New HIPAA Agreements Not Applicable to Self Storage

Recently, certain amendments to the Federal Health Insurance Portability and Accountability Act (HIPAA) were adopted.  These amendments became effective on March 26, 2013 and compliance with these new rules is generally required by September 23, 2013.  These new rules do not affect self storage but they are likely to cause confusion at least initially.  In light of the new rules, some of your tenants who store medical records at your self-service storage facility may ask you to sign a HIPAA “business associate” agreement.  Do NOT sign any such agreement.  If you sign a business associate agreement  you will impose significant additional requirements on your facility, and thus subject yourself to additional potential liability.  Instead, if your tenants ask you to sign a HIPAA business associate agreement, give them a copy of this article.

HIPAA was passed by Congress in 1996 and, among other things, requires certain protection and confidential handling of protected health information.

The new HIPAA rules seek to “strengthen the privacy and security protection for individuals’ health information.” Parties charged with these new protection obligations include “business associates.”  A “business associate” under HIPAA is someone who creates, receives, maintains, or transmits protected health information on behalf of an entity covered by HIPAA (an example of a covered entity would be a doctor’s office).  The legislative history to the new rules specifically states that “document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.”  This language on its face is arguably ambiguous when self-storage is considered – do you “maintain” information for your tenants?  Are you a document storage company?  TSSA legal counsel does not believe so, and fortunately, the U.S. Department of Health and Human Services agrees.

TSSA legal counsel consulted with legal counsel for the U.S. Department of Health and Human Services on this issue, and confirmed that commercial facilities, such as office buildings and self-storage facilities, that do not foreseeably have access to protected health information are NOT “business associates” under the new rules; rather, they are merely contractors.  If, however, an entity (such as Iron Mountain) is in the business of picking up, transporting and storing protected health information (whether in paper or electronic form), such that its employees could readily and regularly have access to such protected health information, it would be considered to be a “business associate” under the new HIPAA rules.

By definition, under Texas law, self-service storage units are “cared for and controlled by the tenant.”  A self-storage facility doesn’t keep a key or have ready access to the tenant’s unit, and thus does not fall under HIPAA as a business associate.

TSSA legal counsel also confirmed with the attorney for the U.S. Department of Health and Human Services that access in the event of foreclosure or some other enforcement action will NOT cause a storage facility to be classified as a “business associate.”  This is an analogous situation to a landlord who leases office space to a doctor – that landlord also has a landlord’s lien, but is not a business associate under HIPAA.

Closing Thoughts
The new HIPAA rules do NOT impact TSSA members.  The most important thing is to know that you are NOT a “business associate” under HIPAA, and should NOT sign a business associate agreement with any of your tenants.