HHS Clarifies that ISPs are not Business Associates under HIPAA

The Department of Health and Human Services (“HHS”) issued a final rule to update its regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). In the final rule, HHS clarifies that data transmission organizations, such as Internet Service Providers (“ISPs”), that do not require access to protected health information (“PHI”) on a routine basis are not “business associates” under HIPAA.

As a result, ISPs that provide data transmission services to hospitals, doctor’s offices, and other “covered entities” under HIPAA can provide these services without adjusting their business operations to comply with HIPAA’s requirements or attempting to treat PHI differently from other data transmitted on the ISPs’ networks. These entities are mere conduits for the transportation of PHI.

However, the final rule also clarifies that ISPs or other data transmission organizations that manage the exchange of protected health information through a network have more than random access to PHI. Examples of these management services include record locator services or oversight and governance functions. As a result, these entities are still considered business associates under HIPAA.