Disclaimer: We are not lawyers and are not providing legal advice.
Because HIPAA Forms is configured such that no data is ever stored (at rest) on the hosting server, you do NOT need a BAA with your hosting provider. The data is never "at rest" on the hosting server: it is already encrypted, and it is transmitted using TLS/SSL. With regard to the HIPAA Forms plugin, our legal resources have established that hosting services are only transient in nature. Hosting services are simply conduits.
In its Omnibus Rule commentary, HHS concluded that entities that do not have access to PHI on a routine basis (i.e., entities that are mere “conduits” for PHI) are not business associates or subject to HIPAA.
More details can be found HERE
Please consult with your own legal resources for further clarification.