This week, the HIPAA FAQ series continues with another topic about business associate agreements (BAAs). As most Covered Entities and Business Associates know, in the event that a Covered Entity utilizes a service provider that may have access to Protected Health Information (PHI), a BAA is required. Further, in the event that a Business Associate utilizes a subcontractor that may have access to PHI, a slightly different type of BAA is required. While this rule is generally understood, applying it is not always simple. Last week, this series explored the relationship between Covered Entities, Business Associates, and their mail carriers, and explained that entities that act as mere conduits without intended access to PHI, such as mail carriers, are not considered Business Associates. This week, this series considers a related question: in the event that a Covered Entity or Business Associate utilizes a cloud storage provider to maintain PHI, does HIPAA require a BAA to be in place?
As a general principle, when a Covered Entity or Business Associate engages a cloud storage provider to house PHI, HIPAA requires that the entities first enter into a BAA because the cloud storage provider has the ability to access the information it stores. Further, in its comments to the HIPAA regulations, the U.S. Department of Health and Human Services draws a distinction between transient data and persistent data. Importantly, stored PHI is persistent in nature, which increases the opportunity for access. Thus, because a cloud storage vendor has access to stored data and maintains it on a persistent basis, a vendor that maintains PHI for a Covered Entity or Business Associate qualifies as a Business Associate itself and must sign a BAA. This is true even if the cloud storage vendor does not, in practice, access the PHI, or does so only on a random, infrequent basis.