The Health Insurance Portability & Accountability Act (HIPAA) governs the confidentiality and security of personal health information (PHI) within the United States for "covered entities" and their "business associates." HIPAA requires covered entities - such as healthcare providers, hospital systems and pharmacies - to implement policies and procedures to ensure the protection of this highly sensitive information. Additionally, the HIPAA rules generally require a covered entity to enter into a Business Associate Agreement (BAA) with certain third-party vendors who access, receive, transmit or store the PHI (aka business associates).
Whether or not a third-party vendor should fall within the definition of a "business associate" and be required to sign a BAA is very fact-specific.
Some third-party vendors fall within the HIPAA "conduit exception" and are therefore not required to enter into a BAA. Telecommunications companies often fall within this conduit exception. A BAA is not needed for an individual or organization that "acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents." Temporarily storing PHI incident to a transmission does not disqualify such an individual or organization from the conduit exception. See Department of Health and Human Services, 78 FR 5571-72.
In general, Telnyx's services fall within this conduit exception under HIPAA, and therefore there is no need for Telnyx to sign a BAA. However, Telnyx is always happy to discuss this further. If you have any additional questions, please reach out to Sales@telnyx.com.
*This is not, and is not a substitute for obtaining, legal advice.