What is the HIPAA Conduit Exception Rule?
The HIPAA Conduit Exception Rule exempts organizations that provide transmission services from qualifying as business associates when their access to Protected Health Information (PHI) during the provision of the service is only temporary. HHS' Office for Civil Rights (OCR) describes transmission services of this nature as having "transient" access to PHI rather than "persistent" access (78 FR 5566).
In 2009, Congress enacted the HITECH Act, Subtitle D of which made business associates directly liable for compliance with certain requirements of the HIPAA Rules. This requirement of the HITECH Act was implemented in the HIPAA Omnibus Rule of 2013. Prior to the publication of the HIPAA Omnibus Rule there was a lengthy consultation period, during which the question of who qualifies as a business associate was frequently raised.
In the context of the HIPAA Conduit Exception Rule, several of those questions concerned §13408 of the HITECH Act. This section requires Business Associate Agreements with organizations that provide data transmission services when the organizations or services require access to PHI on a "routine basis". Because PHI can be oral, paper, or electronic, this section needed careful clarification.
The HIPAA Conduit Exception Rule Explained
In the preamble to the HIPAA Omnibus Rule (78 FR 5566), HHS' Office for Civil Rights confirmed that data transmission organizations that do not require access to PHI on a routine basis would not be treated as business associates. The agency noted that "entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates."
In response to the question of what is considered a "routine basis", HHS' Office for Civil Rights gave the example of an organization that manages the exchange of PHI through a network (for example, a cloud storage solution such as Microsoft OneDrive). In the example, the organization would need "more than random access to PHI" (i.e., "routine" access) to provide its service for a covered entity, and so would fall within the definition of a business associate.
The agency further elaborated on its answer by explaining that the HIPAA Conduit Exception Rule only applies when any temporary storage of PHI is incidental to the transmission service (whether electronic or hard copy). HHS' Office for Civil Rights described incidental access as "transient" access and listed courier services such as the U.S. Postal Service, and their electronic equivalents such as internet service providers (ISPs), as examples of organizations that would not qualify as business associates.
Business Associates with No View Access to PHI
The preamble to the HIPAA Omnibus Rule also resolved an issue regarding data storage and transmission services that have "no view" access to PHI, for example because the PHI is encrypted and the covered entity alone holds the decryption key. (Note: the same issue applies to rented physical storage of paper PHI when the key to the location(s) in which the paper PHI is stored is held by the covered entity.)
Explaining that such services nonetheless have "persistent" access to PHI, HHS' Office for Civil Rights announced that the definition of business associate in §160.103 was being amended so that it applies to entities that create, receive, maintain, or transmit PHI for or on behalf of a covered entity, the word "maintain" being the operative addition: storing PHI on a covered entity's behalf makes an organization a business associate even if it never views the data. The amended definition also applies to subcontractors who provide such services to business associates.
This leaves a very narrow band of service providers that do not qualify as business associates because of the HIPAA Conduit Exception Rule. However, there is no definitive list of "conduit exceptions", because whether a Business Associate Agreement is necessary is a fact-specific determination based on the nature of the service being provided and the nature of the access to PHI necessary to provide that service to a covered entity.
Although the HIPAA Conduit Exception Rule only applies in limited circumstances, it is important that members of the workforce are made aware of the exception, and of how narrow it is, during HIPAA training. Otherwise staff may assume that a file-sharing app or messaging service is a "mere conduit" when it in fact stores PHI, and PHI may be impermissibly transmitted through unsanctioned apps and services with which no Business Associate Agreement exists. Organizations that are unsure whether they or a service provider are exempt from business associate obligations under the HIPAA Conduit Exception Rule should seek compliance advice.