If you’re in the healthcare business, or if you provide technology to healthcare businesses, then you’re familiar with the Health Insurance Portability and Accountability Act (HIPAA.) You’ve probably also learned that HIPAA compliance can be complicated and costly. When you start moving patient health information (PHI) to the cloud, it can get even more complicated and costly.
It’s no wonder that businesses, especially those with cloud-based PHI, are always looking for opportunities to streamline their HIPAA compliance requirements. One such opportunity exists around the internet contingency/continuity requirement. Bigleaf’s& cloud-first SD-WAN addresses this while making use of the “conduit exception” to ease the process.
The HIPAA conduit exception makes deploying Bigleaf’s SD-WAN an easy project. But there’s a lot of confusion about the conduit exception, what it means, and why it applies to some vendors like Bigleaf. This post will break it all down for you.
HIPAA, business associate agreements and you
To understand the conduit exception, we need to start by explaining business associate agreements and why they’re so critical to your HIPAA compliance. A business associate agreement (BAA) is a written contract between a covered entity (CE) — that’s you — and a business associate, defined as another vendor or company that works with you.
To maintain your HIPAA compliance, it is required that you maintain a BAA with any business associates that interact with your PHI, and for good reason. Patient records need to be protected and anyone accessing or storing those records needs to be held to the same high standard of privacy and security that you are as the CE.
The penalties for not having a BAA are steep. In fact, a covered entity in Minnesota recently agreed to a $1.55 million fine for not having a BAA in place with one of its business associates. So, we can understand why businesses default to requiring this kind of agreement.
But the onus of these agreements can be costly to both vendors and CEs. Not to mention, it can delay the deployment of new technologies. But the good news is, the Department of Health and Human Services (DHH) identified certain types of vendors that don’t require a BAA. These vendors are covered under the “conduit exception.”
Understanding the conduit exception
The conduit exception was introduced to remove this burden for both CE’s and the vendor where it wasn’t needed. The full text of the conduit exception can be found under Section 160.103 – Definitions:
We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers, and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.
This exception means that services you use to simply transport PHI from, say, your office to another server or cloud service are not considered as business associates and therefore do not require a BAA. Simple, right? Well there’s some nuance.
When does a vendor meet the conduit exception?
The DHH has some great guidance on the subject of the conduit exception. According to an FAQ on their website
As explained in previous guidance, the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature.
To ensure that a vendor like Bigleaf satisfies the conditions for the conduit exception, there are two qualifications that you should look for.
1) The service must be “transient”
The conduit exception applies to things like internet connections and roads that are “transient” in nature relative to the PHI in question. That means that the vendor cannot store persistent copies of the data as a part of the service offering, whether or not the data is encrypted. For instance, when you mail something to a patient, PHI is technically traversing the road but information in the letter is never stored or recorded anywhere along the way.
Likewise, Bigleaf accepts encrypted data from your network and transmits it to our PoPs where the data is handed off, still-encrypted, to your cloud application. Bigleaf doesn’t offer persistent storage of files or other data.
2) The service must not have access to decrypt the data in transit
To meet the conduit exception a vendor must not have access to the encryption key used to secure and open the data “package.” This restriction may rule out an SD-WAN that also provides firewall functionality, as the system could potentially be able to decrypt PHI in transit (if the PHI is not first encrypted by the application).
Bigleaf, on the other hand, sits outside of the firewall and operates independently of any security or encryption that’s provided by the application and/or VPN.
Look for a proven solution
With so much at stake, it never makes sense to gamble with HIPAA compliance. When considering whether a vendor meets the conduit exemption, always ask for references or case studies. We also recommend consulting with your attorney. To learn more about Bigleaf’s role as a conduit, read our partner interview on “Simplifying HIPAA compliance for healthcare providers with SD-WAN.”
If you have any other questions about SD-WAN and HIPAA compliance, or if you’d like to learn more about how Bigleaf can help, contact us today.