Excellent discussion point!
If we sell our cloud-based video product (www.rp1cloud.com) as a private cloud solution and the customer wishes to store their recordings on-site, we effectively become a conduit. The data at rest is now managed by the customer. The data in transit is the responsibility of the customer. Pragmatic is no longer a Business Associate. And as per the HIPAA conduit exception rule, HIPAA compliance no longer applies to RP1Cloud, a division of Pragmatic, and we would not need to sign a Business Associate Agreement (BAA). We see it as being the same as a telephone company, an ISP, or the Postal Service for a private cloud deployment. Here is an article that has salient points that we believe bolsters that perspective. http://www.healthcarebusinesstech.com/hipaa-conduit-exception-rule/. The fact that we provide the medium used to communicate doesn’t place us in the role of BA, as we understand it.