1. What is the appropriate HIPAA relationship between a business associate (company A) and another vendor (company B) that is providing services to a covered entity related to hosting the covered entity’s data in the cloud?

Company A is providing services to a covered entity that requires it to be a business associate of the covered entity along with requiring it to sign a business associate contract (BAC) with the covered entity. The BAC should have a stipulation that any subcontractor (in this case, Company B) of Company A be required to secure electronic protected health information (EPHI) just as Company A is required by the BAC to secure EPHI. You could think of it as an “inherent requirement” that ...