Streamlining HIPAA compliance with a ‘Conduit Exempt’ SD-WAN

If you’re in the healthcare business, or if you provide technology to healthcare businesses, then you’re familiar with the Health Insurance Portability and Accountability Act (HIPAA). You’ve probably also learned that HIPAA compliance can be complicated and costly. When you start moving Patient Health Information (PHI) to the Cloud, it can get even more complicated and costly.  

It’s no wonder that businesses, especially those with Cloud-based PHI, are always looking for opportunities to streamline their HIPAA compliance requirements. One such opportunity exists around the internet contingency/continuity requirement. Bigleaf’s Cloud-first SD-WAN addresses this while making use of the Conduit Exception to ease the process.  

The HIPAA Conduit Exception makes deploying Bigleaf’s SD-WAN an easy project. But there’s a lot of confusion about the Conduit Exception, what it means, and why it applies to some vendors like Bigleaf. This post will break it all down for you. 

HIPAA, Business Associate Agreements and You

To understand the Conduit Exception, we need to start by explaining Business Associate Agreements and why they’re so critical in your HIPAA compliance. A Business Associate Agreement (BAA) is a written contract between a Covered Entity (CE), that’s you, and a Business Associate (BA), that’s another vendor or company that you’re working with.  

To maintain your HIPAA compliance, it is required that you maintain a BAA with any Business Associates that interact with your ePHI, and for good reason. Patient records need to be protected and anyone accessing or storing those records needs to be held to the same high standard of privacy and security that you are as the CE. 

The penalties for not having a BAA are steep. In fact, a Covered Entity in Minnesota recently agreed to a $1.55 million fine for not having a BAA in place with one of its Business Associates. So, we can understand why businesses default to requiring this kind of agreement.  

But the onus of these agreements can be costly to both vendors and CEs. Not to mention, it can delay the deployment of new technologies. But the good news is, the Department of Health and Human Services (DHH) designated certain types of vendors that don’t require a BAA. They’re covered under the “Conduit Exception.”  

Understanding the Conduit Exception 

The Conduit exception was introduced to remove this burden for both CE’s and the vendor where it wasn’t needed. The full text of the Conduit Exception can be found under Section 160.103 – Definitions: 

We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity. 

This exception means that services you use to simply transport PHI from, say, your office to another server or cloud service are not considered a Business Associate and do not require a BAA. Simple, right? Well there’s some nuance.  

How to determine if a vendor meets the Conduit Exception  

The DHH has some great guidance on the subject of the Conduit Exception. According to an FAQ on their website

As explained in previous guidance,[14] the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission.  Any access to PHI by a conduit is only transient in nature. 

To ensure that a vendor like Bigleaf meets this definition for the Conduit Exception, there are two qualifications that you should look for.  

1) The service must be “transient” 

The Conduit Exception applies to things like internet connections and roads that are “transient” in nature relative to the PHI in question. That means that the vendor cannot store persistent copies of the data as a part of the offering (encrypted or not). For instance, when you mail something to a patient, PHI is technically traversing the road but information in the letter is never stored or recorded anywhere along the way.  

Likewise, Bigleaf accepts encrypted data from your network and transmits it to our PoPs where the data is handed off, still-encrypted, to your Cloud application. Bigleaf doesn’t offer file or other persistent storage. 

2) The service must not have access to decrypt the data in transit 

To meet the Conduit Exception a vendor also must not have access to the encryption key used to secure and open the data “package”. This may not apply to an SD-WAN that also provides firewall functionality as the system may be able to decrypt PHI in transit (if the PHI is not first encrypted by the application). 

Bigleaf, sitting outside of the firewall, operates independent of any security or encryption provided by the application and/or VPN. 

Look for a proven solution

With so much at stake, it never makes sense to gamble with HIPAA compliance. When considering whether a vendor meets the Conduit Exemption, always ask for references or case studies, and we also recommend consulting with your attorney. For Bigleaf, I’d recommend reading our partner interview on Simplifying HIPAA Compliance for Heathcare Providers With SD-WAN

If you have any other questions about SD-WAN and HIPAA compliance, or if you’d like to learn more about how Bigleaf can help, contact us today. 

Comments are closed.