When Does the HIPAA Conduit Exception Rule Apply?

By Gene Fry, Scrypt, Inc.
Twitter: @ScryptInc

The HIPAA conduit exception rule is only applicable to providers of purely conduit services who do not have access to protected health information (PHI) other than infrequently or randomly. For this reason, conduit providers do not have to sign a Business Associate Agreement (BAA). But what exactly is a conduit service, and when does the HIPAA conduit exception rule apply?

Who is considered to be a conduit?
Any entity that simply transports or transmits PHI, such as the United States Postal Service and couriers, is considered a conduit (as it does not have routine access to PHI other than infrequently or randomly, and disclosure of the PHI to such an entity is not intended).

When it comes to electronic protected health information (ePHI), it can be difficult for healthcare organizations to differentiate between which providers are conduits, and which are not. Occasional, random access by a data transmission entity does not necessarily make the entity a HIPAA business associate, and this is where it gets confusing.

An ISP (internet service provider) is a conduit: it checks whether ePHI transmitted over its network is arriving at its intended destination, but it does not access or store the data. A cloud fax, SMS or email provider, however, is considered a business associate, as it transmits ePHI on behalf of a covered entity.

When does the HIPAA conduit exception rule apply?
This is where the preamble to the rule comes in. The preamble explicitly states that the “mere conduit” exception is intended to include organizations that deal with “any temporary storage of transmitted data incident to such transmission.” The preamble goes on to define the distinction between transmission (including incidental storage associated with such transmission) and ongoing storage.

The key difference between these two situations “is the transient versus persistent nature of” the opportunity to access PHI.

What happens if I think my provider should have signed a BAA?
The HIPAA Privacy and Security Rules define a business associate as:

“[a] Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”

If you have any doubts about whether a BAA is in place for a provider that handles protected health information for your organization, it is crucial that you confirm whether they will sign one. Without this agreement, the provider is not accountable for protecting the PHI it is handling or transmitting, meaning that they are not HIPAA compliant. This also means that the covered entity would be held accountable should a data breach occur, as well as for not ensuring a BAA is in place. This is likely to result in the covered entity being penalized for noncompliance, and the fines are hefty.

How can providers claim to be HIPAA compliant without signing a BAA?
By stating that they are acting as a ‘simple conduit for information’, some providers are able to state that they are excluded from the HIPAA definition of a business associate. While this may be the case for a small number of providers, if they are offering services which involve transmitting, receiving or storing PHI, there is no doubt that they are a business associate and must therefore sign a BAA.

If a provider who is unwilling to sign a BAA states that they will disable or delete emails, SMS, faxes, voicemails and recordings after a short period, they are freely admitting that they have more than infrequent or random access to PHI and should be classed as a business associate.

Some telecommunications providers may also claim to be HIPAA compliant, but this is only applicable to services they offer that are purely conduit. In this instance, if they also provide fax and SMS as part of their offering, these services may not actually be HIPAA compliant, and it is likely that they will not sign a BAA with organizations who require only these services.

By refusing to sign a BAA, these providers are putting their customers at risk of not being compliant.

Which providers should I have sign a BAA?
An entity that manages the transmission and storage of PHI is a business associate. This may include:

  • hosting companies
  • fax providers
  • email providers
  • SMS or other mobile messaging providers
  • EHR providers

The advice from David Holtzman, formerly of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division, regarding providers who will not sign a BAA is: “If they refuse to sign, don’t use the service”.

About the Author: Gene joined the Scrypt, Inc. family in October of 2001. He has 25 years of IT experience working in industries such as healthcare and for companies based in the U.S. and in Latin America. Gene is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute.