Demystifying the HIPAA Conduit Exception Rule

The HIPAA Omnibus Final Rule was published in the Federal Register on January 25, 2013. Since then, some of its provisions have been further clarified by the U.S. Department of Health and Human Services (HHS). On its website, HHS provides guidance on the HIPAA Conduit Exception Rule: “The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI (electronic Protected Health Information) that do not involve any storage of the information other than on a temporary basis incident to the transmission service.” The exception is straightforward and logical: if ePHI merely passes through a service, and that service does not store the information beyond what the transmission itself requires, then the service can be classified as a conduit and is exempt from the requirement to have a Business Associate Agreement (BAA) in place.

A clear example of a non-electronic conduit that falls under this exception is the postal service, along with other shipping carriers. While a carrier may hold an envelope containing sensitive patient information or X-rays, its role is only to move the envelope from origin to destination. A digital example is an internet service provider (ISP). HHS further clarifies that cloud service providers (CSPs) do not fall under the exception, “even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.” This distinction is important because it separates a vendor from a conduit: the test is persistence, not visibility. Any cloud provider or messaging provider (instant messaging, email, digital faxing, etc.) whose role is not “transient in nature” and that has “persistent access to the ePHI” must have a BAA signed and in place before the first transmission of ePHI, regardless of whether it can read the data.

HHS “does not endorse, certify, or recommend specific technology or products,” and therefore does not recommend any particular HIPAA-compliant cloud service provider. Here is a tip: a suitable CSP must be able and willing to sign a BAA with its customers, acknowledging that it is “a CSP that creates, receives, maintains, or transmits PHI on behalf of a covered entity or another business associate.” A provider that refuses to sign a BAA, or that claims its encryption alone makes one unnecessary, should not be handling ePHI for you. The HIPAA landscape requires careful thought to ensure that patient information is not breached and that protocols are followed per HHS guidelines.

The team at BizzSecure can help your business navigate the complexities of achieving HIPAA compliance, and our EAID Solution can evaluate the level of risk your organization faces and help remediate any issues. Stay tuned for more.