News
Datica and Sansoro Health merge to help accelerate healthcare’s data-driven future in the cloud.
Read the Announcement
Compliance
Cloud Compliance
We're the experts at understanding the exact policies and procedures required to make public cloud architecture HIPAA compliant so you can pass a HITRUST CSF assessment.
Product Family
- Datica Monitor
  Know the precise compliance state of your cloud services
- Compliant Kubernetes Service
  A compliant kubernetes cluster for enterprise scalability
Integration
EHR Integration
Datica's approach to integration removes the stress and frustration of complex healthcare data integration problems and lets you focus on your products.
Product Family
- Datica Integrate
  The industry's first any-to-any solution combining health data integration and compliance.
Learn
Learn
Master the complexities of cloud compliance and EHR integration
Company
About Datica
Datica exists to help you make the most of the healthcare cloud.
Contact Us
Help
Help
Already a Datica customer? Get help with products and services.
Subscribe to our newsletter
Subscribe to the Datica newsletter today.
Subscribe to the Datica newsletter
Get Pricing (888) 377-3184

GxP and Business Associates: Does it exist like HIPAA?

Kris Gösser

Datica Alumni — Former Chief Marketing Officer

February 8, 2018 GxP

A Business Associate is a vendor who works with a Covered Entity within the terms set forth by HIPAA. A Business Associate Agreement, or BAA, is the contract between parties who handle Protected Health Information, or PHI.

The intent of a BAA is to outline ownership of risk and liability as defined by HIPAA. A chain of risk is then created as BAs sign BAAs with other Subcontractor BAs.

GxP does not have the concept or BAAs or contracts that outline risk. There is no concept of inheritance or chaining liability.

The reason stems from a topic we discussed in our GxP primer: GxP isn’t a government regulation with defined vocabulary or mandated procedures, like HIPAA or GDPR. Instead, GxP is an industry-accepted understanding of NIST standards adopted by the FDA in CFR Title 21 Chapter 11.

Nowhere are BAAs or other contracts outlined. There is no risk passed down via GxP.

Instead, when a cloud service provider, like Datica, claims GxP compliance, they are claiming that they have been audited against the interpretations of FDA guidelines. Whatever relationships that business has with its partners — like Datica with AWS or Microsoft Azure — is immaterial. For example, a customer of Datica is only concerned if Datica itself is GxP compliant; contrast this to HIPAA, where a customer of Datica is also concerned what BAA inheritance Datica has with its partners.

Related Academy Articles

GxP stands for “Good Practice” and is a set of operational controls for Life Sciences organizations working within the confines of the FDA. Learn more about GxP compliance.

5 Steps to HITRUST CSF Certification

Complying with HIPAA and proving it are two very different things. Datica is HIPAA compliant AND can prove it with our HITRUST CSF certification.

What is the Cost of HITRUST CSF Certification in 2019?

The costs for a HITRUST Certification in 2019 have gone up as the HITRUST CSF has evolved and become more complex.

Should I Build or Buy Compliance and Integrations in 2019?

What’s it cost to build vs buy both cloud compliance and EHR integration in 2019? Hundreds of thousands of dollars. Every. Year. Get the details and costs in this overview of Datica’s 2019 TCO guides.