The HIPAA Conduit Exception is a narrow carve-out from HIPAA's definition of a "business associate." An entity that merely transmits protected health information (PHI) on behalf of a covered entity, without accessing, storing, or altering it, is not a business associate, so the covered entity does not need a business associate agreement (BAA) with it before routing PHI through its service.
Understanding the conduit exception
The conduit exception applies to entities that act purely as carriers of PHI. They play no role in the content of what they carry; they move it from one party to another and, at most, hold it transiently while doing so. The exception is limited to transmission services: a vendor that maintains or stores PHI on a covered entity's behalf (for example, a cloud storage provider) is a business associate even if it never views the data and even if the data is encrypted and the vendor lacks the key, as HHS has stated in its cloud computing guidance.
According to the HHS, “A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.”
Examples of conduit entities:
- Postal services and couriers (e.g., mailing or shipping documents)
- Internet service providers and telecommunications carriers that only transmit data
Implications of the exception
The Conduit Exception gives healthcare providers and other covered entities practical room to transmit PHI through third-party carriers without negotiating a BAA with every postal service, courier, or network provider in the path. It does not shift responsibility: the covered entity remains accountable for deciding whether a vendor truly qualifies as a conduit and for protecting the PHI while it is in transit.
Tips/best practices
When relying on the Conduit Exception as a HIPAA-covered entity, the following practices help you stay compliant while handling PHI:
- Limit access to PHI: Confirm that a conduit cannot access the content of the PHI beyond the random or infrequent access needed to perform the transport. Review contracts and service descriptions to confirm the vendor's role is transmission only. If a vendor stores PHI, can read it as part of its service, or accesses it more than incidentally, treat it as a business associate and put a BAA in place.
- Maintain documentation: Keep a record of every conduit you rely on, the service it provides, and the reasoning behind your determination that it qualifies as a conduit. This demonstrates due diligence in an audit.
- Implement safeguards: Even when the carrier is a conduit, the covered entity must apply reasonable safeguards to PHI during transmission, which for electronic PHI means encryption in transit so the carrier cannot read the content. HIPAA compliant email services such as Paubox Email Suite are one way to do this.
FAQs
Do conduit entities need to be HIPAA compliant?
No. A true conduit is neither a covered entity nor a business associate, so HIPAA imposes no direct compliance obligations on it. The duty to protect PHI during transmission stays with the covered entity, which must choose transmission methods with reasonable safeguards (such as encryption). A vendor that does more than transmit, for example by storing PHI or accessing it as part of its service, is a business associate and must comply with the Security Rule and sign a BAA.
Is it necessary to have a written agreement with conduit entities?
A BAA is not required for an entity that genuinely qualifies as a conduit. It is still advisable to document the relationship, the service the vendor provides, and your determination that it only transmits PHI, so that the basis for not having a BAA is clear if questioned.
Can I share PHI with a conduit entity without patient authorization?
Routing PHI through a conduit does not itself require patient authorization, because the conduit only transports the information and is not an intended recipient of it. The underlying disclosure to the actual recipient still needs its own basis under the Privacy Rule, such as treatment, payment, or healthcare operations, or a patient authorization where one is required.