Business Associate or Conduit? Why a BAA likely applies to you.

Ever run into a vendor who claims to be a conduit versus a business associate (BA)? It happens all too often, in my experience. Here’s the problem: the conduit exception is a narrow one. If you’re storing PHI data, even encrypted PHI where you don’t have the encryption key, you’re a BA. Sign the Business …

Word of Warning: Does Not Sign Business Associate Agreements


A few days ago, after making multiple attempts on behalf of a client to verify and clarify how supports HIPAA compliance, specifically participating in Business Associate Agreements, I found that they do not. In fact, they do not consider themselves subject to HIPAA regulations, regardless of the possibility of PHI being stored on the …

OCR Confirms that an EHR Kill Switch Violates HIPAA

If you’re a digital health vendor with an EHR product, take heed. Simply because your client hasn’t paid you for implementation, or you’ve had a disagreement about the product, doesn’t mean you can refuse them access to the EHR and the ePHI within. It’s a HIPAA violation. You can check out the FAQ, aka the …