BA Exemption: The HIPAA Conduit Exception Rule and Transmission of PHI
The HIPAA Conduit Exception Rule applies to organizations that would otherwise be business associates but are exempt from the business associate requirements of HIPAA because they only have transient access to PHI while transmitting it. For HIPAA compliance purposes, it is important to understand the difference between transient access, persistent access, and so-called "no view" access, because only the first of these qualifies a vendor as a conduit.
The HIPAA Omnibus Final Rule and Business Associates
On January 25, 2013, the HIPAA Omnibus Final Rule was published in the Federal Register. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including updates attributable to the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus Rule added "maintains" to that definition, so companies that store electronic information or physical records on behalf of a covered entity are business associates. The HIPAA Omnibus Final Rule also confirmed that data transmission service providers that require routine access to the PHI they transmit (for example Health Information Organizations and e-prescribing gateways) are business associates.
What is the HIPAA Conduit Exception Rule?
The HIPAA Conduit Exception Rule was defined in the preamble to the HIPAA Omnibus Final Rule. It allows HIPAA-covered entities to use certain vendors without entering into a business associate agreement, but it is narrow and excludes only an extremely limited group of entities. It applies to entities that transmit PHI but do not have "persistent" access to the transmitted information and do not store copies of the data, other than temporarily as an incident of transmission. A conduit transports the information without accessing it, except on a random or infrequent basis as necessary to perform the transmission service.
The HIPAA Conduit Exception Rule covers organizations such as the US Postal Service and private couriers such as FedEx, UPS, and DHL, as well as their electronic equivalents. Companies that simply provide data transmission services, such as Internet Service Providers (ISPs), are considered conduits.
The HIPAA Conduit Exception Rule is limited to transmission-only services for PHI. If PHI is held by a conduit at all, the storage must be transient (for example, a message queued for delivery) and not persistent. In some circumstances, it may be important to include an explanation of this distinction in HIPAA training.
A vendor's claim that it cannot access the stored or transmitted information (so-called "no view" access, such as a cloud storage provider that holds only encrypted data and does not have the decryption key) does not make it a conduit. A vendor that stores PHI persistently is a business associate regardless of whether it can view the data. To be a conduit, the service provider must store transmitted information only temporarily, in the course of transmitting it.
Vendors that are often misclassified as conduits include email service providers, fax service providers, cloud service providers, and messaging service providers. These service providers are NOT conduits, and each must enter into a business associate agreement with the covered entity before the service is used in connection with any PHI.
Some service providers claim to be conduits when they are not, in order to avoid signing a business associate agreement. Certain electronic fax service providers have claimed conduit status, and while at face value they appear to be an electronic equivalent of the US Postal Service, they are not covered by the HIPAA Conduit Exception Rule. Electronic fax services do not merely carry a document from sender to recipient: received faxes are typically retained on the provider's servers, and that storage is not transient.
Penalties for Misclassifying a Business Associate as a Conduit
Any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity, and that does not fall within the narrow conduit exception, is a business associate. All business associates must sign a business associate agreement with the HIPAA-covered entity before PHI is provided to them or access to PHI is granted.
Misclassifying a vendor as a conduit rather than a business associate can result in a significant financial penalty, since PHI will have been disclosed without first entering into a business associate agreement.
The Department of Health and Human Services' Office for Civil Rights (OCR) has financially penalized many covered entities that were found to have disclosed PHI to a vendor without first obtaining a business associate agreement (BAA). In most cases, the lack of a BAA was one of several violations that contributed to the size of the settlement, rather than the sole reason for it.
For example, in 2024, Providence Medical Institute was fined $240,000 for Security Rule failings that included the failure to restrict access to PHI and enter into a Business Associate Agreement.
In 2023, MedEvolve Inc was fined $350,000 for impermissibly disclosing PHI to a service provider without having previously entered into a Business Associate Agreement.
In 2020, Athens Orthopedic Inc settled allegations of multiple HIPAA violations – including the failure to execute Agreements with Business Associates – for $1,500,000.
Further examples include the Center for Children's Digestive Health, which settled with OCR for $31,000 in 2017 to resolve business associate agreement failures, and three 2016 settlements: Care New England Health System ($400,000), North Memorial Health Care of Minnesota ($1,550,000), and Oregon Health & Science University ($2,700,000).