Many HIPAA covered entities do not fully understand the HIPAA Conduit Exception Rule. As a result, some services are misclassified as conduits when in reality they are business associates. This is a violation of HIPAA rules and attracts financial penalties.
The issuance of the HIPAA Omnibus Final Rule on January 25, 2014 introduced an updated definition of a business associate. A business associate not only creates, receives or transmits protected health information (PHI) on behalf of a covered entity, but also maintains PHI. This means that companies or services that store PHI in electronic or physical format are considered business associates. According to the Omnibus Rule, most data transmission service providers are classified as business associates.
The HIPAA Conduit Exception Rule was also defined in the HIPAA Omnibus Final Rule. It states that some vendors do not need to sign a business associate agreement. The exception is limited to entities that transmit PHI but have no access to the transmitted information or to any stored copies of it. Such entities serve only as conduits through which PHI flows.
Examples of entities covered by the HIPAA Conduit Exception Rule are the US Postal Service and private couriers like UPS, FedEx and DHL, along with their electronic equivalents. Internet Service Providers that offer simple data transmission services are also conduits. Simply put, the HIPAA Conduit Exception Rule applies only to PHI transmission-only services. If a conduit stores PHI at all, that storage must be transient, not persistent.
Some service providers say that they do not access transmitted information. Saying so is not enough to be classified as a conduit. A conduit does not have access to PHI; any transmitted information it holds is stored only temporarily; and it does not hold the key to decrypt encrypted data. Vendors commonly misclassified as conduits include email service providers, cloud service providers, fax service providers and SMS/messaging service providers. These are not conduits and need business associate agreements with a covered entity before providing services that involve PHI. Some fax service providers have claimed to be conduits because they serve as the electronic equivalent of the USPS, but they are not covered by the HIPAA Conduit Exception Rule: faxes store information, and that storage is not transient.
Many covered entities that misclassified a vendor as a conduit rather than a business associate have been penalized by the Department of Health and Human Services’ Office for Civil Rights because they disclosed PHI without first signing a BAA. In 2017, the following organizations paid OCR settlements to resolve business associate agreement failures:
- Center for Children’s Digestive Health – $31,000
- Care New England Health System – $400,000
- North Memorial Health Care of Minnesota – $1,550,000
- Oregon Health & Science University – $2,700,000