24 February 2014

Vendor Management, Business Associates and the HIPAA Privacy Rule

Topics: HIPAA

Ever since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted, health care providers have developed policies and procedures to ensure their compliance in different ways – asking new patients to sign disclosures and requiring releases to be signed whenever records are requested are just two examples. Healthcare providers have always used outside contractors and professionals, like any other business, but this too has increased along with the complexity of industry practices and regulatory requirements. Increasingly, patients' Protected Health Information (PHI) is being stored electronically.

As everyone knows, systems can be hacked, computers break down, software is updated and systems change. What happens when a healthcare facility hires a vendor to install a new computerized medical records system, or a new computerized pharmacy system? And what steps need to be taken when using an outside consultant or accountant who needs access to PHI? Outside vendors that have or need access to PHI also include the document shredding company, and the janitorial staff if they are contracted rather than employed. More importantly, how do healthcare providers know whether those people are also ensuring the privacy of patient data?

The answer to these questions depends on whether the contractor qualifies as a Business Associate. See 45 CFR 160.103. HIPAA defines a Business Associate as a person who, on behalf of a covered entity, "creates, receives, maintains, or transmits PHI for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities… billing, benefit management, practice management, and re-pricing." The definition of Business Associate also includes people and contractors providing professional services to covered entities, such as "legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity," but only where the provision of such services involves the disclosure of PHI.

HIPAA also singles out computer and IT personnel who automatically qualify as Business Associates: anyone who provides data transmission services with respect to protected health information to a covered entity, but only if they are required to access PHI on a routine basis. A good rule of thumb in evaluating whether a vendor qualifies as a Business Associate is whether the contractor needs to access PHI in order to do the job. If the answer is "yes", then it's wise to consider that person or entity a Business Associate. If the only thing your IT contractor is doing is selling you software, then that vendor would not constitute a Business Associate. But if the same IT contractor is merging records from one system into another, and has to access PHI in order to do that, then the answer changes. An electrician hired to repair wiring likely is not a Business Associate; but the janitorial service that is disposing of discarded records likely is.

Business Associates never include the covered entity's own employees, and there is a big exception for outside contractors or personnel who are performing a service "in the capacity of a member of the workforce of such covered entity." This exception is worded carefully – the drafters could just as easily have said "employees", but chose instead the potentially much broader and fact-specific "member of the workforce". This allows for situations where a person who is technically not an employee of the covered entity is nevertheless given an office and treated like a member of the team.

So What Am I Supposed To Do? 

Covered entities are required to have their Business Associates sign an Agreement that (1) describes the Business Associate's permitted and required uses of PHI; (2) provides that the Business Associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and (3) requires the Business Associate to use appropriate safeguards to prevent any use or disclosure of the PHI other than as provided for by the Business Associate Agreement. See 45 CFR 164.504(e)(2). This is not just a smart thing to do in order to ensure the confidentiality and integrity of your patients' PHI; it's required by law. If you do not have Business Associate Agreements in place with your vendors, or would like them reviewed, please contact our offices for assistance.
