Disclaimer: We are not lawyers and are not providing legal advice.


Because HIPAA Forms is configured so that no data is ever stored (at rest) on the hosting server, in most circumstances you should not need a BAA with your hosting provider. The data is never "at rest" on the hosting server: it is already encrypted, and it is transmitted using TLS/SSL. With regard to the HIPAA Forms plugin, our legal resources have established that hosting services are only transient in nature; hosting services are simply conduits.


In its Omnibus Rule commentary, HHS concluded that entities that do not have access to PHI on a routine basis (i.e., entities that are mere “conduits” for PHI) are not business associates or subject to HIPAA.


More details can be found HERE


Please consult with your own legal resources for further clarification.


IMPORTANT: While HIPAA Forms is designed to ensure your website is using SSL/HTTPS and will not function over unsecured HTTP, it is the Covered Entity's responsibility to ensure that other parts of the server configuration, such as load balancers, also operate over HTTPS in order to remain HIPAA compliant. Your hosting company and/or website administrator should be able to confirm this easily if asked.