First, let's clarify exemption. There is no exemption, per se, under HIPAA for traditional lockbox services. What makes HIPAA inapplicable in most cases is that the lockbox operator is not handling Protected Health Information (PHI) - which keeps the operator outside the definition of "business associate" and hence no HIPAA coverage. It is conceivable, however, that an operator might offer its clients additional lockbox services like handling correspondence or imaging EOBs (both of which may contain PHI) that could land them under the business associate definition and back under the HIPAA tent.
Now to your question. If you are a lockbox operator that makes, stores, or sends electronic data including images, then in my opinion you should still comply as a best practice with the requirements of the HIPAA security rules for the protection and transmission of data even if you believe you are not a business associate.
_________________________
Opinions are mine, not my employer's, and should not be taken as legal advice.