HIPAA, Business Associates, and the Conduit Exception

By Kim Stanger

The HIPAA privacy and security rules impose significant requirements on covered entities and their business associates; violations may result in penalties ranging from $119 to $59,522 per violation. (45 CFR § 160.404; 45 CFR § 102.3; 85 FR 2879). “Business associates” are generally those entities that create, receive, maintain or transmit protected health information (“PHI”) on behalf of a covered entity (45 § CFR 160.103, definition of business associate); thus, most entities that handle data for healthcare providers or their business associates will become business associates and subject to HIPAA requirements, including data storage, data transmission, and cloud services providers unless an exception applies.

Conduit Exception. In its Omnibus Rule commentary, HHS concluded that entities that do not have access to PHI on a routine basis (i.e., entities that are mere “conduits” for PHI) are not business associates or subject to HIPAA:

Regarding what it means to have “access on a routine basis” to [PHI] with respect to determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to [PHI] to perform the service for the covered entity. The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to [PHI] when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to [PHI] would not qualify the company as a business associate. In contrast, an entity that requires access to [PHI] in order to perform a service for a covered entity, such as a Health Information Organization that manages the exchange of [PHI] through a network on behalf of covered entities through the use of record locator services for its participants (and other services), is not considered a conduit and, thus, is not excluded from the definition of business associate….

We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information. We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information. However, the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold. To help clarify this point, we have modified the definition of ‘‘business associate” to generally provide that a business associate includes a person who ‘‘creates, receives, maintains, or transmits” (emphasis added) protected health information on behalf of a covered entity.

…We also clarify that the same interpretations that apply to determining whether a first tier contractor is a business associate also apply to determining whether a subcontractor is a business associate. Thus, our interpretation of who is and is not excluded from the definition of business associate as a conduit also applies in the context of subcontractors as well. We refer readers to the above discussion regarding transmission services and conduits.

(78 FR 5571-72, 74; see also 65 FR 82476 and https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html (“the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.”)).

The OCR has also posted the following FAQ addressing the conduit exception:

Are the following entities considered “business associates” under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?

Answer: No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.

(https://www.hhs.gov/hipaa/for-professionals/faq/245/are-entities-business-associates/index.html; see also https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html (“Other Situations in Which a Business Associate Contract Is NOT Required. … With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.”).

The Net Effect. Although the “conduit” exception is helpful to entities wishing to avoid business associate status, the scope of the exception is narrow and is often misunderstood or misapplied. Covered entities and business associates should carefully consider its scope before relying on the exception. When in doubt, the safest course for covered entities is to require a business associate agreement.