The recently-promulgated final regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) take a broader view of entities that are considered business associates and require additional contracting between business associates. One somewhat surprising "clarification" under these broader rules is that storage providers, including cloud-based storage providers, can be considered business associates of covered entities or other business associates with which they do business. As such, in order to comply with HIPAA, covered entities and business associates may need to enter into business associate agreements with these storage providers. These rules provide that if an entity has ongoing custody of protected health information ("PHI") under HIPAA, then the entity must comply with HIPAA's requirements even if the entity does not actually access the stored materials that contain the PHI. The rules distinguish between entities that have ongoing custody of PHI and those that act as mere conduits of PHI (such as the mail service) based on the transitory nature of the PHI that flows through such a conduit. One point on which additional guidance is expected is whether an organization that stores encrypted data without a key to access the stored data is carved out from the business associate definition.
TIP: It is important for covered entities and business associates to identify and properly contract with their business associates to help ensure that protected health information is properly treated and protected as required under HIPAA. In addition, it is important for entities that store PHI to conduct an analysis to determine if they are business associates and thus directly responsible for complying with a host of HIPAA requirements.