What is the HIPAA Conduit Exception Rule?

A lot of HIPAA covered entities are not aware of the HIPAA Conduit Exception Rule. Consequently, there are companies which are mistakenly classified as conduit when the truth is they are business associates. This violates the HIPAA rules and could be issued financial penalties.

The HIPAA Omnibus Final Rule, which was issued on January 25, 2014, updated the definition of a business associate. Aside from creating, receiving or transmitting protected health information (PHI) for a covered entity, a business associate additionally keeps PHI. This indicates that organizations or service providers that store data in electronic or physical form are viewed as business associates. As per the Omnibus Rule, the majority of service providers that transmit data are categorized as business associates.

The HIPAA Conduit Exception rule was likewise described in the HIPAA Omnibus Final Rule. It mentioned that certain vendors need not enter into a business associate agreement. This exception rule is restricted to covered entities that transfer PHI yet does not have access to the sent data or the saved copies. The covered entities just act as conduits where PHI passes.

The entities to which the HIPAA Conduit Exception Rule apply are the US Postal service and privately owned couriers such as UPS, DHL, Fed-Ex and other electronic equivalents. Internet Service Providers (ISPs) that offer basic data transmission services are likewise conduits. In other words, the HIPAA Conduit Exception Rule applies simply to PHI transmission-only service providers. If the conduit saves PHI, it ought to be transient and not persistent in character.

Several companies say that they don’t gain access to the delivered info. That is not enought to be categorized as a conduit. A conduit doesn’t get access to PHI; sent data is often saved in the short term; and it doesn’t have the key that will unlock encrypted files. Many misclassified providers as conduits include email providers, cloud service companies, fax companies and SMS/messaging companies. These are definitely not conduits and must have BAA with a covered entity prior to offering services used in combination with PHI. A number of fax companies professed they are conduits since they work as electronic equivalent of USPS, however are not subject to the HIPAA Conduit Exception Rule. Faxes save info and the storage isn’t temporary.

A lot of mistakenly classified vendors as a conduit instead of a business associate were fined by the Department of Health and Human Services’ Office for Civil Rights since they have exposed PHI without affixing their signature to a BAA first. In 2017, these healthcare providers had to pay OCR a certain amount to settle the violation:

Oregon Health & Science University paid $2,700,000

North Memorial Health Care of Minnesota paid $1,550,000

Center for Children’s Digestive Health paid $31,000

Care New England Health System paid $400,000

Penalty Charges for Miscategorizing a Business Associate as a Conduit

Any vendor which has regular access to PHI is regarded as a business associate. All business associates should sign a BAA with the HIPAA-covered entity prior to providing PHI or giving access to PHI. Miscategorizing a vendor as a conduit instead of a business associate could cause a substantial financial charge, considering that PHI will have been exposed without first signing a BAA.

The Department of Health and Human Services’ Office for Civil Rights has penalized a lot of covered entities which were found to give PHI access to a vendor without having a signed BAA. In 2017, the Center for Children’s Digestive Health paid OCR $31,000 to settle this type of violation. In 2016, Care New England Health System resolved its case of HIPAA violation for $400,000, North Memorial Health Care of Minnesota spent $1,550,000 and Oregon Health & Science University resolved a case for $2,700,000.