GxP and Business Associates: Does it exist like HIPAA?

Kris Gösser

Datica Alumni — Former Chief Marketing Officer

February 8, 2018 (tagged: GxP)

Under HIPAA, a Business Associate (BA) is a vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity. A Business Associate Agreement, or BAA, is the contract between the parties that handle that PHI, setting out each party's obligations under HIPAA.

The intent of a BAA is to outline ownership of risk and liability as defined by HIPAA. A chain of risk is then created as BAs sign BAAs with other Subcontractor BAs.

GxP has no concept of BAAs or of any contract that allocates risk between parties. There is no notion of inheriting or chaining liability down a vendor chain.

The reason stems from a topic we discussed in our GxP primer: GxP is not a single government regulation with a defined vocabulary and mandated procedures in the way HIPAA or GDPR is. Instead, GxP is an industry-accepted interpretation of FDA regulations and guidance, most notably 21 CFR Part 11, which governs electronic records and electronic signatures.

Nowhere in that body of regulation is a BAA or any comparable contract defined. GxP passes no risk or liability down from one party to another.

Instead, when a cloud service provider, like Datica, claims GxP compliance, it is claiming that it has itself been audited against an interpretation of the applicable FDA regulations and guidance. Whatever relationships that provider has with its own partners, such as Datica with AWS or Microsoft Azure, are not part of that claim. A customer of Datica is therefore concerned with whether Datica itself is GxP compliant; contrast this with HIPAA, where a customer of Datica is also concerned with what BAA coverage Datica has inherited from its partners.
