A business associate may only use and disclose PHI as permitted by its BAA and the Privacy Rule, or as otherwise required by law. While a CSP that provides only no-view services to a covered entity or business associate customer may not control who views the ePHI, the CSP still must ensure that it itself only uses and discloses the encrypted information as permitted by its BAA and the Privacy Rule, or as otherwise required by law. This includes, for example, ensuring the CSP does not impermissibly use the ePHI by blocking or terminating access by the customer to the ePHI.[ii]
Further, a BAA must include provisions that require the business associate to, among other things, make available PHI as necessary for the covered entity to meet its obligations to provide individuals with their rights to access, amend, and receive an accounting of certain disclosures of PHI in compliance with 45 CFR § 164.504(e)(2)(ii)(E)-(G). The BAA between a no-view CSP and a covered entity or business associate customer should describe in what manner the no-view CSP will meet these obligations – for example, a CSP may agree in the BAA that it will make the ePHI available to the customer for the purpose of incorporating amendments to ePHI requested by the individual, but only the customer will make those amendments.