HIPAA Final Rule Confirms That ISPs Transmitting PHI Are Not Business Associates
Written by Joseph Lorenzo Hall
On January 25, 2013, the US Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) published a final rule updating regulations to the Health Insurance Portability and Accountability Act (HIPAA). One small but important part of the rule clarifies that those entities that serve as “mere conduits” for the transmission of protected health information (PHI) are not subject to HIPAA liability and obligations as business associates (BAs).
Even before this clarification, CDT thought that the HIPAA regulations did not cover Internet service providers (ISPs) providing transmission services to hospitals or other entities covered by HIPAA. HHS had previously issued guidance stating that “mere conduits” — physical courier services such as the US Postal Service and UPS as well as their “electronic equivalents” — were not business associates.See: “FAQ: Are the following entities considered ‘business associates’ under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?”, HHS’ Office of Civil Rights, available at: <a href= http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/245.html /a>; “Business Associates,” HHS Office of Civil Rights, available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html (Other Situations in Which a Business Associate Contract Is NOT Required: … With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.”). HHS had explained that a conduit “transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law.”
However, there had still been some concern about whether an entity providing PHI transmission services to a HIPAA-covered entity would be considered a BA. Providers of transmission services, including ISPs, faced inconsistent interpretations that created an uncertain playing field: if these service providers wanted to handle traffic from hospitals and doctors offices, which would undoubtedly include PHI, would they need to treat those transmissions differently or otherwise modify their business to comport with HIPAA?
In the final rule, published in the January 25, 2013 Federal Register, the definition of the term “business associate” in 42 CFR 160.103 states that “business associate” includes any person that “provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information ” (emphasis added). Consequently, entities providing transmission services are BAs only if they have actual access to PHI and such access is routine.
The explanatory material that accompanied the final rule (frequently called the “preamble”) provides more clues as to how OCR distinguishes between transmission service entities that routinely access PHI and those that are mere conduits with only “random or infrequent” access. First, the preamble explicitly says that the “mere conduit” exception, while narrow, is intended to exclude ISPs from coverage as BAs. (78 Fed. Reg. 5571.) Furthermore, the preamble states that the conduit exception includes “any temporary storage of transmitted data incident to such transmission.”
The explanatory text draws a sharp distinction between transmission (including incidental storage associated with such transmission) and ongoing storage. As explained in the preamble, “an entity that maintains [PHI] on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the [PHI].” The difference between those two situations “is the transient versus persistent nature of” the opportunity to access PHI. As an example, a data storage company that has access to [PHI] “qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.” (78 Fed. Reg. 5571–5572.)
The above analysis is not intended to substitute for the advice of legal counsel, but we believe the clarification is very positive and should allow ISPs to breath more easily.
The final regulations go into effect on March 26, 2013, and federal regulators will begin enforcement on September 25, 2013.