Data Centers and HIPAA: Navigating an Evolving Compliance Landscape
- Errol Janusz

- Aug 4
- 3 min read

Data centers provide co‑location, electrical power and connectivity for a wide variety of industries. When customers use that infrastructure to house servers containing protected health information (PHI), operators must consider whether the federal Health Insurance Portability and Accountability Act (HIPAA) applies to their operations. The stakes are high: under HIPAA, mishandling of PHI can lead to significant penalties, so knowing when compliance obligations attach is essential.
The Regulatory Framework: Covered Entities, Business Associates and Subcontractors
HIPAA’s privacy and security rules apply to three categories of actors: “covered entities,” “business associates” and “subcontractors.” Covered entities include health plans, healthcare clearinghouses and most healthcare providers. Business associates are enterprises that perform services for covered entities and, in doing so, create, receive, maintain or transmit PHI. Subcontractors provide PHI‑related services to business associates. HIPAA also treats organizations that routinely transmit PHI as business associates.
On its face, a data center may seem agnostic—supplying racks and cooling without regard to whether the tenant is a healthcare organization. However, when a data center houses customer hardware storing PHI, it must ask whether it falls within HIPAA’s definition of a business associate and, if so, whether a business associate agreement (BAA) is required. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA and has refined its position on PHI storage over time.
From Physical Records to Cloud Services: Shifting Agency Guidance
Early Letter to a Storage Vendor
In a 2003 letter to Tindall Record Storage, OCR opined that a document storage company did not need a BAA when it maintained closed and sealed containers of PHI and could not access the contents. Applying that logic to colocation services, one might conclude that a data center lacking access to its clients’ data would avoid business‑associate status. Subsequent statutory amendments and guidance, however, have eroded this narrow view.
The HITECH Act and the 2013 Omnibus Rule
Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. This statute expanded HIPAA’s reach by requiring business associates to comply directly with the security rule and to honor the privacy provisions set forth in their BAAs. When OCR finalized regulations implementing the HITECH Act in 2013, it recast the earlier Tindall guidance. The preamble to those regulations labelled a record storage company that held boxes of paper records—but lacked knowledge of the individuals—a business associate. This shift signaled that simply lacking direct access to PHI no longer shielded service providers from HIPAA.
2016 Guidance on Cloud Service Providers
In 2016, OCR published informal guidance clarifying that cloud service providers (CSPs) qualify as business associates when they process or store electronic PHI (ePHI), even if the ePHI is encrypted and the CSP has no decryption key. OCR explained that encryption alone does not absolve a service provider from HIPAA’s safeguards, such as disaster recovery and physical security measures. While certain compliance tasks—like user authentication—may be handled by the covered entity when the CSP cannot access PHI, these responsibilities must be allocated in the BAA. Collectively, this guidance underscores that digital storage and transmission services are subject to HIPAA even when the provider does not actively view the data.
When a Data Center Is a Business Associate: Compliance Obligations
If a data center meets HIPAA’s definition of a business associate, it must develop a comprehensive HIPAA compliance program. Key obligations include:
- Inventory of PHI storage: Operators should identify where PHI resides within their facilities and understand how it is stored and maintained.
- Thorough risk analysis: They must assess potential threats and vulnerabilities to ePHI and document how identified risks will be mitigated.
- Designation of a security official: A responsible individual should be appointed to craft and implement policies and procedures that ensure compliance.
- Workforce training: Personnel should receive training on the HIPAA requirements relevant to their duties.
- Flow‑down requirements: BAAs must be executed with subcontractors who touch or maintain PHI so that they too abide by HIPAA.
It is important to note that existing physical and technical safeguards, while essential, may be insufficient by themselves. When serving covered entities or business associates, data centers must integrate HIPAA‑specific controls into their operations.