As required by HIPAA and HITRUST CSF regulations, before any PHI data can be stored in Snowflake, a signed business associate agreement (BAA) must be in place.

The essential idea is that handling PHI with any external service requires a formal agreement that imposes safeguards and responsibilities. Under HIPAA, a business associate agreement is required whenever a covered entity engages a third party to handle PHI. Snowflake, when it stores or processes PHI on behalf of a covered entity, functions as a business associate in that context, so a signed BAA must be in place before PHI is stored there. HITRUST CSF supports this by requiring appropriate contractual protections with vendors that handle PHI to ensure ongoing compliance. This obligation isn’t limited to the United States; HIPAA concerns PHI of US persons and applies to engagements with providers outside the US as long as PHI is involved. So the statement is true.