What is GxP?
GxP stands for "Good Practice" and is a set of operational controls for Life Sciences organizations working within the confines of the FDA. Learn more about GxP compliance.
A Business Associate is a vendor who works with a Covered Entity within the terms set forth by HIPAA. A Business Associate Agreement, or BAA, is the contract between parties who handle Protected Health Information, or PHI.
The intent of a BAA is to outline ownership of risk and liability as defined by HIPAA. A chain of risk is then created as BAs sign BAAs with other Subcontractor BAs.
GxP does not have the concept of BAAs or contracts that outline risk. There is no concept of inheritance or chaining liability.
The reason stems from a topic we discussed in our GxP primer: GxP isn't a government regulation with defined vocabulary or mandated procedures, like HIPAA or GDPR. Instead, GxP is an industry-accepted understanding of NIST standards adopted by the FDA in CFR Title 21 Chapter 11.
Nowhere are BAAs or other contracts outlined. There is no risk passed down via GxP.
Instead, when a cloud service provider, like Datica, claims GxP compliance, they are claiming that they have been audited against the interpretations of FDA guidelines. Whatever relationships that business has with its partners — like Datica with AWS — are immaterial. For example, a customer of Datica is only concerned with whether Datica itself is GxP compliant; contrast this with HIPAA, where a customer of Datica is also concerned with what BAA inheritance Datica has with its partners.