This entry is part 26 of 27 in the series HIPAA Audit Tips

In a recent blog post we advised: “Be Careful Claiming ‘Conduit’”. Two of our colleagues, Jason Riddle and Gary Ridner, attended the OCR/NIST 6th Annual Conference on Safeguarding Health Information in Washington in early June. Jason Riddle offers up this blog post and tip. Here’s today’s big tip: sort out your Business Associate status before OCR does!

HIPAA Audit Tips – Sort out your Business Associate status before OCR does!

OCR/NIST 6th Annual Conference on Safeguarding Health Information

— by Jason Riddle, CISSP, CISA

There was an interesting discussion at the recent OCR/NIST 6th Annual Conference on Safeguarding Health Information. Several of the conference attendees were seeking clarification from the OCR on the categorization of an entity which stores encrypted PHI on behalf of a covered entity but does not possess the encryption keys, nor have any mechanism to decrypt or otherwise access the plaintext data. They did not appear happy with the response they received.

Much of the confusion stems from the concept of “conduits”, a term which was introduced in the preamble of the Privacy Rule in 2000. The initial language characterized a conduit as an entity that…

“…transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.”

The classic example used is the U.S. Postal Service (and its electronic equivalents), which acts as a courier of data sent from Point A to Point B.

The 2013 Omnibus Final Rule provides significantly more detail on conduits, but this additional detail still leaves the question posed by the conference attendees unresolved.

The preamble of the Omnibus Rule states that the conduit exception is intended to be a narrow one that is limited to transmission services where the PHI data is transient, not persistent.

The Omnibus Rule goes on to say…

“To help clarify this point, we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” (emphasis added) protected health information on behalf of a covered entity.”

David Holtzman, Sr. Health Information Technology and Privacy Specialist for the OCR, attempted to provide some clarification by stating that one test to determine if a Business Associate agreement is required is persistence of custody rather than ability to access. Holtzman acknowledged that this topic is being discussed internally at the OCR and said they are working to provide clarification on the issue.

So, it would seem that, barring any reversal in direction from the OCR, entities which store ePHI on behalf of a Covered Entity or a Business Associate will indeed be required to comply with the regulations and complete a Business Associate agreement, regardless of their ability to decrypt or access the data in their custody.

There is an interesting parallel in the Payment Card Industry, which has attempted to avoid federal regulation by implementing the PCI Data Security Standard (PCI DSS) for all organizations which store, process, or transmit credit card data. The PCI Security Standards Council, the consortium that establishes the compliance standards for the PCI program, evaluated this same topic of entities which store encrypted data but have no ability to decrypt or access it. In August 2012 the Standards Council issued clarification in the form of an FAQ article (Article Number: 1233) which states:

“…if a merchant stores media containing only encrypted data at a third-party back-up storage facility, and the third-party provider has no access to decryption keys and no ability to decrypt the data, then the presence of encrypted data alone would not bring the third-party provider into scope for PCI DSS”

So I suppose it stands to reason that, since we’re comparing two different industries (Health Care and Electronic Payments) and two different governance models (Federal Regulation vs. Industry Self-regulation), we have two different answers to the same question. In the meantime, we will all be anxiously awaiting the formal clarification from the OCR.

The standard disclaimers hold here; the opinions contained herein are those of the author, who is not an attorney and is not offering legal advice. Determining if a Business Associate agreement is required in a particular situation is best decided by working in conjunction with your Legal Counsel.

Proven HIPAA Audit Tips – Other Actions You Should Take Now to Prepare for OCR HIPAA Investigations or Audits

We recommend that organizations that have not already done so complete some fundamental preparation activities, which include, but are not limited to:

  1. Establish a formal Privacy and Security Risk Management & Governance Program. (45 CFR § 164.308(a)(1))
  2. Complete a HIPAA Security Evaluation. (45 CFR § 164.308(a)(8))
  3. Complete a Privacy Rule compliance assessment. (45 CFR § 164.530)
  4. Complete a Breach Rule compliance assessment. (45 CFR § 164.400)
  5. Complete a HIPAA Security Risk Analysis. (45 CFR § 164.308(a)(1)(ii)(A))
  6. Develop comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures. (45 CFR § 164.530, 45 CFR § 164.316 and 45 CFR § 164.414)
  7. Document and act upon a corrective action plan.

Join the 350+ companies (both covered entities and business associates) that work with Clearwater Compliance. We can help your organization jump-start your HIPAA Compliance program.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.




Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority on safeguarding health data, Chaput has supported hundreds of hospitals and health systems in successfully managing healthcare’s evolving cybersecurity threats and ensuring patient safety.