The Business Associate Agreement is an important document that’s signed between the cloud service provider and the application developer. The purpose of the document is to have both parties work as a team. The cloud service provider is in charge of security from the application layer down, and the application developer needs to ensure that the code in their application follows the HIPAA standards.
The document really should be seen as an agreement where both parties work hand in hand. For example, if the developer logs in to do their work and sees something that doesn’t seem right to them, like file permissions, they should just quickly email the cloud service provider and say, “Hey, I noticed something that might be off.” Likewise, if the cloud service provider, while doing their work as assistant administrator, somehow notices something in the application that doesn’t seem right, they should notify the application developer. It’s helpful not to have finger-pointing but instead to realize that both parties are liable if there’s a breach; neither one’s going to get off the hook.
So this, in a nutshell, is what the Business Associate Agreement is all about.