PLEASE SEE THIS POST FOR MORE CURRENT INFORMATION: Do the HITECH Rules Really Make All Healthcare ASPS and Cloud Services Providers Business Associates?
Most of the basic analysis applicable to determining whether a cloud services provider is a Business Associate is the same as the analysis applicable to all types of application and IT services providers in Section 11. The analysis is highly fact-specific and principally considers whether or not the provision of services requires any routine access to PHI and, if not, whether the vendor has the ability to access any PHI. The most prudent interpretation of this latter requirement is that the PHI is encrypted to the standards of the Security Breach Notification Rule guidance, and the vendor doesn’t have access to the encryption keys.