Comparison · Privacy

Business Associate vs Conduit

A Business Associate handles PHI on behalf of a covered entity and needs a BAA. A Conduit only transmits PHI without persistent access — and is exempt from BAA requirements.

Last reviewed May 24, 2026

Side by side

Option A

Business Associate

A person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity to perform a function or activity regulated by HIPAA.

45 CFR 160.103
  • Defined at 45 CFR 160.103.
  • Requires a BAA.
  • Subject to direct HIPAA Security Rule liability since HITECH.
Option B

Conduit

A person or entity whose only role is to transmit PHI (and have only transient or random access to the data), like the U.S. Postal Service or an internet service provider acting in that limited capacity.

HHS Conduit Exception (commentary to 78 FR 5571)
  • HHS conduit exception is narrow — transmission only, no persistent storage.
  • Once a vendor stores PHI (even briefly for caching), the exception generally fails.
  • Most cloud-storage SaaS vendors are NOT conduits despite vendor claims.
BAA required
BAYes
ConduitNo — but the exception is narrow
PHI access
BAPersistent or repeated, to perform a function
ConduitTransient, transmission-only
Example
BAEHR vendor, billing service, transcription, IT MSP
ConduitUSPS, FedEx, telecom carrier (transmission only)
Cloud storage SaaS
BAYes — cloud-storage SaaS is a BA per HHS guidance
ConduitGenerally not — even encrypted cloud storage exceeds transient access

When to use Business Associate

  • Any vendor that creates, receives, maintains, or transmits PHI to perform a function — execute a BAA before sharing data.

When to use Conduit

  • A transmission-only service that has no persistent access to the content (USPS, telecom carrier acting in its carrier capacity).

Common mistakes

  • Treating a cloud storage vendor as a conduit because it offers encryption — HHS has explicitly held the conduit exception does not apply.
  • Assuming that no BAA is needed when a vendor sees PHI "only briefly" — persistence is not the test, access is.
  • Using a vendor's marketing language to determine BA status rather than the HIPAA definition.

Sources

Take it into the workspace

Classify vendors in the SRA readiness check

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.