The HIPAA Final Omnibus Rule has an extensive explanatory discussion by the Department of Health and Human Services (HHS). It talks about the “mere conduit” exception, where a service provider only passes through protected health information. A phone-only service would be a mere conduit. But with voicemail and call recording—two facets of most VoIP-enabled unified communications services—it goes beyond that. HHS emphasized that persistent data storage means an entity is “maintaining” protected health information, and thus triggers Business Associate status. Also, HHS says in that document that the mere conduit exception is a narrow one. So, there is no doubt that HHS is going to conclude that VoIP providers’ services are HIPAA-regulated, and “conduit service” is not going to get anyone off the hook. Companies doing business with non-compliant VoIP providers are probably not going to “get a break” on this one, either.