In its role as a carrier of physical packages containing PHI, UPS is not considered a business associate under HIPAA because it qualifies for the conduit exception.
A business associate, according to HIPAA, is any individual or organization that performs services involving the use or disclosure of PHI on behalf of a covered entity. Examples of business associates include medical billing companies, cloud service providers that store patient data, and law firms handling legal matters that require access to PHI. These associates must sign a business associate agreement (BAA), a contract that outlines their responsibilities in protecting PHI and ensures their compliance with HIPAA.
UPS is primarily a shipping and logistics company. It provides delivery services for businesses across various industries, including healthcare, often transporting packages that may contain PHI, such as medical records, lab results, or other sensitive documents. However, this transport does not make UPS a business associate.
HIPAA includes a “conduit exception,” which applies to entities that only transport or transmit PHI and do not access or handle the information in any meaningful way. Under this exception, “the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information,” says the HHS. Companies like UPS, FedEx, and the U.S. Postal Service are classified as conduits. They move data or physical documents containing PHI but do not review, process, or store it as part of their regular operations.
The PHI transported by UPS is typically secured in a sealed envelope or package, and the company does not have direct access to the information. This lack of interaction with PHI is what differentiates UPS from business associates who handle and manage health data.
However, this conduit status could change if UPS were to provide additional services that involve access to PHI. For example, if UPS offered document management or data storage services, it would then need to comply with HIPAA as a business associate, because these services require direct interaction with PHI.
Using Paubox products and services can be a secure and efficient alternative for transmitting PHI while maintaining HIPAA compliance. Paubox provides HIPAA compliant email and texting solutions that eliminate the need for recipients to log into portals or use passwords, ensuring a seamless and secure communication process. Their HIPAA compliant email platform ensures that PHI is protected both in transit and at rest, reducing the risk of breaches that could occur during the physical shipping of sensitive documents. Similarly, Paubox’s texting services enable healthcare professionals to communicate with patients via secure, encrypted messages, offering a quick and safe way to share sensitive information like appointment reminders, lab results, or treatment plans. By integrating Paubox’s services, healthcare organizations can maintain compliance, improve operational efficiency, and enhance patient trust with secure and easy-to-use email communication.
The conduit exception refers to the provision in HIPAA that states entities that solely transport or transmit PHI without accessing or handling it are not considered business associates. Companies like UPS, FedEx, and the U.S. Postal Service fall under this exception.
Healthcare organizations should choose shipping companies that understand the importance of patient privacy, offer secure shipping options, and have established protocols to handle sensitive information appropriately, even if they are not classified as business associates.