
HIPAA Final Rule and the Conduit Exception


As most are aware by now, the new "Omnibus" rule for HIPAA was released this year.  With hundreds of pages, experts are still sifting through it to determine what it all means.  While this "final rule" was intended to clarify things, especially with regard to HITECH and the Security Rule, in true HIPAA fashion it still left some things open to interpretation.  Worse than that, there appears to be some seemingly conflicting information.  Needless to say, legal experts have been hotly debating some of the finer points of these clarifications.

Probably the hottest topic is the expansion of the definition of Business Associate and the clarification of the Conduit Exception.  If you're not really interested in the details and just want the summary, you may want to skip to the last paragraph.

First, a business associate is any entity that a covered entity allows to create, receive, maintain, or transmit Protected Health Information (PHI).  That's pretty inclusive.  The final rule has even expanded this to include subcontractors of anyone that is a business associate.  Where it gets tricky, and potentially confusing, is with the Conduit Exception.

According to the final rule, "The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services."

Later in the rule it is stated, "We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information. We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information. However, the difference between the two situations is the transient versus persistent nature of that opportunity."

The potential confusion lies in the definitions of “temporary storage”, “transient versus persistent”, and the statement “even if the entity does not actually view the protected health information”.  Even in a later clarification, the rule states, “As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.” which seems to indicate a conduit may have access to the information.  Yet previously they stated that someone may be termed a Business Associate even if they don't ever access the PHI.

Reading this and seeing the numerous conversations among experts that weren't conclusive, I placed a call to an authority on the matter.

In essence, it was stated that both access AND encryption are vital to someone applying the conduit exception. They must only be transmitting the data and must have ZERO access to that information.  This means that they 1) cannot store copies of any part of the data along the way (encrypted or not) and 2) must not have access to the encryption key used to secure and open the data "package".  Here is the snippet of the interview that was approved by OCR and published in Counseling Today:

In my interview with Senior Health IT and Privacy Specialist David Holtzman, JD, CIPP/G, I focused on three questions:

1) The primary thing I'm seeking is a clarification of exactly when the conduit rule applies since many application vendors are claiming it does. 
[Mr. Holtzman:] Both access and encryption are vital to organizations applying the conduit exception. They must only be transmitting the data and must have zero access to that information to qualify for an exception. This means that they 1) cannot store copies of any part of the data along the way (encrypted or not) and 2) must not have access to the encryption key used to secure and open the data “package.”  The determining factor is whether data is encrypted from A to B and that the transmission medium doesn't have the key.

2) How might this apply to Dropbox, for example, since people could place encrypted PHI there without Dropbox having the key?
[Mr. Holtzman:] There is a persistent vs. transient nature to that situation since the data does rest on the Dropbox servers for some period of time.

3) Will web-based services such as Gmail (web-based email), Skype (video chat), and other Internet services become de facto business associates under the Final Rule if a covered entity uses them to store, maintain, or transfer PHI?
[Mr. Holtzman:] Yes, they would.

Note that when OCR speaks of "persistent" vs. "transient" they mean in relation to the PHI itself.  When a service is simply transferring data, much like a telephone line or Internet provider, their access to the data is temporary, or transient.  When they store all or part of the data package for any length of time, however, that situation is termed persistent.  Mr. Holtzman also noted that further clarifications will be coming in the future. User-friendly information like they've previously presented on mobile devices (http://bit.ly/Xj2JEs) could be very helpful in clarifying the many questions brought about by the publication of the Final Rule.

It's my understanding that further clarifications will be coming from DHHS/OCR that will hopefully address this confusion.  User-friendly information like they've previously presented on mobile devices would go a long way toward alleviating the potential confusion.

What does all of this mean in application?  If you are a Covered Entity, and you use a tool to create, receive, maintain, or transmit Protected Health Information (PHI), then the vendor of that tool is a Business Associate (whether they want to be or not). This means that, not only do you need to have a Business Associate Agreement with them (and their subcontractors), but they can be held responsible for following HIPAA law.  The only exception is through the conduit rule that requires the entity to be one that: a) only transmits the encrypted PHI and b) never has access to the encryption key.  This means that tools like web-based email programs (Gmail, Yahoo Mail), file storage programs (Dropbox), and video chat applications, where the conduit exception doesn't apply, are all de facto business associates.  What remains to be seen is how those applications will respond to the law considering they historically have deemed themselves not business associates and do not sign Business Associate Agreements.

Note that the final rule is effective March 26, 2013.  Covered Entities (“CEs”) and Business Associates (“BAs”) must comply with the applicable requirements by September 23, 2013.

Rob Reinhardt, LPC, PA

Rob is a Licensed Professional Counselor in private practice and
owner of Tame Your Practice, which provides comprehensive
consulting to mental health and wellness professionals.

©2013 Rob Reinhardt, LPC, PA 


Comments

Submitted by Roy Huggins, MS NCC on Wed, 02/20/2013 - 13:49

"The only exception is through the conduit rule that requires the entity to be one that: a) only transmits the encrypted PHI and b) never has access to the encryption key."

If this plays out to be accurate as written, there goes Skype's argument that they aren't a Business Associate!

Submitted by Rob Reinhardt on Wed, 02/20/2013 - 13:57

Exactly, Roy. Since Skype issues the encryption key, they technically have the ability to access the data themselves. I'm very curious to see how entities like Skype will respond to this issue. Whether they will continue to employ their own legal interpretation or whether they will adapt.

Submitted by Roy Huggins, MS NCC on Wed, 02/20/2013 - 14:01

Also, it is well documented that Skype provides law enforcement with access to calls, so Skype themselves must be able to breach the call security.

My money is on them not adapting the core Skype product. I see too much liability potential and investment needed for Skype to start specifically addressing health care. What may be likely is that they spin off of a telehealth-oriented version that costs to use rather than being free. With VSee on the scene, they may have to do that to compete for our (growing) market.

Submitted by Rob Reinhardt on Wed, 02/20/2013 - 14:05

Agreed. Perhaps more likely is, if they see a market for it, they would buy VSee rather than invest the time and money in trying to compete with it.

Submitted by Katie on Tue, 09/10/2013 - 22:49

Hi Rob, in this article, you mention that you are expecting updated information/clarification about the 'data at rest'? Have you received updated information? Does **encrypted** data on something like dropbox, where the 3rd party doesn't have access to the keys, still need a BAA?
thank you!
Katie

Submitted by Rob Reinhardt on Wed, 09/11/2013 - 11:26

Hi Katie,

Since originally publishing my interview with the OCR rep, I'm not aware of anything changing. What you're asking is a bit of a grey area. With something like VSee, a video platform, where they don't have access to the encryption key, things seem to be a-ok. But part of that is because there is no data "at rest".

Dropbox is different because, as the OCR rep stated, there is a "persistent vs. transient" nature to the data. In other words, the data sits on Dropbox's servers for an unspecified amount of time. According to the OCR rep, this creates a Business Associate relationship, encryption or not.

I wish it weren't the interpretation as it reduces our choices and increases our expenditures, but if you want to be sure to be in compliance, that is their current interpretation.

Submitted by Roy Huggins, MS NCC on Wed, 09/11/2013 - 12:14

If Rob will permit me:

Katie, this issue has been a vexation for much of the year. Some companies are starting to offer business associate contracts, however. More info on that situation here: http://www.linkedin.com/groups/Sep-23-HIPAA-Compliance-Deadline-4203297....

Submitted by Katie on Wed, 09/11/2013 - 13:51

Thanks Rob. The 'encrypted data at rest is not okay' thing seems especially confusing to me because of the OCR message that a lost/stolen portable device isn't a problem if all the PHI on it is encrypted. It's like 'encryption=safety' in one setting but not in the other. Am I wrong about that inconsistency?

Submitted by Rob Reinhardt on Wed, 09/11/2013 - 13:56

Well, I would agree that there are some inconsistencies in the law and how it is interpreted. However, the key difference in what you're talking about is this. In order to be exempt from Breach Notification (what you're talking about) the entire drive of the laptop/computer/portable device must be encrypted. Since services like Dropbox store files from multiple users on their drive, even though your files themselves might be encrypted, the drive itself that they sit on is probably not. Similarly, if you only encrypt specific files or folders on your device, you are not exempt from Breach Notification.

Submitted by Robert Johannes on Fri, 01/03/2014 - 12:44

Rob,

Thanks so much for this writing, it really helps put this rather obscure rule into better perspective as it is currently written and perceived. I do think there will be some interesting tests along the way to moderation, since both the electronic world is most definitively falling into the BAA category, at least in part, and the physical mail providers, depending on their treatment of encryption and the key, may actually fall into the conduit exception category, at least for the electronic portion of their business.

The real problem, and I do not mean anything derogatory toward DHHS, is that this is a very technically challenging portion of the electronic file business, ePHI or any secure data, to understand its flow, its composition and where it resides and where it doesn't (or for how long). We could find electronic providers with data residing in cloud servers for days or weeks (or even permanently) in trying to comply with disaster recovery and business continuity concerns. Conversely, we could find a print provider with data existing for mere minutes in the transmission of data to its end usage.

So who is more in violation of current OMNIBUS rules and who looks more like a conduit exception? It's an interesting problem, and one we are actively trying to get clarification on, as we reside in both the electronic and physical sides of the business.

Your advice, counselor?

Submitted by Rob Reinhardt on Fri, 01/03/2014 - 17:34

Great points and questions, Robert. I believe HIPAA/HITECH is something that will continue to be a living document, like most laws/legislation. There's the law, and then there's the interpretation, implementation, and enforcement of the law. Inevitably, there is then case law that contributes to all of the above. Two of the significant challenges here are that a) HIPAA was intentionally left "vague" in parts to provide flexibility and b) we don't have much case law or anything else to go on to determine how interpretations will be applied to real life situations.

Most enforcement up until now has been focused on clear violations and negligence. It remains to be seen how these nuanced interpretations will play out in an actual court room or even a simple investigation.

Submitted by Roy Huggins, MS NCC on Sat, 01/04/2014 - 16:06

I've also noticed that OCR does not seem as aware of the technical consequences of their interpretations of the law as CMS is/was. They are also focused on very big picture issues such as HIEs, and not so much on the "low to the ground" consequences such as use of email, PayPal-type services, etc. I think it will be a while before we see any interpretations or case law at that level.

Submitted by Rebekah on Thu, 03/13/2014 - 11:34

Has anyone heard discussions around whether or not cell phone aggregators and/or carriers are required to consider themselves Business Associates? They are an electronic version of the US Postal service and telephone service, but let's face reality, anything electronic will be stored for a temporary amount of time. The US Post office holds on to a letter for days and it isn't encrypted, so not sure how they are fitting the exception either...

Submitted by Rob Reinhardt on Thu, 03/13/2014 - 11:39

Hi Rebekah,

Great question. As with so many of these issues, there isn't any case law to clarify things. Don't hold me to this, but this is what I recall seeing as the "common sense" thoughts on cell phones and ePHI. If we're talking about voice communications, voice mails, etc. what I generally hear is that there isn't a BA situation since the communication doesn't originate as electronic. ePHI tends to refer to data that originates as electronic and then is transmitted.

When you get into text/SMS messages and capabilities of smart phones, that's another story since the ePHI may originate as electronic data. Since it's doubtful any of the major carriers will ever enter into a BAA, however, it's left to the CEs to do what they can, like have informed consent with clients who are going to engage in such communications.

Submitted by Rebekah on Thu, 03/13/2014 - 11:49

This is the same line of reasoning I was heading down as well, so it's good to see someone else applying common sense. Although, on this one, I feel like I could easily argue either side but I would be arguing "words" and I understand the technical elements of delivering a text combined with HIPAA. I see this as another instance of rules applied to technology where technology is not understood by the rule makers.

Very informative site, thanks for sharing your knowledge.
