Most health care providers do not carry out all their health care activities and functions by themselves. The HIPAA Privacy Rule applies only to covered entities. However, it does allow providers to disclose certain protected health information to business associates. If a provider contract any services the provider must obtain assurances that the business associate will use the information for the intended purposes and will safeguard the information from misuse. Some examples of a business associate are a medical billing company, an independent medical transcriptionist, a CPA that has access to PHI and an IT company. A more comprehensive list can be found at the Health and Human services website, here. These lines can be blurry but a good rule of thumb is if a business or person has access to a computer within your practice that houses PHI they should be considered a business associate. And, should, in turn, be willing to sign a BAA.

This is a guest post written by Jennifer Bates, on behalf of HIPAAStrategies.

If the business is not willing to sign a BAA it should send up red flags. According to the OCR portal breach report, which reports breaches that affect 500 people or more, 10 business associates have had breaches in 2017. That number might not seem large but many more have been reported on a smaller scale. And, if you are affected by one you will surely be audited. The top causes of breaches are theft, unauthorized access/disclosure and Hacking/IT. Careless use of equipment is the top reason for data breaches. As a covered entity, you can’t know what your vendors are doing with equipment, control how they train their staff, allow staff access to PHI or monitor their IT infrastructure to ensure strong firewalls, passwords, etc. What you can do is be vigilant in obtaining documentation that they comply with the law.

How do you find out if your vendor is compliant? First, a simple risk level evaluation is a great tool in seeing how compliant your vendors are. It does not have to be a full risk assessment, but asking simple questions of the vendor will quickly tell you if they have thought about compliance. Monitoring your vendors for risk assessments also helps. They should be able to produce a risk assessment if you ask. You should be able to see that it is mitigated and kept up to date.

As mentioned earlier, the BAA is the cornerstone of the business associate relationship. BAA’s contain standard language as required by HIPAA. But, practices may have certain needs that extend beyond a generic BAA. Those needs always should be included. Don’t just use other companies BAA. Have your own drafted and if needed negotiate with the company as to what needs to be included.

Common Misconceptions about Business Associates

• Vendors don’t need to be HIPAA compliant because they aren’t storing data. If a vendor even has access to data or potential access to data they still need to be HIPAA compliant. For example, an IT company does not have access to the EHR or patient records but they do have access to computers where those are stored. There would need to be a BAA in place.
• The practice won’t be responsible for a HIPAA violation if it is the vendor’s fault. False, the HIPAA Privacy rule states that you are responsible for your patients’ data. If a vendor is breached you will also be liable for an audit.
• Subcontractors do not need to be HIPAA compliant. The new rule requires subcontractors that manage or maintain patient data to also be compliant. If you hire an IT company to manage backups and they outsource the backups. The outsourced company must also be compliant and willing to sign a BAA.
• The practice is small and uses other small business’ as vendors. There is no size specification in the HIPAA final rule as to the size and scope of the practice in terms of vendor size. All practices and BAA’s regardless of size must comply with the rule.
• Cleaning and maintenance employees are business associates. False, you may want to give these people confidentiality agreements but these employees are not actively transmitting or storing PHI. On another note, your office should be locking up any access to PHI nightly so these types of vendors do not have access.

Maintaining Vendor Compliance

It’s useful to document all HIPAA activities. Especially those that you lose control over when PHI leaves the office. If you were to incur an audit because of a vendor breach having a documented trail of compliance with vendors will establish a pattern of compliance in your practice. Implement a workflow that can automatically send vendors risk evaluations, BAA’s and other important documents. Store documents in a manner that can be time and date stamped and cataloged. Make your vendors aware that you expect compliancy on all levels. If they are unwilling to sign the BAA don’t do business with them.

Your practices’ compliance with the HIPAA Privacy and Security rules isn’t enough. Make sure you’re using compliant vendors when dealing with PHI. Knowing their level of compliance will ensure your business’ protection.