Developers and HIPAA

Are CSPs that don't enforce ToS tacitly accepting a BA role?

I am a compliance consultant, seeing an increasing amount of concern from cloud service providers about customers/users sharing PHI via their platforms in clear violation of Terms of Service. (Depending on the platform, customers/users range from individuals to business associates to covered entities.) Specifically, the CSPs are concerned about whether allowing accounts in violation to remain active is somehow tacit acceptance of a business associate role.

Your response to a previous inquiry (https://hipaaqsportal.hhs.gov/a/idea-v2/166157) seems to indicate that a CSP that unwittingly receives and persists PHI disclosed by individuals, in violation of terms, is still a business associate. That's a very slippery slope!

Since business associates can be held directly liable under the Security Rule, even in the absence of a BAA, the CSPs who do not wish to fulfill business associate duties are anxious for clarification on this matter.

I urge you to consider this carefully, given the ramifications.

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor)

What is your organization? : Small company, Attorney/other compliance consultant

Voting: 0 votes (0 up votes, 0 down votes)

Question No. 81