What is the HIPAA Conduit Exception Rule?


The HIPAA Conduit Exception Rule exempts entities that provide transmission services from being classified as business associates when their access to protected health information (PHI) during the provision of the transmission service is only temporary. HHS' Office for Civil Rights (OCR) describes such transmission services as having "transient" rather than "persistent" access to PHI.

The HIPAA Omnibus Final Rule updated the definition of a business associate. In addition to creating, receiving or transmitting PHI on behalf of a covered entity, a business associate is now also any entity that maintains PHI. This means that organizations and service providers that store PHI, in electronic or physical form, are business associates even if they never view the data. Under the Omnibus Rule, most service providers that handle PHI, including many that transmit it, are therefore business associates; the conduit exception is narrow.

The HIPAA Conduit Exception Rule was also described in the HIPAA Omnibus Final Rule, which noted that certain vendors need not enter into a business associate agreement (BAA). The exception is limited to entities that transmit PHI on behalf of a covered entity but have no access to the data being transmitted and retain no persistent copies of it. Such entities merely act as conduits through which PHI passes.

The entities to which the HIPAA Conduit Exception Rule applies are the US Postal Service, private couriers such as UPS, DHL and FedEx, and their electronic equivalents. Internet Service Providers (ISPs) that offer only basic data transmission services are also conduits. In other words, the HIPAA Conduit Exception Rule applies only to transmission-only service providers. If a conduit stores PHI at all, the storage must be transient (for example, only for as long as the transmission itself requires) rather than persistent.

Many vendors claim that they do not access the data they carry. That claim alone is not enough to qualify as a conduit. A conduit does not access PHI, stores transmitted data only briefly if at all, and does not hold the key needed to decrypt any encrypted PHI it carries. Vendors frequently misclassified as conduits include email providers, cloud service providers, fax services and SMS/messaging companies. These are not conduits and must sign a BAA with the covered entity before their services are used in connection with PHI. Some fax companies have claimed conduit status on the grounds that they are the electronic equivalent of USPS, but they do not fall within the HIPAA Conduit Exception Rule: fax services store the transmitted data, and that storage is not temporary.
</gre_replace>
<gr_replace lines="15" cat="clarify" orig="A lot of mistakenly classified vendors">
Several covered entities that mistakenly treated a vendor as a conduit rather than a business associate have had to settle with the Department of Health and Human Services' Office for Civil Rights, because PHI was disclosed to the vendor without a signed BAA in place. The following healthcare providers paid OCR to settle violations of this type:

A lot of mistakenly classified vendors as a conduit instead of a business associate were fined by the Department of Health and Human Services’ Office for Civil Rights since they have exposed PHI without affixing their signature to a BAA first. In 2017, these healthcare providers had to pay OCR a certain amount to settle the violation:

Oregon Health & Science University paid $2,700,000

North Memorial Health Care of Minnesota paid $1,550,000

Center for Children’s Digestive Health paid $31,000

Care New England Health System paid $400,000

Penalty Charges for Miscategorizing a Business Associate as a Conduit

Any vendor that has routine access to PHI is a business associate. A BAA must be in place between the HIPAA-covered entity and the business associate before PHI is disclosed to the vendor or the vendor is given access to it. Misclassifying a vendor as a conduit rather than a business associate can result in a substantial financial penalty, because PHI will have been disclosed without a BAA having been signed first.

The Department of Health and Human Services' Office for Civil Rights has settled with many covered entities found to have given a vendor access to PHI without a signed BAA. In 2017, the Center for Children's Digestive Health paid OCR $31,000 to settle a violation of this type. In 2016, Care New England Health System settled its HIPAA violation case for $400,000, North Memorial Health Care of Minnesota settled for $1,550,000, and Oregon Health & Science University settled for $2,700,000.

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA