Why Medical Couriers Never Qualify as Conduits Under HIPAA
Medical couriers never qualify as conduits under HIPAA because they are considered to have “operational access” to Protected Health Information (PHI), even when the only information visible to a driver is a name, an address, or a reference number.
The HIPAA Conduit Exception applies to entities who transmit PHI on behalf of a covered entity or business associate, who only have “transient” access to the information, and who do not store copies of data. They simply act as conduits through which PHI flows.
As conduits, qualifying entities do not have to enter into Business Associate Agreements, nor comply with applicable HIPAA standards. Examples of entities that qualify as conduits under HIPAA include the US Postal Service, FedEx, UPS, and Internet Service Providers.
The Difference between FedEx and Medical Couriers
The primary difference between FedEx and medical couriers is the nature of access drivers have to PHI. Whereas both FedEx drivers and medical courier drivers transport PHI from A to B, FedEx drivers do not interact with the information, and any access they have to PHI is purely incident to the primary purpose.
By comparison, medical couriers are specifically hired to transport PHI. To fulfil the role for which they have been engaged, medical courier drivers routinely handle paperwork attached to specimens, read patients names on labels, sign chain-of-custody forms, and verify identifiers at pick-up.
This is considered “operational access” to PHI, and explains why healthcare organizations, labs, and pharmacies require medical couriers to enter into Business Associate Agreements and comply with all applicable HIPAA standards before engaging a medical courier to deliver PHI on their behalf.
What about When Only a Name, Address, or Number is Visible?
Under HIPAA, names, addresses, and reference numbers are not, by themselves, Protected Health Information. These identifiers only become PHI when they are maintained in the same designated record set as individually identifiable health information relating to a patient’s past, present, or future care.
In the context of medical deliveries, names, addresses, and reference numbers on the outside of a package are the reference keys to individually identifiable health information inside the package. They are considered components of a designated record set and must be protected in the same way as the contents of the package.
This interpretation of the definition of a designated record set, together with the fact that medical couriers are specifically hired to transport PHI and that in order to fulfil that role they require operational access to PHI, explains why medical couriers never qualify as conduits under HIPAA.
