A FedEx driver picks up a sealed box of patient records from a hospital's loading dock every Tuesday at 3 p.m. A medical courier transports lab specimens across town in a locked container. A rideshare driver takes a patient home after outpatient surgery. All three handle something connected to protected health information — but HIPAA treats each of them very differently.
If you've ever asked under which HIPAA exception drivers can handle PHI without becoming a business associate, you're asking the right question. The answer hinges on a single concept most organizations get wrong: the conduit exception. Misunderstanding it has cost covered entities hundreds of thousands of dollars in enforcement actions.
The Conduit Exception: The Rule That Protects Most Drivers
The HIPAA Privacy Rule recognizes that PHI has to move from Point A to Point B. Mail carriers, couriers, and certain electronic transmission services physically handle PHI as part of delivery — but they don't access, use, or alter it. HHS specifically carved out the conduit exception for exactly this scenario.
Under the conduit exception, a transportation entity that merely moves sealed PHI — without opening, reading, or storing it beyond what's needed for transport — is not considered a business associate. This means no Business Associate Agreement (BAA) is required.
The conduit exception appears in the preamble to the 2013 HIPAA Omnibus Rule. HHS explained it plainly: entities that transport PHI but do not access it other than on a random or infrequent basis are conduits, not business associates. You can review the regulatory language directly in the HHS Combined Regulation Text.
Under Which HIPAA Exception Do Drivers Fall? A Direct Answer
Drivers fall under the conduit exception to the business associate definition when they transport sealed, secured PHI without accessing its contents. This applies to USPS mail carriers, FedEx and UPS drivers, medical couriers transporting locked containers, and similar transport services. They do not need a BAA, and the covered entity is not required to treat them as business associates — as long as the PHI remains sealed and the driver has no reason to access it.
The moment a driver routinely accesses, stores, or processes PHI beyond simple transport, the conduit exception evaporates. That driver's employer becomes a business associate, and a BAA becomes mandatory.
Where the Line Gets Dangerously Thin
I've seen organizations assume every courier is a conduit. That assumption is a compliance landmine.
Consider a medical records delivery company that stores patient files in a warehouse overnight before final delivery. That company is no longer just transporting PHI — it's maintaining it. Storage beyond what's temporarily needed for transport pushes an entity out of conduit status and squarely into business associate territory.
The same applies to drivers who log patient names, scan barcodes tied to patient identifiers, or use apps that store ePHI. If the driver or their employer's system touches identifiable health data in any meaningful way, the conduit exception no longer applies.
Rideshare and Non-Emergency Medical Transport
This is where it gets interesting. Non-emergency medical transport (NEMT) companies often receive patient names, pickup addresses, appointment details, and diagnosis codes to schedule rides. That's PHI. These companies are business associates, full stop.
A standard rideshare driver who gets a pickup ping with no health information attached? Likely a conduit. But an NEMT driver whose dispatch app displays the patient's name and reason for visit? That company needs a BAA with the covered entity.
OCR has not issued a specific enforcement action solely about NEMT drivers, but the OCR Resolution Agreements page is filled with cases where organizations failed to execute BAAs with vendors who clearly accessed PHI. The lesson applies directly.
The $1.5 Million Mistake: Ignoring Business Associate Requirements
In 2018, OCR settled with Advanced Care Hospitalists (ACH) for $500,000 after a business associate — a billing company — accessed patient records without a proper BAA in place. ACH didn't monitor the relationship, didn't have the agreement signed, and didn't discover the problem until 9,255 patients' PHI had been compromised.
Now imagine a covered entity that uses a medical courier service storing PHI overnight, scanning patient barcodes, and emailing delivery confirmations with patient identifiers — all without a BAA. That's the same regulatory failure. The conduit exception doesn't protect you when the entity you hired crosses the line from transport into data handling.
How to Determine If Your Drivers Qualify for the Conduit Exception
I walk clients through a simple three-question test:
- Does the driver or their employer access the contents of what they transport? If yes, they're not a conduit.
- Does the driver's employer store PHI beyond the time needed for delivery? If yes, they're not a conduit.
- Does the driver's technology (apps, scanners, dispatch systems) capture or display PHI? If yes, they're not a conduit.
If all three answers are no, the conduit exception likely applies. If any answer is yes, you need a BAA and the full business associate compliance apparatus — risk assessments, breach notification obligations, and workforce training for that vendor's staff.
What Covered Entities Must Do Right Now
Most healthcare organizations use some type of courier, transport, or delivery service. Here's what I tell every compliance officer I work with:
1. Audit Every Transport Relationship
List every entity that physically moves PHI for your organization. Include mail services, courier companies, NEMT providers, lab specimen transporters, and even internal drivers. Classify each one as either a conduit or a business associate using the three-question test above.
2. Execute BAAs Where Required
If a transport vendor stores, accesses, or processes PHI in any way beyond momentary delivery, get a BAA signed immediately. Document the arrangement. OCR expects you to have these agreements in place before PHI changes hands.
3. Train Your Workforce on the Distinction
Your staff — from the front desk to the loading dock — needs to understand when a driver is a conduit and when they're a business associate. They need to know that handing unsealed patient records to a courier without verifying the relationship is a compliance violation waiting to happen.
This is exactly the kind of nuance that gets lost without proper training. Our HIPAA training catalog covers business associate rules, the conduit exception, and PHI handling procedures in detail — built for the real-world scenarios your team actually faces.
4. Secure PHI Before It Leaves Your Facility
Sealed containers, locked bags, tamper-evident packaging — these aren't optional. They're what keep a transport relationship within the conduit exception. If PHI is accessible during transport because your organization didn't seal it properly, you've created the breach, not the driver.
The Breach Notification Trap Most People Miss
Here's what catches people off guard: if a conduit loses your sealed package of patient records, who has the breach notification obligation?
You do. The covered entity.
Because a conduit isn't a business associate, they have no obligation under the HIPAA Breach Notification Rule to notify you or HHS. You bear the entire burden. That's why securing PHI before transport and tracking deliveries isn't just good practice — it's your only safety net.
If the entity is a business associate with a signed BAA, they're obligated to notify you of a breach within the timeframe specified in your agreement (no later than 60 days under the HIPAA rule). That notification triggers your own 60-day clock to inform affected individuals and HHS.
Understanding these obligations is non-negotiable for compliance teams. Our workforce training programs walk through breach notification scenarios step by step, including transport-related incidents.
The Bottom Line for 2026 Compliance
Under which HIPAA exception do drivers handle PHI without becoming business associates? The conduit exception, but only when transport is truly limited to moving sealed PHI from one place to another without accessing, storing, or processing it.
The moment that line is crossed, the full weight of HIPAA's business associate requirements kicks in. BAAs, risk assessments, breach notification chains, and workforce training all become mandatory.
Don't guess where your transport vendors fall. Audit the relationships. Document your conclusions. Train your people. The conduit exception is narrow by design — and OCR expects you to know exactly where you stand.