HIPAA

1.  Electronic communication vendor - will not sign BAA

Posted 7 days ago
Our IT department is researching a telecommunications service provider for faxing, SMS, and possibly phone. This provider states they are a conduit and will not sign a BAA. Other fax providers sign BAAs and are considered conduits.

What are your recommendations?

------------------------------
Debbie Henderson
Director of Compliance
San Luis Obispo, CA
------------------------------


2.  RE: Electronic communication vendor - will not sign BAA

Posted 7 days ago
We have a BAA with our e-fax provider.

Carly Borenkind, LCSW
Compliance Officer- JASA
247 W. 37th Street 9th Floor
New York, NY 10018
Ph: 212.273.5296
eFax: 929.299.1132


3.  RE: Electronic communication vendor - will not sign BAA

Posted 7 days ago
We have a vendor that said they were not a BA and would not sign our BAA. So we compromised by adding into the contract a line that basically said they would abide by HIPAA if it applies. That way they feel comfortable that it will never apply. We feel comfortable that if CMS says they are a BAA then they have agreed to comply. It's the closest we could come together.

------------------------------
Carl Russell
Compliance Analyst
Delta Dental of Idaho
Boise, ID

Anything I say is my sole opinion and not of my company.
------------------------------



4.  RE: Electronic communication vendor - will not sign BAA

Posted 7 days ago
The determining factors for a conduit exemption are pretty solid in the final rule guidance. I often reference the point that says clearly the conduit exemption is intended to be a narrow one. It is also the reference we often use to clarify that having persistent access to PHI matters in the BA classification determination, not whether or not you intend to do anything with it.

I added the bold to the points below from the original text.

Regarding what it means to have "access on a routine basis" to protected health information with respect to determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity. The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as Internet Service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to protected health information when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to protected health information would not qualify the company as a business associate. In contrast, an entity that requires access to protected health information in order to perform a service for a covered entity, such as a Health Information Organization that manages the exchange of protected health information through a network on behalf of covered entities through the use of record locator services for its participants (and other services), is not considered a conduit and, thus, is not excluded from the definition of business associate. We intend to issue further guidance in this area as electronic health information exchange continues to evolve.

We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information. We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information. However, the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold. To help clarify this point, we have modified the definition of "business associate" to generally provide that a business associate includes a person who "creates, receives, maintains, or transmits" (emphasis added) protected health information on behalf of a covered entity.

The efax solutions receive the information and store it on their servers on your behalf. That makes them a BA. So your determination relies on exactly where the fax and SMS data reside. Assuming it includes PHI, then residing on their servers makes them a BA.

Donna Grindle
Founder and CEO
donna@kardoncompliance.com | 678.292.5001, 101
Kardon Compliance | www.kardoncompliance.com
Help Me With HIPAA latest podcast episode: Text messaging is not secure – Ep 129

5.  RE: Electronic communication vendor - will not sign BAA

Posted 7 days ago
Donna and all responders, thank you.



------------------------------
Debbie Henderson
Director of Compliance
San Luis Obispo, CA
------------------------------



6.  RE: Electronic communication vendor - will not sign BAA

Posted 6 days ago
Thanks, Donna, for the excellent explanation. It is much appreciated.

------------------------------
Maryrose Welch CHC
Chief Compliance/Privacy Officer
Riverland Medical Center
Ferriday, LA
------------------------------



7.  RE: Electronic communication vendor - will not sign BAA

Posted 5 days ago
Excellent Donna, thanks.

------------------------------
Carl Russell
Compliance Analyst
Delta Dental of Idaho
Boise, ID

Anything I say is my sole opinion and not of my company.
------------------------------



8.  RE: Electronic communication vendor - will not sign BAA

Posted 7 days ago
Edited by Frank Ruelas 7 days ago
The "we are a conduit" excuse may be one of the most used and abused attempts by a BA to try to convince others that they are not a BA.

Based on your post I would guess with 99.9999999% confidence that this vendor IS a BA and IS NOT a conduit for reasons folks have shared. Now keep in mind, if you go along and do not get a BAA in place, you have now opened the door that any disclosures you make to this vendor are impermissible disclosures and would also represent presumed breaches.

Good post...thanks!

------------------------------
Frank Ruelas
------------------------------



9.  RE: Electronic communication vendor - will not sign BAA

Posted 6 days ago
Frank, pragmatically speaking, would you consider a professional services contract that includes all the elements required in a BAA to be the "written assurances" needed in order to disclose PHI to the vendor? I am looking at this from a perspective that we are not actually calling out the vendor as a BA, but in fact, through the contract language, we are getting our requirements met before disclosing PHI.

------------------------------
David Rothery, CHC
Compliance Officer
Marin County, CA

These are my personal opinions and not those of the County of Marin.
------------------------------



10.  RE: Electronic communication vendor - will not sign BAA

Posted 6 days ago


------------------------------
Frank Ruelas
------------------------------