by boas 4758 days ago
According to Amazon, their employees are not allowed to access to your data, so you don't need to sign a business associate agreement with them to be HIPAA compliant. I imagine this is similar to how sending patient information through the post office is not considered a disclosure to the post office.

Unfortunately, contracts with most medical companies or governments handling HIPAA data disagree.
Actually, the HMO I worked for did. Every vendor, such as ISPs, colos, and some API suppliers, had to sign the CYA agreement. Most of them are aghast when you ask them to sign. Basically, they have to take on all of the liabilities. I've never seen it have to be exercised, however.
Do you sign business associate agreements with your colo facility, ISP, and landlord? They also are physically capable of accessing your data, even though they are legally or contractually forbidden from doing so.
The orgs that I have worked with draw the line somewhere between colo and ISP: anyone with potential access to unencrypted network traffic or who is operating equipment containing affected data. Usually the lawyers can agree to contractual terms for the landlord without a BAA.

I'm not arguing that it makes sense, just that it happens.