Chapter 2 of the Guide to Reliable Internet Services and Applications notes, “An Internet Service Provider (ISP) is a telecommunications company that offers its customers access to the Internet.”
ISPs’ involvement in feedback loops under HIPAA hinges on their role and their access to PHI. Those with direct access to or control over PHI are classified as business associates and take on the corresponding HIPAA obligations; those serving merely as data conduits may not be directly regulated by HIPAA but should still follow security best practices to avoid data breaches.
HIPAA classifies entities involved in processing PHI into covered entities and business associates. ISPs, when acting as intermediaries that facilitate electronic data transmission but do not have access to the content of the health data, are generally not classified as covered entities under HIPAA.
If ISPs participate in feedback loops that involve processing, storing, or maintaining health-related data in ways that give them access to PHI, they could be classified as business associates under HIPAA.
An article in the journal Assessment & Evaluation in Higher Education offers insight into the definition of feedback and into when exactly a feedback loop comes into existence: “Defining and conceptualising feedback is contested territory. The view of Hattie and Timperley (2007) is that feedback involves information about performance or understanding with the information coming from a range of sources…When information leads to actions, a feedback loop is said to be closed.”
In healthcare information technology, a feedback loop is a system where patient data and healthcare information continuously circulate among various stakeholders, such as healthcare providers, patients, and technology platforms, to enhance care delivery and patient outcomes. This loop allows for the constant updating and sharing of patient information, which aids in making timely and informed medical decisions.
ISPs play a role in facilitating these feedback loops by providing the necessary network infrastructure and data transmission services. They ensure the seamless and secure flow of healthcare information across different platforms and users. By offering reliable and high-speed internet connectivity, ISPs enable real-time data exchange.
See also: What is a business associate agreement?
Chapter 4 of Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research describes business associates as follows: “the Privacy Rule allows covered entities to disclose PHI without individual authorization to its ‘business associates,’ which are defined as persons or entities that perform, on behalf of the covered entity, certain functions or services that require the use or disclosure of PHI, provided adequate safeguards are in place.”
The criteria for determining if an ISP is considered a business associate, particularly when involved in feedback loops, are centered on the nature of the ISP's interaction with PHI. These criteria include:
See also: How to know if you’re a business associate
A paper by Dr. Ofer Zur, published by the ZUR Institute, describes the conduit exception: “Services may be exempted from the Business Associate rule if they qualify as a conduit (i.e., a service that simply moves PHI from one place to another). For companies to qualify as conduits, they must never persistently store any PHI and must not be able to view the PHI they are transmitting.”
The mere conduit exception specifically applies to entities that transmit PHI but do not access, store, or otherwise interact with it beyond what is necessary for transportation. ISPs typically fall under this category, as their primary role is to provide data transmission services.
If an ISP merely acts as a pipeline for data, akin to a digital equivalent of a postal service, without routinely accessing or storing the PHI, it is not considered a business associate under HIPAA. This means ISPs that function solely as conduits are exempt from the stringent privacy and security requirements imposed on business associates.
If an ISP's services extend beyond simple data passage, for example by storing PHI even temporarily or by having access to unencrypted PHI, the ISP may not qualify for this exception and would then be subject to HIPAA's regulations for business associates.
See also: HIPAA Compliant Email: The Definitive Guide
HIPAA is a law that protects the privacy and security of individuals' health information managed by healthcare providers, insurers, and their business associates.
ISPs, or Internet Service Providers, are companies that provide services for accessing, using, or participating in the Internet.
Feedback loops in healthcare also exist in patient care (patient feedback on treatment effectiveness), quality improvement programs (staff evaluations and process adjustments), and in electronic health records systems (alerts for drug interactions and guideline updates).