Health Information Compliance Alert

Published on Mon Feb 07, 2022 PDF

Question: With all the concerns over cybersecurity issues over the last couple of years, we were wondering about our internet service provider (ISP). Do we need to write up a business associate agreement (BAA) and have our ISP sign it?

Montana Subscriber

Answer: No, you do not because the HHS Office for Civil Rights (OCR) doesn’t consider an ISP to be a business associate (BA). An ISP that only provides internet for transmission purposes, similar to the U.S. Postal Service or other mail servicers, is a conduit, according to HIPAA Omnibus Rule guidance. When an ISP merely transmits data and doesn’t have any access to patients’ protected health information (PHI), its activity is covered under the HIPAA Conduit Exception Rule, part of the larger HIPAA Privacy Rule.

But: Here’s where it gets tricky. If your internet vendor also happens to provide your organization with email or cloud services, then it is a BA. Cloud service providers (CSP), messaging companies, fax services, and the like handle ePHI; thus, they must abide by the HIPAA rules as BAs.

“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA,” OCR clarifies.

Tip: As with many other federal regulations, nuances exist. As part of your annual risk analysis, you might want to consider adding vendor assessment to the compliance checklist. This will allow you to review your present partners and vendors to see whether a business associate agreement (BAA) is necessary.

Another reason to update your BA list and BAAs annually is to avoid OCR scrutiny. One of the first things the agency does after a HIPAA breach occurs is look at your risk management practices. BA-related mishaps fall on CEs’ shoulders, so it’s essential that you make your agreements airtight.