Understanding the HIPAA conduit exception rule
In January 2013, the “conduit exception” was defined as part of the HIPAA Omnibus Final Rule, which set new requirements for business associates (BAs). It continues, however, to cause confusion for hospitals that may be signing up providers who handle their protected health information (PHI) but aren’t fully HIPAA compliant. In this guest post, Gene Fry, VP of technology and compliance officer at a company that streamlines paper-intensive processes and protects sensitive and business-critical information, helps hospitals understand what the rule means, whom it applies to, and how it may affect organizations in the case of an audit or a breach.
The rule applies to very few of the organizations that come into contact with PHI. It covers entities that simply transport or transmit PHI, such as:
- United States Postal Service
- Couriers and their electronic equivalents, and
- Internet service providers (ISPs).
Even though these entities come into contact with PHI, they don’t have routine access to it, and no disclosure to them is intended.
A very important part of the exception is found in the preamble to the rule. It explicitly states that the mere conduit exception is intended to cover “any temporary storage of transmitted data incident to such transmission.”
The preamble goes on to draw the distinction between transmission (including incidental storage associated with such transmission) and ongoing storage: the difference between the two situations “is the transient vs. persistent nature of” the opportunity to access PHI.
The exception would therefore apply to an ISP. An ISP handles the traffic carrying ePHI only to route it to its intended destination and confirm delivery; it does not read the content or retain the data.
The conduit exception doesn’t apply to a provider that offers faxing, SMS, email or storage of ePHI; any provider offering these services is considered a BA.
All BAs must sign a business associate agreement (BAA) with the covered entity (CE) they provide services to. Without a BAA, the CE has no contractual assurance that the provider will protect the PHI it handles or transmits. The arrangement as a whole is noncompliant, and the CE will be held responsible should a breach occur.
Definition of a BA according to HIPAA
The HIPAA Privacy and Security Rules define a BA as, among other things:
“[a] Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”
Therefore, any organization that handles PHI on behalf of a CE (including for transmission or storage purposes) and requires routine access to it is a BA and must sign a BAA. The BAA is a contract between a HIPAA CE and a BA, and without one the arrangement is not HIPAA compliant.
An entity that manages the transmission and storage of PHI, such as a HIPAA compliant cloud hosting company or a HIPAA compliant fax, email or SMS provider, does require access to PHI on a routine basis, meaning it falls under the HIPAA definition of a BA.
Avoid providers who refuse to sign BAAs
David Holtzman, formerly of the Privacy Division of HHS’s Office for Civil Rights (OCR), stated:
“If a provider offers a business associate agreement, it is willing to stand behind its compliance and say in writing that it has the proper privacy and security controls in place. If your business is going to use a vendor that stores PHI on your behalf, you must have a business associate agreement in place. If they refuse to sign, don’t use the service.”
Providers that are unwilling to sign a BAA may claim they’re acting as a “simple conduit for information” and are therefore excluded from the definition of a BA. They may also offer a guarantee that they will disable automatic forwarding of messages to email, disable SMS texting, and delete all faxes, voicemails and recordings after a predetermined period. By citing the exception, the provider claims to be absolved from signing a BAA, and therefore from having to be HIPAA compliant. Yet such a provider has more than random or infrequent access to PHI, so the exception does not fit, and the CE is left at risk of noncompliance.
Phase 2 audits
The transmission and storage of PHI is likely to be an area OCR focuses on, given the high rate of noncompliance found in the Phase 1 HIPAA audits.
The Phase 2 HIPAA audits are due to begin in early 2016 and, unlike the Phase 1 audits, have been extended to cover BAs as well as CEs. This means that BAs can be held accountable for data breaches and penalized for noncompliance. If you don’t have a BAA with your provider, your organization could find itself subject to hefty penalties.
Any provider that states it is fully HIPAA compliant will sign a BAA with you; if it won’t, you’re putting your organization and your patients’ data at risk.
By Gene Fry
Originally Published January 5, 2016
Healthcare Business & Technology