A new HIPAA rule defines cloud hosting companies as ‘business associates’.
As business associates, these data hosting companies must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the U.S. Department of Health and Human Services (HHS). Companies that host data in the cloud or provide backup services will be responsible for health information leaks.
Another important note: Health and Human Services has increased the maximum penalty for noncompliance from $250,000 to $1.5 million per violation.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html