Will Misunderstandings Around The HIPAA Conduit Exception Rule Result In Organizations Failing The Phase 2 Audits?

The following is a guest blog post by Gene Fry from Scrypt, Inc.
In January 2013, the HHS defined the ‘conduit exception’ as part of the HIPAA Omnibus Final Rule, which was created to strengthen the privacy and security protections for health information.

The HIPAA conduit exception rule is applicable to providers of conduit services who do not have access to protected health information (PHI) on a routine basis. This means that they do not have to sign a Business Associate Agreement (BAA). However, some providers who do not fall under this definition are still claiming that they are HIPAA compliant. It is crucial that healthcare organizations understand exactly what this rule means, and how it may affect them if selected for an audit, or if a breach should occur.

What is a HIPAA Business Associate Agreement?
There are a number of providers who state they offer HIPAA compliant solutions for transmitting or storing PHI, and yet they are unwilling to sign a BAA.

As stated in the HIPAA Privacy and Security Rules, a business associate is defined as:

“[a] Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”

Therefore, any organization or business that handles personal health information is considered to be a business associate and must sign a BAA. As this acts as a contract between a HIPAA covered entity and a business associate, without one, the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that they are not HIPAA compliant.

Phase 2 HIPAA audits are due to begin in early 2016, and the transmission and storage of PHI is likely to be an area that the Office for Civil Rights (OCR) focuses on, as a result of the large number of instances of noncompliance reported in the phase 1 audits conducted in 2012. While the phase 1 audits applied only to covered entities, in this round, business associates will also be subject to audits by OCR. This means that business associates can be held accountable for data breaches, and penalized accordingly for noncompliance.

Every covered entity must have a BAA in place with the organization responsible for PHI managed on their behalf. Without it, like a weak link in the chain, the whole system becomes noncompliant.

When does the exception rule apply?
There are instances where the HIPAA conduit exception rule does apply. It is likely to apply to entities that simply transport or transmit PHI (such as the United States Postal Service, couriers, and their electronic equivalents), that access PHI only infrequently or randomly, and to which disclosure of the PHI is not intended.

The rule is rather confusing and open to interpretation when it comes to electronic protected health information (ePHI), as occasional, random access by a data transmission entity does not necessarily make the entity a HIPAA business associate. An example of an organization which would not require a BAA would be an ISP, as it reviews whether ePHI being transmitted over its network is arriving at its intended destination, but does not access or store the data.

Random or infrequent access as defined by the HIPAA rules is explained in the preamble to the rules, which explicitly states that the “mere conduit” exception is intended to include organizations that deal with “any temporary storage of transmitted data incident to such transmission.” It is the ‘temporary storage’ terminology used in the rule that healthcare organizations often misinterpret.

The preamble defines the distinction between transmission (including incidental storage associated with such transmission) and ongoing storage. The difference between those two situations “is the transient versus persistent nature of” the opportunity to access PHI. This means that a data storage company that has access to PHI still qualifies as a business associate, even if the entity does not view the information – or only does so on a random or infrequent basis.

Be wary of providers who refuse to sign a BAA
If a provider is unwilling to sign a BAA, the advice from David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division, is “If they refuse to sign, don’t use the service”.

However, providers are citing the HIPAA conduit exception rule as the reason that a BAA is not required. By stating that they are acting as a ‘simple conduit for information’, they are stipulating that they are excluded from the definition of a business associate. This effectively absolves the provider of signing a BAA, and gets them off the compliance hook, while putting their customers at risk of not being compliant.

An entity that manages the transmission and storage of PHI, such as a HIPAA compliant cloud hosting company, or a HIPAA compliant fax or messaging provider does have more than “random access” to PHI – meaning that they do meet the definition of a HIPAA business associate. Any organization that is transmitting and receiving information that includes PHI falls into the category of business associates – and should be willing to sign a BAA.

Some providers will not sign a BAA because they claim to only offer what they call a “conduit service” – technically making them able to state that they are HIPAA compliant, although this is untrue in many cases. In addition to offering services that relate to the transmission and storage of PHI, they may also include a guarantee that they will disable automatic forwarding of messages to email, disable SMS texting, and will delete all faxes, voicemails and recordings after a short period to get out of signing the BAA.

Providers who offer a range of telecommunications services – some of which are purely conduit – may also refuse to sign a BAA for customers only requiring data transmission services due to the fact that their fax and SMS services are not actually HIPAA compliant. Again, these providers claim that they are HIPAA compliant because they can provide purely conduit services as part of their offering.

How can I ensure compliance when selecting a provider?

  • Never select a provider who is unwilling to sign a BAA.
  • Be wary of providers who refer to the HIPAA conduit exception rule if they will have access to ePHI – even if it is random or infrequent.
  • Ask the provider to prove its track record of safeguarding ePHI.
  • Check that the provider is able to demonstrate that their staff are trained in HIPAA compliance.

When selecting a provider, if they are truly HIPAA compliant, they will sign a business associate agreement because they are required to, and they should demonstrate a willingness to comply. A BAA acts as a contract between a HIPAA covered entity and a business associate, and without one, the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that they are not HIPAA compliant. Be wary of organizations that hide behind the conduit exception rule, or you may find your organization bears the brunt of OCR audits should a breach occur.

About Gene Fry
Gene joined the Scrypt, Inc. family in October of 2001. He has 25 years of IT experience working in industries such as healthcare and for companies based in the U.S. and in Latin America. Gene is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute. In addition, he is certified as a HIPAA Privacy and Security Compliance Officer by the Identity Management Institute, holds an Electronic Health Record Specialist Certification (CEHRS™) through the National Health Career Association, and holds a Gramm-Leach-Bliley Act (GLBA) certification from BridgeFront and J.J Kellers. In his spare time, Gene rides a Harley Davidson as part of the Austin, Texas Chapter.


  • Gene,
    What would be your thoughts on how this rule would pertain to a multi-tenant datacenter that provides space, power and bandwidth to a covered entity (CE)? The datacenter is passive and does not provide any other IT services; the CE has another IT company that provides all services for applications and security. The CE has a telecom circuit extended to their cabinet by the datacenter, but the datacenter does not “provide” the circuit. There would be a limited number of employees in the datacenter that could have the “keys” to the CE’s cabinet but would only access it in an emergency. Would the datacenter require a BAA?

  • Jim,
    I’ll let some of the other experts that read this answer, but as I read the rule, if I were that datacenter I would want to have a BAA in place. Or I guess I should say if I was someone hosting with that data center, I’d want the data center to have a BAA in place. They have physical access to the machine (as you mention) where data is stored at rest. I think it’s a really hard case to make that they’re just a conduit. Although, I know some data centers who argue the opposite way. I just wouldn’t host with them. I’d love to hear what other experts think.

  • Again, this goes back to whether the data is encrypted and if so, who has the key.

    MU Stage 2 addressed, but didn’t require, database encryption of an EHR.

    I expect it to become a requirement.

    Either way, ensuring your DB is encrypted is the conservative thing to do…that is, IF your EHR can handle this, which is an entirely new topic.

    BUT – if your data is encrypted, and the data center does not have access to the encryption key, then the safe harbor rule would apply.

  • Hi Jim,

    If the data is not encrypted and the data center has access, or data is stored on any server that is in their centers, a BAA is required regardless of whether they have access or not.

    If data is encrypted, meaning all of the data, which includes any files and the database, then even if the data center has access it could possibly pass the conduit test.

    It is always safer to be on the more compliant side and if it were me making a decision I would get a BAA regardless.

    The limited number having access to CE encryption keys could still lead to an issue even at the data center, and again, I would say a BAA is needed.


  • Let’s keep this simple as we can ‘what-if’ this to death:
    When we say data is encrypted, we are talking all data, both in transmission and at rest.
    When we say the encryption key is NOT shared, that means only the practice has the key.

    Now, I approach compliance in a very conservative manner. I don’t disagree that if you can get a BAA signed, get it…but a practice needs to realize that a BAA is no longer the safety blanket it once was. There is an implied expectation that a practice has done due diligence on that BAA partner, so a simple signing of a form doesn’t cut it…this is another topic.

    Given the above, if the data is encrypted and the key is not shared, it is then reasonable to NOT have a BAA. This is just like a laptop, that is encrypted, being lost/stolen. Safe Harbor is in place.
