Business Associate vs Conduit
A Business Associate handles PHI on behalf of a covered entity and needs a BAA. A Conduit only transmits PHI without persistent access — and is exempt from BAA requirements.
Last reviewed May 24, 2026
Side by side
Business Associate
A person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity to perform a function or activity regulated by HIPAA.
45 CFR 160.103- Defined at 45 CFR 160.103.
- Requires a BAA.
- Subject to direct HIPAA Security Rule liability since HITECH.
Conduit
A person or entity whose only role is to transmit PHI (and have only transient or random access to the data), like the U.S. Postal Service or an internet service provider acting in that limited capacity.
HHS Conduit Exception (commentary to 78 FR 5571)- HHS conduit exception is narrow — transmission only, no persistent storage.
- Once a vendor stores PHI (even briefly for caching), the exception generally fails.
- Most cloud-storage SaaS vendors are NOT conduits despite vendor claims.
When to use Business Associate
- Any vendor that creates, receives, maintains, or transmits PHI to perform a function — execute a BAA before sharing data.
When to use Conduit
- A transmission-only service that has no persistent access to the content (USPS, telecom carrier acting in its carrier capacity).
Common mistakes
- Treating a cloud storage vendor as a conduit because it offers encryption — HHS has explicitly held the conduit exception does not apply.
- Assuming that no BAA is needed when a vendor sees PHI "only briefly" — persistence is not the test, access is.
- Using a vendor's marketing language to determine BA status rather than the HIPAA definition.
Sources
- HHS — Business Associateshttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
- HHS — Cloud Computing Guidance (conduit exception)https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html
Related
Classify vendors in the SRA readiness check
Open sra studio →D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.