What is Covered by the HIPAA Conduit Exception Rule?


The HIPAA conduit exception covers service providers that only transport protected health information from one point to another and do not create, receive, maintain, or access the information other than on a random or infrequent basis as necessary to perform the transportation service, with any storage limited to temporary, transmission-related buffering rather than retention.

The conduit exception is applied within the HIPAA business associate framework rather than as a separate HIPAA rule. A covered entity may disclose protected health information to a conduit for transport without treating the conduit as a business associate when the conduit’s role is limited to transmission and the conduit does not maintain the information.

Covered examples include traditional couriers and common carriers that deliver hard copy records, such as the U.S. Postal Service and private delivery services, when they are performing delivery functions and do not handle the information beyond what is inherent in delivery. Electronic equivalents that provide transmission-only services, such as internet service providers that route data traffic, can fall within the same concept when their function is limited to data transmission and they do not retain the content.


The storage element is the primary boundary condition. A conduit may have transient possession of protected health information while routing, switching, or buffering data in a manner that is incidental to transmission. Storage that is persistent, retrievable, archived, backed up, processed, or otherwise maintained for the customer moves the service into business associate activity because the vendor is maintaining protected health information.

Services that are frequently misclassified as conduits include email providers, cloud storage providers, electronic fax platforms, and messaging platforms that store messages or files beyond momentary transmission needs. A vendor claim that its staff have “no view” access because the customer encrypts the content does not convert a maintaining service into a conduit when the vendor is storing or otherwise maintaining protected health information; encryption limits who can read the data, not whether the vendor maintains it.

The conduit exception does not remove HIPAA obligations for the covered entity or business associate sending protected health information. The sender remains responsible for applying HIPAA Privacy Rule limits on disclosures, applying the HIPAA Minimum Necessary Rule when it applies, and implementing HIPAA Security Rule safeguards for electronic protected health information in transit, including transmission security measures selected through risk analysis and risk management.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]