HIPAA Final Rule and the Conduit Exception
As most are aware by now, the new "Omnibus" rule for HIPAA was released this year. It runs to hundreds of pages, and experts are still sifting through it to determine what it all means. While this "final rule" was intended to clarify things, especially with regard to HITECH and the Security Rule, in true HIPAA fashion it still left some things open to interpretation. Worse than that, some of its statements appear to conflict with one another. Needless to say, legal experts have been hotly debating some of the finer points of these clarifications.
Probably the hottest topic is the expansion of the definition of Business Associate and the clarification of the Conduit Exception. If you're not really interested in the details and just want the summary, you may want to skip to the last paragraph.
First, a business associate is any entity that a covered entity allows to create, receive, maintain, or transmit Protected Health Information (PHI). That's pretty inclusive. The final rule has even expanded this to include subcontractors of anyone that is a business associate. Where it gets tricky, and potentially confusing, is with the Conduit Exception.
According to the final rule, "The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services."
Later in the rule it is stated, "We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information. We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information. However, the difference between the two situations is the transient versus persistent nature of that opportunity."
The potential confusion lies in the definitions of "temporary storage" and "transient versus persistent", and in the statement "even if the entity does not actually view the protected health information". Even in a later clarification, the rule states, "As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law," which seems to indicate that a conduit may have access to the information. Yet earlier it stated that an entity may be a Business Associate even if it never accesses the PHI.
After reading this and seeing the numerous conversations among experts that weren't conclusive, I placed a call to an authority on the matter.
In essence, it was stated that both access AND encryption are vital to someone applying the conduit exception. They must only be transmitting the data and must have ZERO access to that information. This means that they 1) cannot store copies of any part of the data along the way (encrypted or not) and 2) must not have access to the encryption key used to secure and open the data "package". Here is the snippet of the interview that was approved by OCR and published in Counseling Today:
In my interview with Senior Health IT and Privacy Specialist David Holtzman, JD, CIPP/G, I focused on three questions:
1) The primary thing I'm seeking is a clarification of exactly when the conduit rule applies since many application vendors are claiming it does.
[Mr. Holtzman:] Both access and encryption are vital to organizations applying the conduit exception. They must only be transmitting the data and must have zero access to that information to qualify for an exception. This means that they 1) cannot store copies of any part of the data along the way (encrypted or not) and 2) must not have access to the encryption key used to secure and open the data "package." The determining factor is whether data is encrypted from A to B and that the transmission medium doesn't have the key.
2) How might this apply to Dropbox, for example, since people could place encrypted PHI there without Dropbox having the key?
[Mr. Holtzman:] There is a persistent vs. transient nature to that situation since the data does rest on the Dropbox servers for some period of time.
3) Will web-based services such as Gmail (web-based email), Skype (video chat), and other Internet services become de facto business associates under the Final Rule if a covered entity uses them to store, maintain, or transfer PHI?
[Mr. Holtzman:] Yes, they would.
Note that when OCR speaks of "persistent" vs. "transient" they mean in relation to the PHI itself. When a service is simply transferring data, much like a telephone line or Internet provider, its access to the data is temporary, or transient. When it stores all or part of the data package for any length of time, however, that situation is termed persistent. Mr. Holtzman also noted that further clarifications will be coming in the future from DHHS/OCR, which will hopefully address this confusion. User-friendly information like they've previously presented on mobile devices (http://bit.ly/Xj2JEs) would go a long way toward alleviating the many questions brought about by the publication of the Final Rule.
What does all of this mean in application? If you are a Covered Entity, and you use a tool to create, receive, maintain, or transmit Protected Health Information (PHI), then the vendor of that tool is a Business Associate (whether they want to be or not). This means that, not only do you need to have a Business Associate Agreement with them (and their subcontractors), but they can be held directly responsible for following HIPAA law. The only exception is through the conduit rule, which requires the entity to be one that: a) only transmits the PHI, encrypted end to end, without storing any part of it, and b) never has access to the encryption key. This means that tools like web-based email programs (Gmail, Yahoo Mail), file storage programs (Dropbox), and video chat applications, where the conduit exception doesn't apply, are all de facto business associates. What remains to be seen is how those vendors will respond to the law, considering they have historically deemed themselves not to be business associates and do not sign Business Associate Agreements.
Note that the final rule is effective March 26, 2013. Covered Entities (“CEs”) and Business Associates (“BAs”) must comply with the applicable requirements by September 23, 2013.
Rob Reinhardt, LPC, PA
Rob is a Licensed Professional Counselor in private practice and
owner of Tame Your Practice, which provides comprehensive
consulting to mental health and wellness professionals.
©2013 Rob Reinhardt, LPC, PA