Spears Legal Technology

Disclaimer

This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

When Do Conduits Cross the HIPAA Business Associates Line?

The Legal Health Information Exchange has published a lengthy article that examines where the HIPAA conduit exception ends and Business Associate (BA) status begins for entities that transmit or otherwise handle Protected Health Information (PHI) on behalf of covered entities. BAs were first brought directly under parts of HIPAA’s regulatory umbrella by the 2009 HITECH Act, and more fully by last year’s Omnibus Rule.

The Preamble to the Final HITECH Rule states:

“The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services [and their electronic equivalents.] As we have stated in prior guidance, a conduit transports information, but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.”

Here’s a summary of the author’s conclusion (HIO: health information organization; HISP: health information service provider):

Therefore, a HIPAA BA relationship is generally not implicated by an HIO, HISP or similar entity simply performing just fully encrypted data routing or transmission activities for a covered entity. A HIPAA BA relationship will, however, be found where such HIO, HISP or similar entity performs more than such limited activities, such as, for example, data aggregation, processing, hosting and transmission (other than as a conduit), encryption/decryption functions/management, record locator/querying functions, auditing and other oversight and governance functions requiring access to PHI, and creating data sets of de-identified information.

In practice the dividing line is access: an entity that merely forwards encrypted PHI it cannot read stays a conduit, while one that holds the decryption keys, hosts the data, or otherwise processes its content is a BA.

Read the whole article here.