Why Conduit Service Won’t Keep Your Business Communications HIPAA Compliant

Conduit service is NOT HIPAA CompliantWhat is “HIPAA conduit service?” And will it protect the HIPAA compliance of my company’s business phone service, faxes or unified communications? I’ve been getting this question a lot lately, since apparently some of 8x8’s business VoIP competitors recently started offering something they call “conduit service.” For the protection of all the businesses looking for a way to comply with the recently beefed-up enforcement of tighter HIPAA/HITECH regulations—which now affect whole categories of businesses that never had to comply before—I have both a warning and a story that explains why 8x8 rejected a similar idea several years ago.

What is HIPAA Conduit Service?

One business VoIP provider that offers such “conduit service” says that they will disable automatic forwarding of messages to email, disable business SMS texting, and delete faxes, voicemail, and recordings after 30 days. What kind of protection could turning off these features possibly offer? Let’s look more closely.

Business VoIP Provider Tries to Exploit a HIPAA Exemption

The term “conduit service” appears to be an attempt to exploit something called the “conduit exemption” of the Health Insurance Portability and Accountability Act (HIPAA), which provides federal protections for Personal Health Information (PHI). As of January 2013, HIPAA covers not just the traditional “covered entities” such as medical providers and payers, but any of the entire chain of third parties that create, receive, maintain or transmit PHI.

Since telecommunications providers clearly “transmit” and “receive” information of all kinds, for countless insurance companies, legal offices, hospitals, medical offices—and many businesses that do business with  them—they fall into the category of “business associates” of any company that’s trying to comply with HIPAA.

Any business that is covered by HIPAA, in other words, needs to make sure that its unified communications providers are HIPAA-compliant business associates as well. It’s kind of like a chain, where you don’t just need to check the strength of one length, but of all of them. Any weak link makes the HIPAA compliance chain fall apart, making the whole system noncompliant.

You Still Need a Business Associate Agreement for HIPAA Compliance

The term “unified communications provider” can include the providers of fax services, web meeting systems, and recording services, as well as business phone service. That means that business phone service companies, including business VoIP providers fall under the HIPAA definition of “business associate.”

And if HIPAA compliance is important to your business, you’d need to get a Business Associate Agreement from all of your business associates—including telecommunications or business VoIP providers—to protect your business from losing its HIPAA compliance.

But, there is a recognized legal exemption for something called a “mere conduit.” If the information is just passing through—and doesn’t get stored, manipulated or altered—the entities that just let it pass through their systems don’t have HIPAA compliance obligations to that information. They are just allowing it to move through their systems, like a conduit pipe lets water move through it.

Why Business VoIP ‘Conduit Service’ Is So Misleading

By claiming that they are “mere conduits,” telecommunications firms offering “conduit service” are apparently trying to imply that they fall under the “conduit exemption.” If a business VoIP firm could make such a claim, then countless companies would not have to get a business associate agreement attesting to their compliance. That would certainly make life a lot easier for the business VoIP provider.

A Dubious ‘Exemption’ for Business VoIP Providers

But the problem is, if a fax or voice mail is stored for 30 days, it’s not just “transmitted.” It’s being “received” and stored for 30 days. Since the law has held that persistent storing of HIPAA-protected information for any significant period of time disqualifies an entity from claiming the mere-conduit exemption, it’s extremely doubtful that conduit service would hold up as a protection or a substitute for a business associate agreement from a truly HIPAA compliant business VoIP provider.

How Do We Know All This?

8x8 is a HIPAA-compliant VoIP provider, and has been for a long time. Our compliance has been independently verified, and we offer Business Associate Agreements that document and protect our customers’ HIPAA compliance from jeopardy from their unified communications services.

A HIPAA-compliant Unified Communications Provider’s Story

However, I can tell you that compliance is a long, hard road for any business VoIP provider. We actually evaluated the idea of something very similar to the “conduit service” described, but decided against it, because we realized that:

  • Just disabling a few services doesn’t buy you HIPAA compliance. If it were that easy, all business VoIP providers could comply. It isn’t, and they don’t.
  • There are literally dozens of controls on back-end systems that the business VoIP provider must put in place to achieve compliance and protect customers. The VoIP provider needs to be able to pass an audit of its own compliance before it can issue Business Associate Agreements. This includes having physical, administrative and technical standards; compliant policies and procedures; and training, monitoring, and sanctions for violations. Only after third-party validation can a VoIP provider convincingly offer HIPAA-compliant unified communications, business phone service and contact center software.
  • We’d still have to put in place audit controls, policies and procedures, standards, training, monitoring, governance, and sanctions to truly protect our customers’ compliance. Anything less, in my opinion, would amount to “security-and-compliance” malpractice.
  • We would still have needed to engineer our solutions to not only be compliant, but to be easy for our customers to use and incorporate into their own compliance processes.
  • We also offer FISMA compliance, so we had to go far beyond even what we do for HIPAA anyway. 8x8 firmly believes that our business customers want and need more security and compliance from unified communications providers. We not only wanted to meet those needs; for our customers’ peace of mind, we wanted to surpass them.
  • We also needed to do the work required to show that all of the third parties WE do business with won’t jeopardize our compliance, or yours.
  • We wanted to pass yearly audits of our compliance. We need to show that we are ever vigilant with our personnel, policies and procedures.

Why 8x8 Took the High Road to HIPAA Compliance—And Succeeded

For all of these reasons and more, 8x8 decided not to offer a service consisting only of feature disablement. And now that we’ve done the extensive work and are HIPAA-compliant ourselves, we understand the desire to find a short road or a quick fix. But unfortunately, there aren’t any.

And relying on a so-called “conduit service” is a lot like buying a top-floor penthouse with a fake balcony rail—it looks great until you really need to rely on it.

The REAL Questions to Ask Your Unified Communications Provider

There is no quick way around implementing the rules, policies, procedures and technology required to comply with HIPAA—or any other regulation or standard. (8x8 also complies with FISMA, FIPS and more than half a dozen other regulations and standards.)

For HIPAA compliance, you need to pick a provider that doesn’t just claim to provide compliant services, but will put it in writing, with a Business Associate Agreement. Here are seven other HIPAA compliance questions to ask, as well. 8x8 also offers several whitepapers on HIPAA, security, reliability and general compliance. And don’t let anyone cut corners on your HIPAA compliance.


Mike McAlpen


Mike McAlpen is the Executive Director of Security and Compliance at 8x8, one of the largest US VoIP providers for business. Prior to this, Mike was a business leader with Visa, Inc. Global Information Security and Compliance. Before this Mike was a leader in HP Professional Services Information Security, CIO/CISO Advisory and other services for nearly 12 years. Mike is a frequent Information Security speaker, a three-term IT Services Management Foundation President, on the Board of Directors of the Silicon Valley ISSA, and active in ISACA, FBI/DHS InfraGard, U.S. Secret Service’s Cyber Crime Task Force and the American Bar Association Science and Technology Section’s Information Security Committee. [...] Read More >

  • icon-gray-linkedin.png