When selecting a company to manage and transmit PHI on your organization’s behalf, you may assume that those that state they offer HIPAA compliant solutions would be prepared to sign a Business Associate Agreement (BAA). However, this assumption may well be wrong, as some providers will refuse to sign a BAA on the grounds of the HIPAA conduit exception rule.
While they may state that they are HIPAA compliant, the HIPAA Omnibus Rule of 2013 says otherwise, as all business associates must sign a BAA to ensure that they, and their covered entity customers, are compliant. Without a signed BAA in place, you and your business associate are not HIPAA compliant, and could be subject to fines which your organization will be held accountable for – particularly if a data breach occurs.
The conduit exception rule does not apply to entities that have regular access to PHI
The ‘mere conduit’ exception extends only to organizations that deal with ‘any temporary storage of transmitted data incident to such transmission.’ This is defined in the rules as entities that have ‘random or infrequent access’ to PHI. Therefore, any mobile messaging provider that refuses to sign a BAA is putting your organization at risk.
Exceptions would include the United States Postal Service, couriers, and their electronic equivalents, as while they are considered to be entities that transport or transmit PHI, they do not have regular access to PHI and disclosure of the PHI. In addition, internet service providers (ISPs) transmit PHI over their network, but they do not access or store the data. This is another example of occasional or random access that would not require a BAA to be signed.
Without a BAA, the whole chain becomes noncompliant
The phase 2 HIPAA audits are still ongoing, and as well as covered entities, business associates are subject to audits conducted by the Office for Civil Rights (OCR). With every link in the chain being scrutinized, any party who has not taken the necessary steps to ensure that they are protecting PHI can be held accountable for data breaches and penalized for noncompliance. Therefore, it is essential that a covered entity has a BAA in place with any vendor that manages or transmits PHI on their behalf, such as a mobile messaging provider.
To be HIPAA compliant when transmitting, receiving, or storing PHI, a BAA must be signed
Don’t be fooled by those offering a ‘conduit service’ to get around having to sign an agreement. While this technically makes them able to state that they are HIPAA compliant, the small print is likely to include a guarantee that they will disable SMS texting, disable automatic forwarding of messages to email, and will delete all voicemails, faxes, and recordings after a short period. Clearly, this is an admission that they do have more than random and infrequent access to PHI, and therefore they should be signing a BAA.