Best Practices

Cloud Computing and Conduits


When Congress passed HIPAA back in 1996, the Internet was in its infancy. What we know today as Google was a mere graduate research project. “Going online” more often than not required a modem and an AOL account. Computer data storage was performed locally, and the idea of cloud-based computing was, if anything, best suited to sci-fi movies.

Of course, thanks to Moore’s law, the computing world has changed drastically in the last 17 years. HIPAA, on the other hand, has not. So, when HHS released its long-awaited HIPAA Omnibus Rule at the end of January, the law had quite a bit of catching up to do with the technology that had outpaced it. Cloud computing, a relatively new phenomenon, was one such topic that the Omnibus Rule addressed.

What the Conduit Rule Entitles Organizations To

For years, cloud-based healthcare vendors had tried to avail their organizations of the conduit exception to HIPAA. Broadly speaking, the conduit rule exempts entities from complying with HIPAA if they only transmit and do not access PHI (usually on behalf of a Covered Entity). In the buildup to the Omnibus Rule, PHR vendors, data storage companies, and other cloud-based providers lobbied HHS to broaden the scope of the conduit exception. HHS did not relent, however; in the final rule it narrowed the exception even further. The exception is only to be applied to electronic data transmission services (such as internet service providers) and their physical mail courier equivalents (such as USPS). In the post-Omnibus world, storing data – however briefly – will almost certainly make you a Business Associate.

The Meaning for Cloud-Based Healthcare Vendors

So what does this mean for cloud-based healthcare vendors and their customers? Simply put, HHS has definitively labeled these entities as Business Associates, and Covered Entities should consider themselves on notice. If you are the CIO of a large healthcare organization that has outsourced its data storage needs to a third-party cloud provider, you had better make sure you have a BAA in place with your vendor. OCR is actively searching out HIPAA noncompliance through its rapidly expanding audit program, and the nonexistence of a BAA is one of the most frequently cited concerns. Perhaps even more important is the need to monitor these Business Associates for their compliance with the law.

Vendor management should always be a priority for healthcare managers. The recent changes to HIPAA via the curtailing of the conduit exception should prompt managers to reevaluate their provider rosters.

Frequently Asked Questions


The conduit exception exempts entities from HIPAA compliance if they only transmit PHI without accessing it. After the Omnibus Rule, only electronic data transmission services like ISPs and physical mail couriers like USPS qualify for this exemption.

Yes, cloud storage providers are definitively classified as Business Associates under the post-Omnibus HIPAA rules. Healthcare organizations must have signed BAAs in place with all cloud-based vendors that store PHI, regardless of duration.

The absence of a BAA is one of the most frequently cited violations during OCR audits. Healthcare organizations face significant penalties and regulatory scrutiny if they lack proper Business Associate Agreements with cloud providers.

The Omnibus Rule narrowed the conduit exception, making it clear that storing data even briefly qualifies entities as Business Associates. This definitively brought cloud-based healthcare vendors under HIPAA's Business Associate requirements.

CIOs must ensure all cloud vendors have signed BAAs and implement ongoing vendor management programs to monitor Business Associate compliance. They should also reevaluate their current provider rosters in light of the updated HIPAA requirements.

Written by Krishna Kurapati, Founder & CEO of QliqSOFT, with 20+ years of healthcare technology experience.
