What Is a “Conduit” and When Do They Cross The HIPAA BA Line? [1]
As health information organizations (HIOs) start to facilitate secure networked health information exchange (HIE), the question of whether the HIO is or is not a HIPAA business associate (BA) almost always comes up. In the beginning stages of networked HIE, an HIO often plays a very limited role in the actual exchange of health information. The HIO does not access, maintain or store patient data at all. Instead, encrypted data is routed directly from a trusted source to the authorized user requesting the patient data. In that role, the HIO behaves more like a “conduit,” as the Department of Health and Human Services (HHS) describes that term in its HIPAA guidance.
However, as data exchange activities become more robust, the HIO may increasingly become involved in overseeing, managing and storing patient data on behalf of its trusted participating organizations. At that point, the HIO transitions into a new capacity as a HIPAA BA. This in turn requires the HIO to put in place a HIPAA-compliant BA Agreement and to comply in full with the HIPAA Security Rule and certain other requirements made applicable to it by the Health Information Technology for Economic and Clinical Health Act (HITECH). It is therefore important to understand whether an HIO’s activities are limited to those of a conduit, and to recognize when they cross the HIPAA BA “line.” This blog post reviews HIPAA’s definition of “business associate” and the HHS guidance on “conduits,” and suggests one approach that allows an HIO to transition from its initial conduit role to a HIPAA BA role when appropriate.
A HIPAA “business associate” is any person or entity that “creates, receives, maintains or transmits” protected health information (PHI) when performing “health care operations” and other activities for or on behalf of a covered entity. See 45 CFR § 160.103. A business associate is required to comply directly with certain provisions of the HIPAA Privacy and Security Rules, including, but not limited to, maintaining written HIPAA security and other policies. Business associates must also enter into a written business associate agreement (HIPAA BAA) with each covered entity to which they provide business associate services.
The movement of PHI through or facilitated by an HIO implicates a business associate relationship because, by definition, a business associate includes,
“[a] Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.” (emphasis added)
See 45 CFR § 160.103.
This provision was added to the HIPAA business associate definition by HITECH to hold HIOs accountable as HIPAA business associates where they transmit PHI and perform other functions for and on behalf of a covered entity.
However, the Office for Civil Rights (OCR) and HHS have historically recognized a limited exception to the business associate relationship for certain entities that simply transport or transmit PHI. Entities such as the United States Postal Service, couriers, and their electronic equivalents transport PHI but have no routine access to it beyond infrequent or random access, and disclosure of the PHI to such an entity is not intended. See www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/245.html. OCR and HHS have treated, and continue to treat, these entities as “conduits” through which PHI is transported, not as business associates. As the Preamble to the Final HITECH Rule reiterates,
“The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services [and their electronic equivalents.] As we have stated in prior guidance, a conduit transports information, but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.”
78 Federal Register pg 5571 (emphasis added).
Therefore, occasional, random access by a data transmission entity does not make the entity a HIPAA business associate. The Preamble to the Final HITECH Rule gives the example of a telecommunications company, which may have access to PHI when it checks whether data being transmitted over its network is arriving at its intended destination. See 78 Federal Register pgs 5571-5572.
Conversely, an entity that manages the exchange of PHI through a network, including record locator services and various oversight and governance functions, has more than “random access” and would therefore meet the definition of a HIPAA business associate. See 78 Federal Register pg 5571. Furthermore, while there may be a few exceptions, any entity that “maintains” PHI (i.e., provides data hosting of any kind) is almost always considered a business associate, even if the entity never actually accesses the PHI, because its opportunity to access the data is persistent rather than merely transient. See 78 Federal Register pg 5572.
HIOs and entities that act as health information service providers (HISPs) can appropriately be treated as “conduits” and not business associates where the only services and functions they provide relate to data transmission or routing of point-to-point encrypted messages. According to DIRECT Project [2] protocols, best practice standards, and related guidance for HISPs and secured health transport, a HISP that provides mere transmission or routing functions is not a HIPAA business associate. Likewise, a HISP that transports only data that has already been encrypted by the sender, and that remains encrypted until received by the intended recipient, will not be considered a HIPAA business associate unless it otherwise has access to unencrypted PHI on a routine basis or holds the decryption keys or other means of decrypting the data. That last caveat matters in practice: a HISP that encrypts or decrypts messages on behalf of its users, and therefore holds the keys, is no longer a mere conduit.
Therefore, a HIPAA BA relationship is generally not implicated by an HIO, HISP or similar entity that performs only fully encrypted data routing or transmission activities for a covered entity. A HIPAA BA relationship will, however, be found where such an HIO, HISP or similar entity performs more than these limited activities, such as, for example, data aggregation, processing, hosting and transmission (other than as a conduit), encryption/decryption functions or key management, record locator/querying functions, auditing and other oversight and governance functions requiring access to PHI, and creating data sets of de-identified information. See 45 CFR § 160.103 and § 164.103. Such activities will cause a conduit to “cross” the HIPAA BA “line” and trigger HIPAA BA obligations, including compliance with applicable provisions of the HIPAA Security Rule, written security policies and procedures, and written BAAs, among others. But what should an HIO and its participants do during the transition period, when the HIO is still functioning as a conduit but has not yet taken on full HIPAA BA activities?
One approach to this issue is to put in place a “springing” HIPAA BAA between the HIO and its participating organizations. Such a “springing” HIPAA BAA essentially requires the HIO to fully comply with HIPAA’s requirements applicable to business associates at the moment the HIO crosses the line from supporting data exchange as a mere conduit to more integrally supporting, accessing and managing that data exchange as a HIPAA BA. The HIO is thereby required to regularly and closely evaluate its activities and to be fully compliant with HIPAA (i.e., the Security Rule) as soon as it crosses the HIPAA BA line, rather than scrambling to become compliant afterward.
[1] This article first appeared as a Guest Column in HealthShare Exchange of Southeastern PA’s “Connector” Newsletter. HealthShare Exchange (HSX) is a collaboration of stakeholders representing over 30 hospitals and health systems and several health plans in the five-county region of greater Philadelphia. HSX was created for the purpose of enabling the electronic exchange of patient data in order to improve healthcare outcomes in the region.
[2] DIRECT Project is a federal and stakeholder initiative aimed at establishing standards and documentation to support sending encrypted health data and messages to known recipients. For more information, visit http://directproject.org/home.php.