Note: This statement is being provided to you because you have indicated that you use or wish to use A5 Fax® for the purpose of sending and/or receiving faxes that may include “protected health information” under HIPAA/HITECH, and not for the purpose of storing any such faxes. Use of other A5 Apps services or the use of A5 Fax® to store such faxes may raise additional concerns, and must be addressed separately. This statement applies only to customers who are “covered entities” and/or “business associates” under HIPAA, as those terms are defined therein. If you are not such an entity, then this statement does not apply to you.
The purpose of this statement is to explain (i) A5 Apps status under HIPAA1 and the HITECH Act2 in providing fax transmission services to you and, (ii) that HIPAA does not require you to enter into a “business associate agreement” (“BAA”) with A5 Apps in order to use these services.3 By way of summary, HIPAA’s Privacy and Security Rules (“Final Rules”), which are attached hereto as Exhibit A (see highlighted text), make clear that in providing transmission services – that is, services that allow you to send and receive faxes – Ramsey is not performing any services that would render it a “business associate” under HIPAA. This is because the Final Rules specifically provide that “data transmission organizations” like A5 Apps that “do not require access to protected health information on a routine basis” are “not [to] be treated as business associates” because they are acting as “mere conduits” with respect to the “protected health information” (“PHI”) at issue. As such, HIPAA does not require you to enter into a BAA with A5 Apps, and you are free to avail yourself of the A5 Fax® service without having such an agreement in place.
The Limited Scope of HIPAA’s BAA Requirement
HIPAA does not require a “covered entity” and/or “business associate” to enter into a BAA with each and every vendor that might receive PHI. Rather, HIPAA’s BAA requirement applies only where the vendor, by virtue of the services that it is providing, qualifies as the “business associate” of a “covered entity” or a “subcontractor” of a “business associate,” which effectively puts the “subcontractor” on equal footing with a “business associate.” If the vendor does not so qualify, then HIPAA does not require the “covered entity” to enter into a BAA with that vendor.
A5 Apps Status Under HIPAA
The Final Rules make clear that the A5 Fax® service provided by A5 Apps is not one that requires “covered entities” or “business associates” to enter into a BAA with A5 Apps. The Final Rules clarify that “data transmission organizations” like A5 Apps that “do not require access to [PHI] on a routine basis” are “not [to] be treated as business associates.” As the Final Rules explain, this clarification is consistent with the Department of Health and Human Services’ longstanding interpretation of the definition of “business associate” as excluding “entities that act as mere conduits for the transport of [PHI] but do not access the information other than on a random or infrequent basis.” Specifically, the Final Rules provide that such conduit services, which expressly include electronic courier services, do not entail “‘access on a routine basis’ to [PHI],” which comprises a necessary condition for “business associate” status. Furthermore, to the extent that A5 Apps must occasionally access faxes transmitted by you over A5 Apps’ network (e.g., as part of an effort to verify that our customers’ faxes are arriving at their intended destinations), the Final Rules are clear that such “occasional, random access” falls short of the requisite “routine” access. Thus, the Final Rules conclusively establish that A5 Apps is not acting as your “business associate” in providing fax transmission services to you.
1 The Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
2 The Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009.
3 The purpose of this statement is purely informational. This statement is provided as part of A5 Apps business negotiations with you and neither constitutes nor should be viewed or relied on as legal advice by you or anyone else. Neither A5 Apps nor its attorneys are acting as your attorney.
In Light of A5 Apps’ Status, a BAA is Not Required
Because A5 Apps is not acting as your “business associate” in providing fax transmission services to you, HIPAA imposes no obligation on you (or A5 Apps) to enter into a BAA.
See this article for A5 Fax App Security Statement