The HIPAA conduit exemption is a narrow carve-out in the HIPAA Privacy and Security Rules. It says that if an entity merely transports protected health information (PHI) from point A to point B without storing it or having routine access to it, that entity is not considered a business associate and therefore doesn’t need a Business Associate Agreement (BAA).
Classic examples:
- The U.S. Postal Service
- UPS, FedEx
- Certain “dumb pipe” telecom carriers that transmit but do not store or inspect data
The exemption exists because these entities are like couriers: they deliver sealed envelopes without reading or retaining the contents.
Why USPS’s Mail Scanning Breaks the Analogy
Historically, USPS could claim “pure conduit” status — they didn’t store or examine mail content beyond operational necessity.
But now? With Informed Delivery, USPS:
- Digitally scans the outside of your mail and packages.
- Stores that image data (at least temporarily).
- Distributes that scan electronically to you before the mail physically arrives.
That’s not just transporting. That’s creating, retaining, and transmitting a derivative of the mail content. Even if the scan is “only” of the envelope exterior, it still contains personally identifiable information (names, addresses, senders) and could be linked to PHI if the sender is a healthcare provider or insurer.
In HIPAA terms, that’s no longer a “transient pass-through.” It’s data handling — and data handling is the territory of a business associate, not a conduit. So, once an entity stores, scans, indexes, or otherwise accesses PHI in a non-transient way (like USPS’s Informed Delivery or telecoms storing call logs), the conduit exception no longer applies. That entity must be treated as a business associate and enter into a BAA.
Why This Makes the Conduit Exemption Outdated
HIPAA’s conduit carve-out assumes:
- No persistent storage
- No routine access
- No modification or secondary use of the data
But modern communications and delivery systems — USPS, cloud telephony, VoIP, messaging — almost always retain metadata or create accessible copies in the normal course of operation.
Example: A VoIP provider claiming conduit status while storing call detail records (CDRs) — which include originating number, terminating number, and timestamps — is functionally retaining PHI metadata if either number belongs to a patient or healthcare provider. Under HIPAA’s definitions, this metadata is still PHI when tied to a healthcare context. Storing it breaks the “pure conduit” model.
Bottom Line
The conduit exemption was written for a pre-cloud, pre-digital-imaging world. Once an entity:
- Scans
- Stores
- Indexes
- Provides searchable access

… it is no longer a conduit; it is a data handler under HIPAA, with all the obligations that entails. CDRs and today’s AI-enabled transcription or agentic AI bots clearly move telecom carriers past the exemption.
That’s why, in today’s infrastructure, claiming conduit status while storing logs or scanned data is not just outdated — it’s legally shaky and operationally misleading.
If USPS can’t claim it anymore, neither can call log–keeping “conduit” telecoms.