1. Home
  2. |Insights
  3. |Conduit Exception Remains Narrow Under New HIPAA Rule

Conduit Exception Remains Narrow Under New HIPAA Rule

Client Alert | 2 min read | 01.29.13

On January 25, 2013, the Department of Health and Human Services issued the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules ("Final Rule"). The Final Rule addresses the status of data management organizations by amending the definition of a Business Associate and clarifying the definition of Health Information Organizations (HIO). The Final Rule designates as business associates: (1) a Health Information Organizations (HIO)*, E-prescribing Gateways, or other persons that provide data transmission services involving PHI to a covered entity and that requires routine access to such PHI; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity (i.e., a personal health record vendor or PHV). 

In taking this step, HHS rejected comments from personal health vendors and data storage companies seeking to expand the conduit exception to cover arrangements in which an entity stores, but does not normally access, PHI that it maintains on behalf of a covered entity.

HHS declined to provide a bright line for defining what constitutes "routine access," but clarified that the conduit exception is intended to exclude only those entities providing courier services, such as the U.S. Postal Service or United Parcel Service and their electronic data transmission equivalents, such as internet service providers (ISPs).

HHS distinguished between the type of access a conduit might need to perform a transportation service, and the access an entity such as an HIO might require to perform a service specifically on behalf of a covered entity. "The transient versus persistent nature" of the opportunity to access PHI is a meaningful distinction that confers business associate status on entities that have access to PHI when they store or warehouse data for eventual transmission to and use by others. (HHS did not address what constitutes "access" to PHI utilizing various technologies employed by data storage vendors to protect the security and accessibility of data, sometimes from the vendor’s own workforce.)

To address whatever ambiguity was present in the rule, HHS also modified the definition of "business associate" to provide that a business associate includes a person who "creates, receives, maintains, or transmits" (emphasis added) PHI on behalf of a covered entity.

HHS also addressed when a PHV would be providing a personal health record "on behalf of" a covered entity (as opposed to providing a service directly to an individual). If a covered entity hires a vendor to provide and manage a personal health record service the covered entity offers to its patients or enrollees, and provides the vendor with access to PHI, the PHV is a business associate. In contrast, a purely  interoperability relationship that simply establishes  the technical specifications for exchanging of data would not normally make a PHV a business associate.


*HHS deleted references to Regional HIOs in favor of HIO, of which RHIOs are a subset.  


Insights

Client Alert | 2 min read | 09.03.25

DOJ and DHS Announce Cross-Agency Trade Fraud Task Force

On August 29, 2025, the Department of Justice (DOJ) and the Department of Homeland Security (DHS) launched a cross-agency Trade Fraud Task Force to expand efforts to target importers and other parties committing trade-related fraud. As stated in a press release issued on August 29, the Task Force will augment the existing coordination mechanisms within the DOJ and DHS, for instance through partnerships with CBP and Homeland Security Investigations, to “aggressively” take enforcement measures against parties that commit tariff evasion or attempt to smuggle prohibited goods into the U.S....