VA

1807 Michael Faraday Ct,

Reston, VA 20190

United States

Orlando, FL

440 W Kennedy Blvd, Suite 3

Orlando, FL 32810

United States

Toronto, Canada

20 Pullman Ct, Scarborough,

Ontario M1X 1E4


London, UK

14 Liverpool Road, Slough,

Berkshire SL1 4QZ

United Kingdom