Don’t be fooled by HIPAA Conduit Exception Rules
When selecting a HIPAA fax provider, you’d think that companies who state they offer HIPAA compliant faxing solutions would be prepared to sign a Business Associate Agreement (BAA), right?
Well, you’d be wrong. Some cloud fax providers don’t sign a BAA. They advertise that they are HIPAA compliant, but according to the HIPAA Omnibus Rule of 2013, all business associates must sign a BAA to ensure that they, and their covered entity customers, are compliant. Without a BAA, you and your business associate are not HIPAA compliant.
Fact 1: The conduit exception rule applies to very few organizations that come into contact with PHI
An entity that simply transports or transmits PHI, but does not regularly access or disclose the PHI it carries, may claim the “conduit exception”. Examples include the United States Postal Service, couriers, and their electronic equivalents.
An example of occasional or random access that would not require a BAA is an internet service provider (ISP). An ISP may transmit PHI over its network, but it does not access or store the data.
How do the HIPAA rules define “random or infrequent access”? The rule explicitly states that the “mere conduit” exception is intended to cover organizations whose handling of PHI is limited to “any temporary storage of transmitted data incident to such transmission.”
Fact 2: You are putting your organization at risk by not having a BAA in place
With the phase 2 HIPAA audits looming, business associates are subject to audits by the Office for Civil Rights (OCR). This also means that they are held accountable for data breaches and penalized for noncompliance. It is crucial that a covered entity has a BAA in place with any vendor that manages PHI on its behalf. Without one, both the covered entity and the vendor are noncompliant.
Fact 3: Any organization transmitting, receiving, or storing PHI must sign a BAA
However you look at it, any organization that claims to offer HIPAA faxing will clearly be “transmitting” and “receiving” information that includes PHI, so it falls into the category of business associates – and should be willing to sign a BAA.
To get around signing the agreement, some providers offer what they call a “conduit service”, which technically lets them state that they are HIPAA compliant. This typically comes with a guarantee that they will disable automatic forwarding of messages to email, disable SMS texting, and delete all faxes, voicemails and recordings after a short period.
How can I find out if a provider is really HIPAA compliant?
Put simply, if your provider is fully HIPAA compliant, they will sign a Business Associate Agreement (BAA) with you because they are required to, and they will have no problem providing evidence that they are HIPAA compliant.
“If you use a cloud-based service, it should be your business associate. If they refuse to sign, don’t use the service.”
David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division
Scrypt, Inc. is proud to offer our document management platform designed for healthcare, Stak, and our cloud faxing service, Sfax. Both services are fully HIPAA compliant – and we’re more than happy to sign a BAA!