In my previous post, I left open the question of whether UPS is on the hook under HIPAA for the box of medical records that ended up in a paper scrap resale warehouse.  The short answer is no, not under HIPAA.

The federal government has expressly stated that mail carriers are not considered business associates under the HIPAA Privacy Rule when they handle protected health information on behalf of a covered entity provider.  It addressed this exact issue in its guidance document published on December 3, 2002.  There, the question posed and the government’s answer were as follows:

Q:  Are the following entities considered "business associates" under the HIPAA Privacy Rule:  US Postal Service, United Parcel Service, delivery truck line employees and/or their management?

A:  No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information.  A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law.  Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.

As such, UPS had no direct legal obligation under HIPAA or as a Business Associate to safeguard the medical records in the hospital’s box.  A covered entity may, however, attempt to impose additional obligations on its delivery service carriers through contract terms, if possible.