Will Misunderstandings Around The HIPAA Conduit Exception Rule Result In Organizations Failing The Phase 2 Audits?

Posted on December 14, 2015 I Written By

The following is a guest blog post by Gene Fry from Scrypt, Inc.
Gene Fry - HIPAA Expert
In January 2013, the HHS defined the ‘conduit exception’ as part of the HIPAA Omnibus Final Rule, which was created to strengthen the privacy and security protections for health information.

The HIPAA conduit exception rule is applicable to providers of conduit services who do not have access to protected health information (PHI) on a routine basis. This means that they do not have to sign a Business Associate Agreement (BAA). However, some providers who do not fall under this definition are still claiming that they are HIPAA compliant. It is crucial that healthcare organizations understand exactly what this rule means, and how it may affect them if selected for an audit, or if a breach should occur.

What is a HIPAA Business Associate Agreement?
There are a number of providers who state they offer HIPAA compliant solutions for transmitting or storing PHI, and yet they are unwilling to sign a BAA.

As stated in the HIPAA Privacy and Security Rules, a business associate is defined as:

“[a] Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”

Therefore, any organization or business that handles personal health information is considered to be a business associate and must sign a BAA. As this acts as a contract between a HIPAA covered entity and a business associate, without one, the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that they are not HIPAA compliant.

Phase 2 HIPAA audits are due to begin in early 2016, and the transmission and storage of PHI is likely to be an area that the Office of Civil Rights (OCR) focus on as a result of large numbers of noncompliance being reported in the phase 1 audits conducted in 2012. While the phase 1 audits applied only to covered entities, in this round, business associates will also be subject to audits by OCR. This means that business associates can be held accountable for data breaches, and penalized accordingly for noncompliance.

Every covered entity must have a BAA in place with the organization responsible for PHI managed on their behalf. Without it, like a weak link in the chain, the whole system becomes noncompliant.

When does the exception rule apply?
There are instances where the HIPAA conduit exception rule does apply. For entities that simply transport or transmit PHI (such as the United States Postal Service, couriers, and their electronic equivalents) who do not have routine access to PHI other than infrequently or randomly, and disclosure of the PHI to such entity is not intended, the HIPAA conduit exception rule is likely to apply.

The rule is rather confusing and open to interpretation when it comes to electronic protected health information (ePHI), as occasional, random access by a data transmission entity does not necessarily make the entity a HIPAA business associate. An example of an organization which would not require a BAA would be an ISP, as they review whether ePHI being transmitted over its network is arriving to its intended destination, but do not access or store the data.

Random or infrequent access defined by the HIPAA rules is explained in the preamble to the rules, which explicitly states that the “mere conduit” exception, is intended to include organizations that deal with “any temporary storage of transmitted data incident to such transmission.” It is the ‘temporary storage’ terminology used in the rule that healthcare organizations often misinterpret.

The preamble defines the distinction between transmission (including incidental storage associated with such transmission) and ongoing storage. The difference between those two situations “is the transient versus persistent nature of” the opportunity to access PHI. This means that a data storage company that has access to PHI still qualifies as a business associate, even if the entity does not view the information – or only does so on a random or infrequent basis.

Be wary of providers who refuse to sign a BAA
If a provider is unwilling to sign a BAA, the advice from David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division, is “If they refuse to sign, don’t use the service”.

However, providers are citing the HIPAA conduit exception rule as the reason that a BAA is not required. By stating that they are acting as a ‘simple conduit for information’, they are stipulating that they are excluded from the definition of a business associate. This effectively absolves the provider of signing a BAA, and gets them off the compliance hook, while putting their customers at risk of not being compliant.

An entity that manages the transmission and storage of PHI, such as a HIPAA compliant cloud hosting company, or a HIPAA compliant fax or messaging provider does have more than “random access” to PHI – meaning that they do meet the definition of a HIPAA business associate. Any organization that is transmitting and receiving information that includes PHI falls into the category of business associates – and should be willing to sign a BAA.

Some providers will not sign a BAA because they claim to only offer what they call a “conduit service” – technically making them able to state that they are HIPAA compliant, although this is untrue in many cases. In addition to offering services that relate to the transmission and storage of PHI, they may also include a guarantee that they will disable automatic forwarding of messages to email, disable SMS texting, and will delete all faxes, voicemails and recordings after a short period to get out of signing the BAA.

Providers who offer a range of telecommunications services – some of which are purely conduit – may also refuse to sign a BAA for customers only requiring data transmission services due to the fact that their fax and SMS services are not actually HIPAA compliant. Again, these providers claim that they are HIPAA compliant because they can provide purely conduit services as part of their offering.

How can I ensure compliance when selecting a provider?

  • Never select a provider who is unwilling to sign a BAA.
  • Be wary of providers who refer to the HIPAA conduit exception rule if they will have access to ePHI – even if it is random or infrequent
  • Ask the provider to prove its track record of safeguarding ePHI
  • Check that the provider is able to demonstrate that their staff are trained in HIPAA compliance

When selecting a provider, if they are truly HIPAA compliant, they will sign a business associate agreement because they are required to, and they should demonstrate a willingness to comply. A BAA acts as the a contract between a HIPAA covered entity and a business associate, and without one, the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that they are not HIPAA compliant. Be wary of organizations that hide behind the conduit exception rule, or you may find your organization bears the brunt of OCR audits should a breach occur.

About Gene Fry
Gene joined the Scrypt, Inc. family in October of 2001. He has 25 years of IT experience working in industries such as healthcare and for companies based in the U.S. and in Latin America. Gene is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute. In addition, he is certified as a HIPAA Privacy and Security Compliance Officer by the Identity Management Institute, as an Electronic Health Record Specialist Certification (CEHRS™) through the National Health Career Association and he holds a Gramm-Leach Bliley Act (GLBA) certification from BridgeFront and J.J Kellers.  In his spare time, Gene rides a Harley Davidson as part of the Austin, Texas Chapter.