Developers and HIPAA

Are CSPs that don't enforce ToS tacitly accepting a BA role?

I am a compliance consultant, seeing an increasing amount of concern from cloud service providers about customers/users sharing PHI via their platforms in clear violation of Terms of Service. (Depending on the platform, customers/users range from individuals to business associates to covered entities.) Specifically, the CSPs are concerned about whether allowing accounts in violation to remain active is somehow tacit acceptance of a business associate role.


Your response to a previous inquiry seems to indicate that a CSP that unwittingly receives and persists PHI disclosed by individuals, in violation of terms, is still a business associate. That's a very slippery slope!


Since business associates can be held directly liable under the Security Rule, even in the absence of a BAA, the CSPs who do not wish to fulfill business associate duties are anxious for clarification on this matter.


I urge you to consider this carefully, given the ramifications.

2 votes (2 up, 0 down)
Question No. 81