The HIPAA Conduit Exception Rule has led to a lot of confusion for many HIPAA covered entities, but it is crucial that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules breached and a major financial penalty issued for noncompliance.
Business Associates and the HIPAA Omnibus Final Rule
On January 25, 2013, the HIPAA Omnibus Final Rule was released. The HIPAA Omnibus Final Rule brought in a range of updates to HIPAA Rules, including the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HIPAA Omnibus Final Rule incorporated an update to the definition of a business associate. Before January 25, 2013, a business associate was an individual or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus Rule added ‘maintains’ to that definition. That meant businesses that store electronic information – or physical records – are classified as business associates. The Omnibus Rule also confirmed that most data transmission service suppliers are also classed as business associates.
Explaining the HIPAA Conduit Exception Rule
The HIPAA Conduit Exception Rule is described in the HIPAA Privacy Rule, but was defined in the HIPAA Omnibus Final Rule. The Rule permits HIPAA-covered entities to use certain vendors without having to complete a business associate agreement. The HIPAA Conduit Exception Rule is narrow and exempts only an extremely restricted group of entities from having to enter into business associate agreements with covered entities. The Rule applies to entities that transmit PHI but do not have access to the transmitted information and do not store copies of the data. They simply act as conduits through which PHI moves.
The HIPAA Conduit Exception Rule covers entities such as the US Postal Service and certain private couriers, including FedEx, UPS, and DHL, as well as their electronic equivalents. Companies that simply provide data transmission services, such as Internet Service Providers (ISPs), are classified as conduits.
The HIPAA Conduit Exception Rule is restricted to transmission-only services for PHI. If PHI is held by a conduit, the storage must be transient in nature, and not persistent.
It does not matter if the service provider says it does not view transmitted information. To be classified as a conduit, the service provider must not have access to PHI, must only store transmitted information temporarily, and must not hold a key that would allow it to recover encrypted data.
Vendors that are often wrongly classified as conduits are email service providers, fax service suppliers, cloud service providers, and SMS and messaging service providers. These service providers are NOT considered conduits, and all must enter into a business associate agreement with a covered entity before the service is used in conjunction with any PHI.
Some service providers assert that they are conduits when they are not, in order to avoid having to complete a business associate agreement. Certain fax service providers have claimed to be conduits, and while at face value they seem to be an electronic equivalent of an entity such as the US Postal Service, they are not covered by the HIPAA Conduit Exception Rule. Fax services do not simply pass documents from the sender to the recipient. Faxes are held, and that storage is not classified as transient.
Fines for Misclassifying a Business Associate as a Conduit
Any vendor that has routine access to PHI is classified as a business associate. All business associates must sign a business associate agreement with the HIPAA-covered entity before PHI is provided or access to PHI is granted.
Wrongly classifying a vendor as a conduit instead of a business associate can result in a significant financial penalty, since PHI will have been shared without first entering into a business associate agreement.
The Department of Health and Human Services’ Office for Civil Rights has penalized many covered entities that were discovered to have shared PHI with a vendor without first obtaining a business associate agreement (BAA).