Crowell & MoringRobin B. Campbell

The Health Insurance Portability and Accountability Act (HIPAA) final rule published on January 25, 2013 contains important changes that affect data management organizations, such as cloud providers. In many cases, entities that have access to health information will be considered “Business Associates.” Such entities would therefore be required to comply with HIPAA’s extensive security provisions within the next six months and could face significant liability for the failure to do so. This may be particularly troublesome for cloud providers and e-discovery vendors because such requirements and potential liability may apply even where vendors do not actively solicit health information.

In general, entities that create, receive, maintain, or transmit information about health care treatment or payment (referred to as “Protected Health Information” or “PHI”) on behalf of Covered Entities (i.e., health care providers, health plans, and health care clearinghouses) are considered “Business Associates.” Under the final rule, Business Associates and any downstream subcontractors must now comply with many of the security requirements set forth in the HIPAA regulations, a more detailed analysis of which is available here. The failure to comply with HIPAA regulations may lead to significant monetary penalties and government investigations, discussed in more depth here.

The HIPAA regulations, however, previously carved out an exception to the definition of “business associate” for entities that merely serve as “conduits” through which PHI travels (such as the United States Postal Service). Many data storage companies had sought to expand this exception in the final rule to cover arrangements in which an entity stores, but does not normally access, PHI that it maintains on behalf of a covered entity. The final rule, however, rejected attempts to exempt more entities from HIPAA compliance. Instead, business associates now include: (1) Health Information Organizations (HIO), E-prescribing Gateways, or other persons that provide data transmission services involving PHI to a covered entity and that requires routine access to such PHI; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity (i.e., a personal health record vendor or PHV). Although the final rule does not provide a bright line for what constitutes “routine access,” the rule did clarify that the conduit exception is intended to exclude only those entities providing courier services, such as the U.S. Postal Service or United Parcel Service and their electronic data transmission equivalents, such as internet service providers (ISPs). Cloud providers and other vendors that maintain PHI must therefore determine their status under HIPAA and ensure that they are fully compliant with HIPAA requirements and contracts imposing HIPAA obligations. A more detailed analysis of the conduit exception and its applicability is available here.

Further analysis of the HIPAA final rule is also available here.