Business Associates vs. Vendors

Most covered entities have business relationships with vendors or service providers that fall into the category of business associates, as defined by HIPAA rules. The factor that will decide whether or not there is a business associate relationship with a particular service provider is whether the individual or entity handles protected health information (PHI) as part of the services that they provide to the practice. 

Business Associates

Following is a definition of a business associate, according to the Privacy Rule:

Business Associates – In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. 

Examples of business associates include:

  • Companies that help doctors get paid for providing health care, including billing or collection companies and companies that process health care claims
  • People like outside lawyers, accountants and IT specialists (if their work requires access to or disclosure of PHI)
  • Companies that store or destroy medical records, such as shredding companies, storage facilities (for paper records) and cloud-based data storage vendors (for electronic records)
  • Companies that provide data transmission services with respect to PHI, such as secure email or Internet-based fax services
  • Voice Over Internet Protocol (VOIP) phone service providers
  • Companies that provide phone answering, mailing or transcription services

It is not necessary that the entity use the protected health information, but only that your practice intentionally provides access to or discloses it to the business associate as part of the service relationship. For example, although a cloud-based data storage company may simply store data (that contains PHI) for the practice and does not use it, the covered entity has made an intentional disclosure of PHI to the company and in turn it is providing the service of storage to the covered entity. Therefore, the data storage company is considered a business associate subject to HIPAA rules. It is very important to establish a written Business Associate Agreement with such entities prior to disclosing PHI to them.

Vendors

There are some entities that may have inadvertent access to PHI due to their presence in your practice, such as janitorial staff or a pharmaceutical rep, that are not considered business associates. In most cases these vendors will only have incidental access, such as overhearing a part of a conversation concerning a patient or seeing a patient’s name on a chart. Protected health information is not intentionally disclosed to these entities, nor are they provided with persistent access to it. And, as long as the covered entity has reasonable safeguards in place and these disclosures are limited in nature, they are not a violation of HIPAA Rules. 

For complete information regarding business associate agreements and vendor confidentiality agreements, please refer to the article on page 5 of the May issue of the American Practice Advisor® titled “Business Associate vs. Vendor Confidentiality Agreements.”

Confidentiality Agreements with Vendors

There are certain types of vendors that do not require access to patient information in order to perform a service for your practice. Vendors that do not access, use, or disclose patient information will not be considered business associates. It would be a mistake to have them sign a business associate agreement, because such an agreement involves obligations that do not apply to a vendor that you do not intentionally provide with access to patient information. However, if a vendor will not be supervised (and works in areas where patient information could be accessed), or comes into the facility after hours when no one is there, there are steps you should take to protect the confidentiality of patient information.

Neither the Privacy Rule nor the Security Rule specifically mandates the use of a “Vendor Confidentiality Agreement” with vendors that are not business associates. However, the agreement is designed to help you ensure that your PHI is not improperly accessed, used, or disclosed by the vendor. A signed confidentiality agreement demonstrates that you have taken steps to inform the vendor that any incidentally viewed PHI must be kept confidential and not used or disclosed.

The most common examples of vendors that should sign a Confidentiality Agreement are contracted cleaning services and landlords, because they often come into the facility when you are not there. If you have a cleaning service, but they are only present when you are in the facility, or your landlord never enters without you being present, a vendor confidentiality agreement may not be necessary.

Similarly, an agreement is not needed with vendors such as pharmaceutical reps, who come into the practice, are escorted to a location to meet with someone, and are supervised during their visit. However, if the rep stocks sample cabinets independently, and those cabinets are located in areas in which patient information could be viewed, then it would be wise to put a vendor confidentiality agreement in place.

Other safeguards to consider include:

  • not leaving patient information out on desks, particularly after hours;
  • placing documents containing patient information into locked cabinets whenever possible;
  • emptying shredding bins into a secure area at the end of every work shift;
  • logging off all workstations when walking away from the station and at the end of the work shift (automatic logoff may also be in place);
  • having blur screens or shields in place on workstations that are in publicly accessible areas.

Take a moment to assess your vendors to determine whether there are any with which you should have a Vendor Confidentiality Agreement. If you are a subscriber to the HIPAA Compliance System, you have Form 7.12, Vendor Confidentiality Agreement, for this purpose.