This week, the HIPAA FAQ series continues with a topic about business associate agreements (BAAs). Most Covered Entities and Business Associates are familiar with the general BAA obligations: when a Covered Entity uses a service provider that may have access to Protected Health Information (PHI), a BAA is needed, and when a Business Associate uses a subcontractor that may have access to PHI, a slightly different type of BAA is needed. That said, many entities wonder whether a BAA is needed with a mail carrier. When a Covered Entity or Business Associate transports PHI by mail using the U.S. Postal Service, United Parcel Service, or a similar service, does HIPAA require a BAA to be in place?
Generally speaking, service providers that act as mere conduits of information and that do not have access to such information other than on a random and infrequent basis are not considered Business Associates and thus do not have to sign BAAs. This narrow conduit exception also applies to the electronic equivalent of mail carriers, such as internet service providers. Paper mail carriers and internet service providers generally do not have access to the information they transport. Entities sending mail do not intend for their couriers to access the content of their packages, and the probability of disclosure is low. Therefore, paper mail carriers and internet service providers are not required to sign BAAs when their service offering is limited to acting as a conduit.
It is important to note that this conduit exception does not extend to cloud service providers, which will be covered in more detail next week.