

Understanding HIPAA classification of ISPs involving feedback loops


HIPAA classifies entities involved in transmitting protected health information (PHI) based on their level of access to and interaction with the information. Internet service providers (ISPs) in particular are treated either as business associates or as mere conduits, and the classification hinges on the frequency and nature of the ISP's access to PHI.


What are feedback loops?

In healthcare information technology, a feedback loop is a system where patient data and healthcare information continuously circulate among various stakeholders, such as healthcare providers, patients, and technology platforms, to enhance care delivery and patient outcomes. This loop allows for the constant updating and sharing of patient information, which aids in making timely and informed medical decisions.

ISPs play a role in facilitating these feedback loops by providing the necessary network infrastructure and data transmission services. They ensure the seamless and secure flow of healthcare information across different platforms and users. By offering reliable and high-speed internet connectivity, ISPs enable real-time data exchange.

See also: What is a business associate agreement?


The criteria for determining if an ISP is considered a business associate

The criteria for determining if an ISP is considered a business associate, particularly when involved in feedback loops, are centered on the nature of the ISP's interaction with PHI. These criteria include:

  • Routine access to PHI: If the ISP has regular or routine access to PHI during data transmission, it may be classified as a business associate.
  • Nature of services provided: If the services go beyond mere data transmission and include processing or storing PHI, then the ISP could be considered a business associate. This is in contrast to ISPs that provide passive transmission services like simple data carriage, which might qualify them as "mere conduits."
  • Contractual relationships: If there is an agreement between the ISP and a covered entity (such as a healthcare provider or insurer) that involves the handling of PHI, and the ISP performs functions or activities on behalf of, or provides services to, the covered entity that involve the use or disclosure of PHI, the ISP would be designated as a business associate.
  • Incidental access to PHI: If an ISP's access to PHI is incidental and not a part of its primary service, it might not be considered a business associate. However, if incidental access occurs regularly as part of the service, the ISP could fall under the business associate category.
  • Temporary storage of data: If the ISP is involved in temporary storage of PHI as part of data transmission (such as caching), the nature of this storage (temporary vs. persistent) and whether it's a necessary part of the transmission service will be evaluated to determine if the ISP is a business associate.

See also: How to know if you’re a business associate


The 'mere conduit' exception and how it applies to ISPs

The mere conduit exception applies to entities that transmit PHI but do not access, store, or otherwise interact with it beyond what is necessary for transportation. ISPs typically fall under this category, as their primary role is to provide data transmission services. If an ISP merely acts as a pipeline for data - the digital equivalent of a postal service - without routinely accessing or storing the PHI, it is not considered a business associate under HIPAA. This means ISPs that function solely as conduits are exempt from the stringent privacy and security requirements imposed on business associates. However, if an ISP's services extend beyond simple data passage, such as temporarily storing PHI or having access to unencrypted PHI, it may not qualify for this exception and would then be subject to HIPAA's regulations for business associates.

See also: HIPAA Compliant Email: The Definitive Guide
