While I was researching Apple's FaceTime and whether or not it achieves HIPAA Compliance, I came across opinions on the internet that concluded FaceTime qualified under the HIPAA Conduit Exception Rule. Under this rule, the writers determined that FaceTime did not need to meet HIPAA guidelines and it was therefore HIPAA compliant. We know, however, that Business Associate Agreements are required by law and that HIPAA breaches can result from not signing BAAs with cloud vendors. We also know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud-based services in this sector. I decided to dig deeper into the HIPAA Conduit Exception Rule to truly understand its meaning.
HIPAA Conduit Exception Rule Explained
The HIPAA Conduit Exception Rule was created by the HIPAA Privacy Rule in 2000. We can see under Section 160.103 - Definitions:
We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.
HIPAA Conduit Exception Rule and Cloud Service Providers
Since a lot of time has elapsed since 2000, the obvious question arises: How do Cloud Services Providers (CSPs) like Apple, Amazon, Paubox, Google, and others fit into the HIPAA Conduit Exception Rule? For help, we can reference a page on the HHS site called Guidance on HIPAA & Cloud Computing. Question 3 states:
Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.
As explained in previous guidance, the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.
Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.
HIPAA Conduit Exception Rule: Wrap Up
There are two sections in the above answer from HHS that catch my eye:
- First, a CSP qualifies as a Business Associate even if it can't view the ePHI because it is encrypted and the CSP does not have the decryption key.
- Second, the conduit exception applies only where the only services provided to a Covered Entity or Business Associate customer are for transmission of ePHI that do not involve any storage of information.
I don't know of a single cloud-based software vendor that stores absolutely zero information on its users. Furthermore, the HIPAA Conduit Exception Rule was meant for ISPs (Internet Service Providers) and carriers like the US Postal Service.
To apply the conduit exception to a Cloud Services Provider like Apple and its FaceTime product is, in my opinion, an incorrect conclusion. Furthermore, we know that Apple is not in the business of signing Business Associate Agreements or being classified as a Business Associate with their consumer products. In conclusion, I believe the HIPAA Conduit Rule does not generally apply to Cloud Services Providers like Apple, Google, Microsoft and Paubox. Therefore, you should make sure to sign Business Associate Agreements with each of these companies and make sure the BAA covers the service you will be using in a HIPAA environment.