HIPAA, BAAs and the Conduit Exception*

In this article we will explain HIPAA, BAAs and the Conduit Exception and what they mean for you.

Telnyx Engineering avatar
Written by Telnyx Engineering
Updated over a week ago

What is HIPPA and BAA?

The Health Insurance Portability & Accountability Act (HIPAA) governs the confidentiality and security of personal health information (PHI) within the United States for "covered entities" and their "business associates." HIPAA requires covered entities -  such as healthcare providers, hospital systems and pharmacies -  to implement policies and procedures to ensure the protection of this highly sensitive information. Additionally, the HIPAA rules generally require a covered entity to enter into a Business Associate Agreement (BAA) with certain third-party vendors who access, receive, transmit or store the PHI (aka business associates).

Whether or not a third-party vendor should fall within the definition of a "business associate" and be required to sign a BAA is very fact specific.

What is the Conduit Exception

Some third-party vendors fall within the HIPAA "conduit exception" and are therefore not required to enter into a BAA. Telecommunications companies often fall within this conduit exception.  A BAA is not needed for an individual or organization that  "acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents." Temporarily storing PHI incident to a transmission does not disqualify such an individual or organization from the conduit exception. See Department of Health and Human Services, 78 FR 5571-72.

In general, Telnyx's services fall within this conduit exception under HIPAA, and therefore there is no need for Telnyx to sign a BAA.  However, Telnyx is always happy to further discuss. If you have any additional questions, please reach out to Sales@telnyx.com.

*This is not, and is not a substitute for obtaining, legal advice.

Did this answer your question?