Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices

Health care providers and health insurance companies are generally aware that when protected health information (“PHI”) is disclosed to a vendor, such as an attorney, consultant or cloud data storage firm, a business associate agreement is necessary to comply with HIPAA and to safeguard the information disclosed. However, not all vendors will be business associates, even when such vendors may have potential access to PHI, and health care providers and insurers often struggle with how to manage risks to PHI in these relationships. The following FAQs address these issues and my solutions for managing and mitigating risk in an efficient and cost-effective manner.

Who are non-business associate vendors?
Generally, a vendor is not a business associate if it does not receive, use, disclose or maintain PHI. The key risk though is that these vendors may still have potential access to an organization’s PHI. Examples include the following:

  • An IT vendor that will have access to hospital information systems to install, update or maintain malware protection.
  • A cleaning service which has access to staff offices, medical record rooms or other areas in which PHI may exist.
  • A software company that licenses a locally hosted program that utilizes or processes PHI, and that may need access to local information systems for installation or troubleshooting.
  • A consultant who is granted limited access to quality, compliance or other internal reports that include only aggregate information but who may be working in a medical records storage area or be logged into the local network.

What harm can these vendors cause?
Failure to manage data privacy risks with non-business associate vendors may lead to both violations of HIPAA and state privacy laws. Let us consider a recent example to illustrate the importance of addressing data privacy and HIPAA concerns with vendors who are not business associates:

Health care provider engages a local IT security firm to install patches. Parties agree that vendor is not a business associate. While in the provider’s information system, a newly hired vendor employee stumbles upon locally maintained patient and employee records. Bored, he starts reviewing the records and finds a former classmate of his. He copies the records to a USB drive and emails the records to the former classmate. Several weeks later, the former classmate contacts the state attorney general and says “look what the provider gave [the employee] access to.” Vendor employee failed to appreciate the seriousness of the access (no privacy training provided), was under no obligation to report the access to employer, and vendor had no obligation to notify, indemnify, reimburse or cooperate with the provider.

Provider was found to be in violation of both HIPAA and state privacy law and regulators required an extensive corrective action plan.

What strategies should a health care provider or insurer pursue to manage the risk caused by non-business associate vendors?

I generally advise clients to pursue a 3-part strategy addressing organizational policies, due diligence and confidentiality agreements:

  1. Organizational Policies: Avoid limiting privacy and security policies to only HIPAA compliance – while very important, HIPAA is not the only privacy and security concern a health care provider or insurer should have. Policies should also consider proprietary information, trade secrets and state privacy laws. Further, ensure that privacy and security policies apply to all vendors, not merely those subject to HIPAA.
  2. Due Diligence: Consider implementing a vendor-screening tool as part of your contracting process and make data privacy and security a factor when choosing vendors. The purpose of the screening tool is to obtain vendor assurances regarding privacy, receive comfort that the vendor is cognizant of and is addressing privacy concerns and to periodically monitor vendor privacy efforts (such as through annual certifications).
  3. Confidentiality Agreements: Develop a specific template confidentiality agreement for non-business associate vendors, the terms of which should reflect the risk profile of the organization (Note: a standard non-disclosure agreement is generally insufficient for this purpose). Ensure a focus on confidentiality obligations, compliance with laws and policies, incident reporting and reimbursement.

15 comments on “Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices”

  1. I found the article interesting but a somewhat incorrect interpretation of the HITECH and the Final Omnibus Rule. The rule states “create, maintain, transfer or receive” of PHI. The cleaning firm should not be a Business Associate. That being said, an outsource IT firm and a SaaS software provider are definitely Business Associates. The reality is “access” is a key factor as well as dealing with the life cycle of PHI in which both parties are involved.
    The only type of vendor who does not need a BAA is one with no access to the information; there is no such thing as being a little pregnant.

    1. An outsource IT firm and a SaaS provider are not “definitely” BAs – they are only BAs if given access to PHI. One must take a much more nuanced approach to a BA analysis and consider the particular facts and circumstances. For example, a vendor may have access to an IT system but not have access to PHI. This would be similar to the cleaning service that may have access to a medical records room but which is not given access to PHI. As you acknowledge, there is no need for a BAA if there is no access to PHI – everything you say is consistent with the article. I encourage you to take a closer look at vendor arrangements and address privacy and security issues in light of the particular circumstances. Hope this helps.

  2. With all due respect, from my experience when you have an outsource IT firm they have access to PHI. They also manage the hardware. So who has the responsibility for data destruction? Who has administrative rights?
    With a cleaning contractor, if the CE is properly handling PHI, there is no access to information. With an IT vendor most likely they are managing the encryption software (if it exists). They are managing the infrastructure, the software updates; for my clients I recommend a signed BAA, because when there is a breach, OCR is going to question why there was not one in place.

    1. Cleaning services may have access to PII or PHI through documentation which may not be considered critical enough to be destroyed or shredded. There are organizations that have bins where paper is placed and then once or twice a week the paper is boxed to be shredded. Until that is done many folks have access to the PII or PHI. There has been an audit and fine by OCR for not encrypting or destroying information stored on a copier machine device before trading it out for new equipment. It is critical in meeting the Omnibus Rule to think out of the box in creating process and workflow to sustain a breach and an OCR audit.

  3. I would like to know if my daughter’s high school nurse and her assistant are held to these same standards. My daughter’s privacy was completely disregarded. Which might now potentially lead to bullying all because the nurse didn’t have any regard for privacy. I have left a voicemail and sent an email to the school superintendent office. No response. Two days later a caseworker showed up with a complaint filed by this same school nurse.

    1. Look up the Family Educational Rights and Privacy Act (FERPA). FERPA prohibits the disclosure of a student’s “protected information” to a third party. This disclosure is prohibited whether it is made by hand delivery, verbally, fax, mail, or electronic transmission. For purposes of FERPA, a “third party” includes any individual or organization other than the student or the student’s parent(s).

  4. When an IT vendor (A) provides access to another vendor (B) at the request of a common customer, is a BAA required between A&B? Thanks.

  5. Should the vendor (an IT HIPAA consultant and network administrator) disclose his criminal record to clients? Is it a violation to intentionally omit disclosing the criminal record?

  6. Can an employer request that employees give their doctor’s appointment time in and out, and what the diagnosis was? And can they call or come by your doctor’s office to ask questions about a patient? Thanks

  7. I was admitted into the VA hospital for pneumonia and two viruses in my lungs after working as an over the road truck driver all year. (I am currently unemployed). During my stay in the VA hospital I was put on a CPAP for obstructive sleep apnea and was oxygen dependent. I was prescribed two blood pressure medications and aspirin. Yes, at first I was in serious condition but not enough to affect my driving, nor did my primary care doctor say that I was incapable of driving a motor vehicle. After I was released from the VA hospital I continually drove to and from my doctor appointments …My question is after a few months I was forced to apply for social security disability. The funds were running dry. Social Security disability sent me a letter stating that I must see a doctor of their choice to determine whether I meet the requirements for disability benefits. My question is – IS the social security doctor allowed to give my medical information out to a third party (the department of motor vehicles)…as a reminder, the social security doctor is NOT my primary care doctor and his decision on my medical condition was only to review the medical findings and report to social security as per the letter I received from social security. Do I have any civil confidentiality at all in this? If so could you please advise me of any rules or regulations regarding outside doctor-patient confidentiality to a third party.

  8. I was receiving counseling services from an agency in Delaware county PA and my HIPAA rights were violated by the worker assigned to me. Her name was Hanniel King and the agency she worked for was Peer-Star. She disclosed personal information to my landlord which was false. She did this because I told her I did not want to work with her anymore because instead of making sure I had a safe place to live, she started making plans with my landlord to house inmates that her agency also did services for in the house I was currently living in. I told her it made me feel uncomfortable to hear her discussing this in my presence and that I had little confidence at this point that her main concern was me and my grandson, who I have custody of. I first contacted the agency because I had recently had spinal fusion surgery and I was having a hard time in my recovery from that surgery. Just two days after I spoke to her, my landlord drove down from New York and entered eviction papers for my family. I was current in my rent at this time and at the eviction hearing the landlord talked about why I had to stop working with Hanniel; it seemed she was angry about that. I feel why did Ms. King even relay this information to her after I let her know I had no wish to work with her on Tuesday, May 15th? The eviction order was put in on Thursday May 17th, leading me to believe she spoke to my landlord about me after I let her know I did not want her as a counselor anymore. This seems to me to be a violation of my HIPAA rights. My grandson and I are at risk of becoming homeless because of her malicious act. Where do I file a complaint about this? You go to an agency for help at a crisis that is happening in your life and a person entrusted with your information uses it to harm you.
