Confidentiality Agreements with Vendors

Vendors that do not access, use, or disclose patient information will not be considered business associates.

Certain types of vendors do not require access to patient information in order to perform a service for your practice. Vendors that do not access, use, or disclose patient information will not be considered business associates. It would be a mistake to have them sign a business associate agreement, because such an agreement imposes obligations that do not apply to a vendor you do not intentionally provide with access to patient information. However, if a vendor will not be supervised (and works in areas where patient information could be accessed), or comes into the facility after hours when no one is there, there are steps you should take to protect the confidentiality of patient information.

Neither the Privacy Rule nor the Security Rule specifically mandates the use of a “Vendor Confidentiality Agreement” with vendors that are not business associates. However, such an agreement is designed to help you ensure that your PHI is not improperly accessed, used, or disclosed by the vendor. A signed confidentiality agreement demonstrates that you have taken steps to inform the vendor that any incidentally viewed PHI must be kept confidential and not used or disclosed.

The most common examples of vendors that should sign a Confidentiality Agreement are contracted cleaning services and landlords, because they often come into the facility when you are not there. If you have a cleaning service, but they are only present when you are in the facility, or your landlord never enters without you being present, a vendor confidentiality agreement may not be necessary.

Similarly, an agreement is not needed with vendors such as pharmaceutical reps, who come into the practice, are escorted to a location to meet with someone, and are supervised during their visit. However, if the rep stocks sample cabinets independently, and those cabinets are located in areas in which patient information could be viewed, then it would be wise to put a vendor confidentiality agreement in place.

Other safeguards to consider include:

  • not leaving patient information out on desks, particularly after hours;
  • placing documents containing patient information into locked cabinets whenever possible;
  • emptying shredding bins into a secure area at the end of every work shift;
  • logging off all workstations when walking away from the station and at the end of the work shift (automatic logoff may also be in place);
  • having blur screens or shields in place on workstations that are in publicly accessible areas.

Take a moment to assess your vendors to determine whether there are any with which you should have a Vendor Confidentiality Agreement. If you are a subscriber to the HIPAA Compliance System, you have Form 7.12, Vendor Confidentiality Agreement, for this purpose.