HITECH Business Associate Rule Tool Section 10: Implications for Health Information (Exchange) Organizations

The Omnibus Rule expanded the definition of Business Associate to expressly include any “Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”

The Omnibus Rule did not provide any definition of “Health Information Organization,” (HIO) but in discussing it in the Preamble to the Rule DHHS made it clear this is to be interpreted broadly, to include regional health information organizations (RHIO) and other related types of entity, and that in any case HIOs and E-prescribing Gateways were identified only as examples of data transmission services providers, not as limitations on the definition.

The significant limitation on this definition is that it does not apply to organizations which are “conduits,” i.e., which provide data transmission services that do not entail access to PHI on a routine basis. DHHS indicated that this is intended as a narrow exception:

. . . The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to protected health information when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to protected health information would not qualify the company as a business associate. In contrast, an entity that requires access to protected health information in order to perform a service for a covered entity, such as a Health Information Organization that manages the exchange of protected health information through a network on behalf of covered entities through the use of record locator services for its participants (and other services), is not considered a conduit and, thus, is not excluded from the definition of business associate. . . .

A service can qualify as a conduit if its data transmission service is on a store-and-forward basis, as long as the storage is “temporary” or “transient.”  “Persistent” storage will trigger Business Associate status, if the service “has access to” PHI, “even if the entity does not view the information or only does so on a random or infrequent basis.

This last comment suggests that access controls preventing service organization access to PHI would keep it from being a Business Associate, but DHHS has provided no additional guidance on this point. If this is a valid interpretation, adequate access control might include data encryption using a methodology which would render the data “secured” for purposes of the breach notification rule, as long as the services provider doesn’t have access to the encryption keys.

Entities providing data transmission services, whether identified as HIOs or otherwise, should therefore assume they are Business Associates unless their services are limited to “pure” data transmission, or if some “persistent” storage is involved, for example in a repository, if all PHI is properly encrypted and the services provider cannot access the encryption keys.

© 2013 John R. Christiansen