HIPAA Blog

[ Tuesday, May 07, 2013 ]


"Storage" Creates a BA Relationship: Where do you store your old medical records?  Lots of small practices rent a self-storage unit somewhere to keep boxes of old paper medical records.  Those storage facilities don't consider themselves to be in the "medical record storage" business, don't intend to access the records, don't "maintain" them in the traditional sense of the word, don't have policies and procedures or other safeguards in place (other than locks on the doors), and probably won't be willing to sign a business associate agreement (or if they sign one, probably wouldn't do a good job of complying with it).  In common-law terms, there is no "bailment," and they don't consider themselves to be bailees.  Under the original HIPAA rules, they had a very strong argument that they were not business associates.

However, under the Omnibus Rule, they almost certainly are business associates.  Even if they protest and deny any intent to become one, they probably still are.  "Conduits" such as the post office, FedEx and UPS get a special exception, but storage companies don't.  Here's what the commentary in the Omnibus Rule says:

We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information. We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information. However, the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold. To help clarify this point, we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” (emphasis added) protected health information on behalf of a covered entity.
Document storage companies like Iron Mountain clearly are covered; what about regular storage companies that don't specialize in storing documents, but are simply self-storage warehouses?  Given that the risk of improper access (by an inside or outside actor) is basically the same, I would think you must treat them the same.


Jeff [11:37 AM]
