---
title: HHS Clarifies that ISPs are not Business Associates under HIPAA
date: 2013-02-08T15:37:57-05:00
author: Import Bot
canonical_url: "https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/hhs-clarifies-that-isps-are-not-business-associates-under-hipaa"
section: Blog Posts
---
# HHS Clarifies that ISPs are not Business Associates under HIPAA

 February 8, 2013

 

 

 

 

 

 

The Department of Health and Human Services (“HHS”) issued a [final rule](http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf) to update its regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). In the final rule, HHS clarifies that data transmission organizations, such as Internet Service Providers (“ISPs”), that do not require access to protected health information (“PHI”) on a routine basis are not ​“business associates” under HIPAA.

As a result, ISPs that provide data transmission services to hospitals, doctor’s offices, and other ​“covered entities” under HIPAA can provide these services without adjusting their business operations to comply with HIPAA’s [requirements](http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html) or attempting to treat PHI differently from other data transmitted on the ISPs’ networks. These entities are *mere conduits* for the transportation of PHI.

However, the final rule also clarifies that ISPs or other data transmission organizations that *manage* the exchange of protected health information through a network have more than random access to PHI. Examples of these management services include record locator services or oversight and governance functions. As a result, these entities are still considered business associates under HIPAA.

 

 **Tags:** [Privacy and Information Security](https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/tags/privacy-and-information-security)

 

 - Share this entry 
    - 
    - 
    - 
    -
- [  View entry pdf ](https://s3.amazonaws.com/cdn.kelleydrye.com/content/uploads/pdf-snapshots/hhs-clarifies-that-isps-are-not-business-associates-under-hipaa-20230914233119.pdf)
 
 

### Search Blog

  

### Subscribe

  

### Explore Topics

- [Privacy and Information Security](https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-and-information-security)
 
 

### Related Services

- [Advertising and Marketing](https://www.kelleydrye.com/practices/advertising-and-marketing)
