HIPAA Conduit Exception Rule – what is it?


While I was doing research regarding Apple’s FaceTime and whether or not it achieves HIPAA compliance, I came across opinions on the internet that concluded FaceTime qualified under the HIPAA Conduit Exception Rule. Under this rule, the writers determined that FaceTime did not need to meet HIPAA guidelines and was therefore HIPAA compliant.

We know, however, that Business Associate Agreements (BAAs) are required by law and that HIPAA breaches can result from not signing BAAs with cloud vendors.

We also know the healthcare industry covered by HIPAA is vast, so we can empathize with just how many people need to use cloud-based services in this sector.

I decided to dig deeper into the HIPAA Conduit Exception Rule to truly understand its meaning.


HIPAA Conduit Exception Rule Explained

The HIPAA Conduit Exception Rule dates from the HIPAA Privacy Rule, published in 2000. It does not appear in the regulatory text itself; it comes from HHS’s commentary accompanying the rule, in the discussion of the definition of “business associate” in 45 CFR 160.103:

We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.

HIPAA Conduit Exception Rule and Cloud Service Providers

Since much has changed since 2000, the obvious question arises:

How do Cloud Service Providers (CSPs) like Apple, Amazon, Paubox, Google, and others fit into the HIPAA Conduit Exception Rule?

For help, we can reference a page on the HHS site called Guidance on HIPAA & Cloud Computing.

Question 3 states:

Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?

Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.

As explained in previous guidance,[14] the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.

Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.

HIPAA Conduit Exception Rule: Wrap Up

There are two sections in the above answer from HHS that catch my eye:

  • First, a CSP qualifies as a Business Associate even if it can’t view the ePHI because the data is encrypted and the CSP does not have the decryption key. In other words, encryption at rest does not remove the BAA requirement; persistent access to the stored ciphertext is enough.
  • Second, the conduit exception applies only where the sole service provided to a Covered Entity or Business Associate customer is transmission of ePHI, with no storage of the information other than temporary storage incident to the transmission itself.

I don’t know of a single cloud-based software vendor that stores absolutely zero information on its users. Furthermore, the HIPAA Conduit Exception Rule was meant for ISPs (Internet Service Providers) and carriers like the US Postal Service.

To apply the conduit exception to a Cloud Services Provider like Apple and its FaceTime product is, in my opinion, an incorrect conclusion.

Furthermore, we know that Apple is not in the business of signing Business Associate Agreements or being classified as a Business Associate for its consumer products.

In conclusion, I believe the HIPAA Conduit Exception Rule does not generally apply to Cloud Service Providers like Apple, Google, Microsoft and Paubox. Therefore, you should make sure to sign Business Associate Agreements with each of these companies and make sure the BAA covers the specific service you will be using in a HIPAA environment.


About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.

