Cloud Storage Providers Storing Protected Health Information May Be Obligated to Comply with HIPAA Regulations

by Wilson Sonsini Goodrich & Rosati

A recently issued government rule may unknowingly create significant liability and legal risk for many technology enterprises. The expanded definition of "business associates" and related interpretations by the Department of Health and Human Services (HHS) suggest that many companies should revisit how they provide services and ask whether they are providing their services to health care providers, health plans, or health care clearing houses (collectively, "covered entities"). HHS seeks to implement the mandates of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) by modifying its regulatory scheme (the "HIPAA Rules") that implements the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 Two of the most important changes involve "business associates," defined as entities that perform functions or activities on behalf of covered entities or other business associates that involve the use or disclosure of protected health information (PHI). Among many other changes, the omnibus rule:

  1. expanded the definition of "business associate" and
  2. placed the obligation of HIPAA compliance directly on business associates.

Companies Storing PHI May Be Business Associates

Under the new rule, any entity "that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information" is a "business associate."2 HHS considers entities to be business associates when they persistently store PHI; however, entities that act as mere conduits for the transmission of PHI, possessing the PHI for only a brief period of time to facilitate a data transfer, are likely not business associates. Addressing the question of where to draw the line between a business associate and a conduit, in the guidance accompanying the omnibus rule, HHS states that the determination is "based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity." In essence, entities that deal with PHI in a transient manner are not business associates, but all other entities are business associates to the extent that they deal with PHI for covered entities or business associates. Many entities historically took the position that because they neither accessed nor maintained PHI in any knowing way, they were not business associates. Instead, they maintained that their activities were incidental to the provision of their services and they should not be treated as business associates under the statute.

Storage Providers May Be Business Associates Even Without Tangible Access or Use of PHI

The newly released rule may give cause for alarm among many technology companies that provide services to health-related businesses. Many such businesses historically have given little thought to whether or not their customers were covered entities under HIPAA. Or, because they did not have access to any PHI, they believed the HIPAA rules did not apply. Under the omnibus rule, however, whether an entity actually accesses the PHI is irrelevant to HHS's determination of whether an entity is a business associate. Per HHS, "An entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information." Further, HHS specifically calls out data storage companies and explains that they are in fact business associates, regardless of whether they ever actually access the PHI that they store.

The significance of "maintaining" data for many companies cannot be overstated. The application of HIPAA regulations to entities that store data should strongly encourage many entities to re-evaluate their policies and compliance strategies and to review their client bases in order to evaluate risk exposure and liability under the HIPAA Rules.

Storage Providers May Be Business Associates Even Without a Direct Relationship with a Covered Entity

HITECH also contains, and the HIPAA omnibus rule reflects, a mandate that subcontractors of business associates be directly required to comply with all regulations applicable to business associates. HHS explained that this requirement reflects an effort to "avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity."

This regulation shift directly affects data storage providers to the extent that they store PHI downstream from a covered entity. Cloud providers that simply transmit PHI likely are not business associates, but once a cloud provider stores the PHI in anything other than a transient manner, according to HHS, it may assume the role of a business associate, even if (1) it never accesses the PHI, and (2) it did not receive the PHI directly from a covered entity. Even cloud providers that store PHI far down the chain of service providers from the covered entity may have HIPAA compliance obligations. Given that many providers often lack any specific knowledge or awareness of the type and nature of client data they may maintain, and often do so specifically for privacy and security reasons, the new rule could easily catch many off guard.

Compliance Risks for Data Storage Providers: Direct Liability and Civil and Criminal Penalties

Prior to HITECH, covered entities were directly responsible for compliance with HIPAA regulations, while business associates were only contractually obligated to meet regulatory requirements via their business associate agreements with covered entities. While covered entities could face government enforcement actions, the risk to business associates was historically limited, in most cases, to private lawsuits from their customers and indemnity obligations.

The omnibus rule makes business associates directly responsible for compliance with applicable HIPAA regulations. From a practical standpoint, for entities formerly contractually obligated to comply, this change may have no effect. However, for entities such as cloud storage providers and subcontractors that may have no—or incomplete—preexisting compliance obligations, the impact is significant. Moreover, a considerable amount of the compliance risks are now shifted from the shoulders of the covered entity to the entities that it works with—and every entity downstream from the covered entity. As HHS stated in the omnibus rule guidance, "we believe that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that protected health information is not adequately protected when provided to subcontractors."

Direct responsibility for, and liability for lack of, HIPAA compliance is especially significant in light of the considerable monetary and criminal penalty provisions mandated by HITECH. Failure to comply can result in sizable fines and even imprisonment.3 For example, the minimum fine is $100 per violation, with a calendar-year cap of $25,000 for identical violations, and the maximum fine can be as high as $50,000 per violation, with a $1.5 million calendar-year cap for identical violations. As another example, any person, including an employee of a covered entity or business associate, that commits certain acts knowingly may be fined up to $250,000 and/or imprisoned for up to 10 years.

Notably, while business associates now have direct compliance responsibility, they also retain contractual responsibility and risk. The omnibus rule kept the preexisting requirement that covered entities and business associates execute specific business associate agreements. So, business associates must still provide contractual assurances that they will comply with HIPAA regulations. Further, contractual obligations and risk flow down the relationship chain, as subcontractors also must execute such agreements with business associates. As HHS stated in the omnibus rule guidance, "covered entities must ensure that they obtain satisfactory assurances required by the Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far 'down the chain' the information flows."


In view of these significant changes to HIPAA regulations and HHS's explicit contemplation of data storage providers as business associates, entities that provide such services should consider a review of their policies and procedures for privacy and data security. In doing so, evaluation of customer profiles and relationships and performance of risk assessments regarding potential storage of PHI may make sense. A challenge under the new regulations is the risk that data storage providers may unknowingly receive PHI from clients, and thereby may become subject to penalties and enforcement actions. As a consequence, some businesses may seek to bring their security measures into compliance without knowing for certain whether the rules apply or they may evaluate ways to expressly exclude entities possessing PHI from their services in efforts to avoid unnecessary liability.

Wilson Sonsini Goodrich & Rosati attorneys regularly assist clients with all aspects of their privacy and information governance needs, including HIPAA compliance evaluations, contractual issues related to health information, security incident responses, and incident avoidance. For additional information, please contact Gerry Stegmaier at or (202) 973-8809, Wendy Devine at or (858) 350-2321, or Wendell Bartnick at or (202) 973-8963.

1 Changes also were made according to the Genetic Information Nondiscrimination Act.

2 For additional detail, please see our prior WSGR Alert at

3 For additional detail, please see our prior WSGR Alerts at and

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
