HIPAA conduit exception rule
The HIPAA conduit exception rule is only applicable to providers of
purely conduit services who do not have access to protected health
information (PHI) other than infrequently or randomly. For this reason,
conduit providers do not have to sign a Business Associate Agreement
(BAA). But what exactly is a conduit service, and when does the HIPAA
conduit exception rule apply?
Who is considered to be a conduit?
Any entities that simply transport or transmit PHI such as the United States Postal Service and couriers, (as they do not have routine access to PHI other than infrequently or randomly, and disclosure of the PHI to such entity is not intended) are considered to be a conduit.
When it comes to electronic protected health information (ePHI), it can be difficult for healthcare organizations to differentiate between which providers are conduits, and which are not. Occasional, random access by a data transmission entity does not necessarily make the entity a HIPAA business associate, and this is where it gets confusing.
An ISP (internet service provider) is a conduit, as they review whether ePHI being transmitted over its network is arriving to its intended destination, but do not access or store the data; however, a cloud fax, SMS or email provider is considered to be a business associate, as they transmit ePHI on behalf of a covered entity.
When does the HIPAA conduit exception rule apply?
This is where the preamble to the rule comes in. The preamble explicitly states that the “mere conduit” exception is intended to include organizations that deal with “any temporary storage of transmitted data incident to such transmission.” The preamble goes on to define the distinction between transmission (including incidental storage associated with such transmission) and ongoing storage.
The key difference between these two situations “is the transient versus persistent nature of” the opportunity to access PHI.
Who is considered to be a conduit?
Any entities that simply transport or transmit PHI such as the United States Postal Service and couriers, (as they do not have routine access to PHI other than infrequently or randomly, and disclosure of the PHI to such entity is not intended) are considered to be a conduit.
When it comes to electronic protected health information (ePHI), it can be difficult for healthcare organizations to differentiate between which providers are conduits, and which are not. Occasional, random access by a data transmission entity does not necessarily make the entity a HIPAA business associate, and this is where it gets confusing.
An ISP (internet service provider) is a conduit, as they review whether ePHI being transmitted over its network is arriving to its intended destination, but do not access or store the data; however, a cloud fax, SMS or email provider is considered to be a business associate, as they transmit ePHI on behalf of a covered entity.
When does the HIPAA conduit exception rule apply?
This is where the preamble to the rule comes in. The preamble explicitly states that the “mere conduit” exception is intended to include organizations that deal with “any temporary storage of transmitted data incident to such transmission.” The preamble goes on to define the distinction between transmission (including incidental storage associated with such transmission) and ongoing storage.
The key difference between these two situations “is the transient versus persistent nature of” the opportunity to access PHI.
Comments
Post a Comment