Post Date: July 8, 2026 ┃

When are Medical Couriers Considered HIPAA Business Associates?

Medical couriers are always considered HIPAA Business Associates when they transport Protected Health Information on behalf of a HIPAA covered entity, because they are assumed by regulators to have operational access to PHI as an inherent feature of their service. No medical courier delivery arrangement, operational structure, or service description removes that classification or places a medical courier outside the Business Associate compliance framework.

The conduit exception that excludes purely passive transmission services from Business Associate status does not apply to medical couriers, because couriers exercise physical custody and operational control over materials that contain PHI during collection, transport, and delivery in ways that go beyond the narrow transmission function the exception was designed to address. A medical courier organization that has not executed a Business Associate Agreement with each covered entity it serves is disclosing PHI without a lawful basis for that disclosure, and both parties carry regulatory exposure as a result. The HIPAA Journal’s HIPAA Certification for Medical Couriers gives individual medical couriers documented proof that they understand the HIPAA rules and regulations applicable to their role.

Are you a Self Employed Medical Courier?

Learn about HIPAA Certification for Medical Couriers or make a single seat course purchase of our HIPAA Certification for Medical Couriers course

Learn More

Do you Need HIPAA Training for Your Employees?

Learn more about HIPAA Training for Medical Couriers or purchase multiple seats of our HIPAA for Medical Courier Employees Course

Learn More

PJ Murray

Author: PJ Murray

PJ Murray is the founder and publisher of The HIPAA Journal. He has more than 10 years of experience writing about HIPAA, healthcare compliance, patient privacy, and the protection of medical records. Through The HIPAA Journal, PJ helps healthcare organizations, business associates, and their employees better understand HIPAA regulations, reduce compliance risks, and strengthen the safeguards used to protect patient information. PJ has a background in software development, holds an engineering degree, and specializes in the cybersecurity aspects of HIPAA compliance, including data security, medical record protection, and workforce training. He has also played a leading role in the development and launch of The HIPAA Journal Training, which provides HIPAA and cybersecurity training for healthcare organizations, business associates, students, and healthcare-related workforces. His work focuses on making complex regulatory and technical requirements easier for healthcare professionals and organizations to understand and apply in practice.
You can connect at LinkedIn.