True or False: A vendor that stores encrypted copies of files from a covered entity is not a Business Associate because the ePHI is unreadable.

The assertion that a vendor storing encrypted copies of files from a covered entity is not a Business Associate solely because the electronic Protected Health Information (ePHI) is encrypted is false. Under the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate is defined as a person or entity that performs functions or activities on behalf of a covered entity that involves the use or disclosure of protected health information.

Even if the data is encrypted and therefore unreadable without the proper decryption key, the vendor is still handling ePHI on behalf of the covered entity. The requirement for Business Associate status applies regardless of the encryption status of the data. Therefore, the relationship and the use of ePHI dictate the Business Associate classification, not the readability of the information.

This underscores the principle that the protection of ePHI is paramount, and the vendor's role and responsibilities in working with that information must be clearly defined in a Business Associate Agreement (BAA), regardless of whether the data is encrypted.