The HIPAA Omnibus Rule of 2013 outlined the requirement for covered entities to have business associate agreements with any third party being used to directly or indirectly handle Protected Health Information.
At the same time, the concept of the HIPAA Conduit Exception was introduced. The HIPAA Conduit Exception enables a qualifying business to provide products or services to a HIPAA covered entity without a BAA (Business Associate Agreement). While the exception applies to a very limited number of businesses, a number of fax service vendors have begun using it as a tool to win business from covered entities. This practice is being used by some fax service providers as a way to dodge the BAA and the liability that comes with it. More simply put, non-HIPAA-compliant fax service vendors are generating revenue by putting healthcare organizations at risk.
In this post we answer a few of the questions we frequently get from HIPAA Covered Entities and other healthcare buyers on the subject.
Please note that this article focuses on the conduit exception in regard to fax services providers. The exception also impacts a number of other provider types which will not be covered in this post.
What is the HIPAA Conduit Exception?
There is a whole lot more to read on HIPAA conduit exceptions, but essentially it is an exception which allows qualifying businesses to supply products and services to covered entities (i.e. healthcare providers, health plans and health information clearinghouses) WITHOUT the need for a business associate agreement.
Who qualifies for the HIPAA Conduit Exception?
The Department of Health and Human Services lists seven examples on their website. We are focusing on the one relating to the delivery or transportation of protected health information:
“…a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.”
The DHHS’s use of the term “electronic equivalents” primarily refers to ISPs (Internet Service Providers). ISPs are considered a “conduit” because they simply “pass” [PHI] data from point A to point B. ISPs do not persistently store, access or provide access to the data they pass.
Do Fax Service Providers qualify?
No. Fax service providers do not qualify for the conduit exception. Fax providers do not simply pass a fax from Point A to Point B. Incoming and outgoing faxes are stored en route by the fax provider. In most cases, faxes remain stored on a fax service server until you delete them or the provider deletes them. As far as HIPAA is concerned, this model is characterized as “persistent storage”, which means the provider is acting as more than just a conduit.
Do Fax Service providers qualify if they delete faxes after 30 days?
No, they do not. Not only are the faxes considered to be persistently stored, but users also have direct access to the faxes during that thirty-day period.
Some fax service providers claim they are HIPAA compliant and a HIPAA Conduit. How does that work?
It doesn’t. If a fax service provider is HIPAA compliant, they will sign a business associate agreement and willingly take on the accountability which comes with it. HIPAA compliant providers will also be open to an audit request or willing to provide an SSAE 16 SOC 2 report from a qualified third-party auditor.
It’s disappointing that certain fax service providers are using the HIPAA Conduit Exception as a means to generate revenue. By adopting this kind of tactic, they are luring buyers into using services which significantly increase the potential for compliance penalties.
Our advice is simple:
1. Understand which vendors need to sign a Business Associate Agreement.
2. Only do business with those who are prepared to sign a BAA.