HIPAA Conduit Exception Rule

The HIPAA Conduit Exception Rule applies to service providers that cannot be considered business associates, since they don’t have any way of accessing or storing electronic protected health information (ePHI) transmitted through their platform. However, it can be difficult to make the determination of whether or not a service provider is considered a conduit.

What is the HIPAA Conduit Exception Rule?

The Omnibus Final Rule created standards to define what is considered a conduit. The purpose of the HIPAA Conduit Exception Rule is to determine whether or not there needs to be a signed business associate agreement (BAA) to use a vendor in conjunction with ePHI.

The Department of Health and Human Services (HHS) states:

We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.

The HIPAA Conduit Exception Rule applies to organizations such as the United States Postal Service, UPS, DHL, and FedEx. Internet Service Providers (ISPs) are also covered under the conduit exception.

There is a misconception that fax providers, email providers, text messaging platforms, and cloud service providers (CSPs) are also classified as conduits. This is not the case: these types of services are considered business associates and therefore require signed business associate agreements before they can be used for HIPAA compliant communication.

The Department of Health and Human Services (HHS) provides this guidance in reference to CSPs:

Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.

Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.

For a service to be classified as a conduit, it may only store data transmitted through its platform temporarily, and that data must be encrypted so that the conduit cannot access it in transit.