Store PHI? You are a Business Associate

December 14, 2015

Here is what the HIPAA rules state about data storage companies:

“For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis,” the rule states. “Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.”

This is an area where many document storage companies, including cloud computing providers, are either uninformed, misinformed, or willfully negligent. I hear arguments such as “we only store a little bit of pretty insignificant patient data that is not really PHI” or “we store PHI and could access it, but we never actually access it”. Sometimes I hear an argument from the past: “we are only a conduit and therefore not subject to HIPAA.”

Since, as we all know, ignorantia legis neminem excusat, or ignorance of the law is no excuse, these arguments will not suffice for a client, a business partner, or an auditor. A corollary to this is that failing to require a storage company to sign a business associate agreement, and to enforce it, will not suffice for a covered entity either. This qualifies as willful neglect.

We have had over two years for the rules encompassed in the Omnibus Rule to be absorbed and adhered to by both covered entities and, more importantly, business associates. 2016 will usher in a new era for both, as auditors will be examining the compliance of both in unannounced audits. If the covered entity has not required the business associate to be HIPAA compliant, they are at fault. If the business associate is not compliant, they are at fault.

To a great extent, HHS is relying on the covered entity to monitor and enforce HIPAA compliance by its business associates. If it doesn’t, and either a breach happens or one of the parties is audited, they will both fail.

2016 is the time for both covered entities and business associates to get serious about HIPAA compliance.
