Conduit Exception Remains Narrow Under New HIPAA Rule
Client Alert | 2 min read | 01.29.13
On January 25, 2013, the Department of Health and Human Services issued the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules ("Final Rule"). The Final Rule addresses the status of data management organizations by amending the definition of a Business Associate and clarifying the definition of Health Information Organizations (HIOs). The Final Rule designates as business associates: (1) a Health Information Organization (HIO)*, E-prescribing Gateway, or other person that provides data transmission services involving PHI to a covered entity and that requires routine access to such PHI; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity (i.e., a personal health record vendor or PHV).
In taking this step, HHS rejected comments from personal health vendors and data storage companies seeking to expand the conduit exception to cover arrangements in which an entity stores, but does not normally access, PHI that it maintains on behalf of a covered entity.
HHS declined to provide a bright line for defining what constitutes "routine access," but clarified that the conduit exception is intended to exclude only those entities providing courier services, such as the U.S. Postal Service or United Parcel Service and their electronic data transmission equivalents, such as internet service providers (ISPs).
HHS distinguished between the type of access a conduit might need to perform a transportation service, and the access an entity such as an HIO might require to perform a service specifically on behalf of a covered entity. "The transient versus persistent nature" of the opportunity to access PHI is a meaningful distinction that confers business associate status on entities that have access to PHI when they store or warehouse data for eventual transmission to and use by others. (HHS did not address what constitutes "access" to PHI utilizing various technologies employed by data storage vendors to protect the security and accessibility of data, sometimes from the vendor’s own workforce.)
To address whatever ambiguity was present in the rule, HHS also modified the definition of "business associate" to provide that a business associate includes a person who "creates, receives, maintains, or transmits" (emphasis added) PHI on behalf of a covered entity.
HHS also addressed when a PHV would be providing a personal health record "on behalf of" a covered entity (as opposed to providing a service directly to an individual). If a covered entity hires a vendor to provide and manage a personal health record service the covered entity offers to its patients or enrollees, and provides the vendor with access to PHI, the PHV is a business associate. In contrast, a pure interoperability relationship that simply establishes the technical specifications for exchanging data would not normally make a PHV a business associate.
*HHS deleted references to Regional HIOs in favor of HIO, of which RHIOs are a subset.