What is the HIPAA Conduit Exception Rule?

Source: HIPAAGuide.net

The HIPAA Conduit Exception Rule exempts organizations that provide transmission services from qualifying as business associates when access to Protected Health Information during the provision of a service is temporary. HHS' Office for Civil Rights describes transmission services of this nature as having "transient" access to PHI rather than "persistent" access (78 FR 5566).

In 2009, Congress enacted the HITECH Act, Subtitle D of which made business associates directly liable for compliance with certain requirements of the HIPAA Rules. This requirement of the HITECH Act was implemented in the HIPAA Omnibus Rule of 2013. Prior to the publication of the HIPAA Omnibus Rule there was a lengthy consultation period, during which the question of who qualifies as a business associate was frequently raised.

In the context of the HIPAA Conduit Exception Rule, several questions related to §13408 of the HITECH Act. This section requires covered entities to enter into Business Associate Agreements with organizations that provide data transmission services when the organizations or services have access to Protected Health Information (PHI) on a "routine basis". As PHI can be oral, paper, or digital, this section needed careful clarification.

The HIPAA Conduit Exception Rule Explained

In the preamble to the HIPAA Omnibus Rule (78 FR 5566), HHS' Office for Civil Rights confirmed that data transmission organizations that do not require access to PHI on a routine basis would not be treated as business associates. The agency noted "entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates."

In response to the question of what is considered a "routine basis", HHS' Office for Civil Rights gave the example of an organization that manages the exchange of PHI through a network, such as a Health Information Organization or e-prescribing gateway (the examples named in §13408 of the HITECH Act). In the example, the organization would need "more than random access to PHI" (i.e., "routine" access) to provide a service for a covered entity and so would fall within the definition of a business associate.

The agency further elaborated on its answer by explaining that the HIPAA Conduit Exception Rule only applies when any temporary storage of PHI is incidental to the transmission service (whether digital or hard copy). HHS' Office for Civil Rights described incidental access as "transient" access and listed courier services such as the U.S. Postal Service, and their digital equivalent (Internet service providers), as examples of organizations that would not qualify as business associates.


Business Associates with No View Access to PHI

The preamble to the HIPAA Omnibus Rule also resolved an issue regarding data transmission services that have "no view" access to PHI, for example because PHI is encrypted and the covered entity maintains the decryption key. (Note: this issue also applies to rented physical storage services for paper PHI when the key to the location(s) in which paper PHI is stored is maintained by the covered entity.)

Explaining that such services nonetheless have "persistent" access to PHI, HHS' Office for Civil Rights announced that the definition of business associate in §160.103 was being amended so the definition applies to entities who create, receive, maintain, or transmit PHI for or on behalf of a covered entity (emphasis in the original on "maintain", the term that brings storage services into the definition regardless of whether they view the PHI). The amended definition also applies to subcontractors who provide services to business associates.

This leaves a very narrow band of service providers who do not qualify as business associates under the HIPAA Conduit Exception Rule. However, there is no definitive list of "conduit exceptions", because whether a Business Associate Agreement is necessary is a fact-specific determination based on the nature of the service being provided and the nature of the access to PHI necessary to provide that service to a covered entity.

Although the HIPAA Conduit Exception Rule only applies in limited circumstances, it is important that members of the workforce are made aware of the exception during HIPAA training, to avoid scenarios in which PHI is impermissibly transmitted by unsanctioned apps and services on the assumption that the provider is a "mere conduit". Organizations that are unsure whether they or a service provider are exempted from HIPAA compliance under the HIPAA Conduit Exception Rule should seek compliance advice.

About Daniel Lopez

Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA