GxP and Business Associates: Does it exist like HIPAA?

A Business Associate is a vendor who works with a Covered Entity within the terms set forth by HIPAA. A Business Associate Agreement, or BAA, is the contract between parties who handle Protected Health Information, or PHI.

The intent of a BAA is to outline ownership of risk and liability as defined by HIPAA. A chain of risk is then created as BAs sign BAAs with other Subcontractor BAs.

GxP does not have the concept or BAAs or contracts that outline risk. There is no concept of inheritance or chaining liability.

The reason stems from a topic we discussed in our GxP primer: GxP isn't a government regulation with defined vocabulary or mandated procedures, like HIPAA or GDPR. Instead, GxP is an industry-accepted understanding of NIST standards adopted by the FDA in CFR Title 21 Chapter 11.

Nowhere are BAAs or other contracts outlined. There is no risk passed down via GxP.

Instead, when a cloud service provider, like Datica, claims GxP compliance, they are claiming that they have been audited against the interpretations of FDA guidelines. Whatever relationships that business has with its partners — like Datica with AWS — is immaterial. For example, a customer of Datica is only concerned if Datica itself is GxP compliant; contrast this to HIPAA, where a customer of Datica is also concerned what BAA inheritance Datica has with its partners.

For more information on HIPAA, check out the Datica Blog. Additional questions? Contact one of our experts today.