Health care providers and health insurance companies are generally aware that when protected health information (“PHI”) is disclosed to a vendor, such as an attorney, consultant or cloud data storage firm, a business associate agreement is necessary to comply with HIPAA and to safeguard the information disclosed. However, not all vendors will be business associates, even when such vendors may have potential access to PHI, and health care providers and insurers often struggle with how to manage risks to PHI in these relationships. The following FAQs address these issues and my solutions for managing and mitigating risk in an efficient and cost-effective manner.
Who are non-business associate vendors?
Generally, a vendor is not a business associate if it does not create, receive, maintain or transmit PHI on the organization's behalf. The risk is that these vendors may still have incidental or unintended access to the organization's PHI while performing unrelated work. Examples include the following:
- An IT vendor that will have access to hospital information systems to install, update or maintain malware protection.
- A cleaning service that has access to staff offices, medical record rooms or other areas in which PHI may exist.
- A software company that licenses a locally hosted program that processes PHI, and that may need access to local information systems for installation or troubleshooting.
- A consultant who is granted limited access to quality, compliance or other internal reports that include only aggregate information but who may be working in a medical records storage area or be logged into the local network.
What harm can these vendors cause?
Failure to manage data privacy risks with non-business associate vendors may lead to violations of both HIPAA and state privacy laws. Consider a recent example that illustrates the importance of addressing data privacy and HIPAA concerns with vendors who are not business associates:
A health care provider engages a local IT security firm to install patches. The parties agree that the vendor is not a business associate. While in the provider's information system, a newly hired vendor employee stumbles upon locally maintained patient and employee records. Bored, he starts reviewing the records and finds a former classmate of his. He copies the records to a USB drive and emails them to the former classmate. Several weeks later, the former classmate contacts the state attorney general and says "look what the provider gave [the employee] access to." The vendor employee failed to appreciate the seriousness of the access (no privacy training had been provided), was under no obligation to report the access to his employer, and the vendor had no obligation to notify, indemnify, reimburse or cooperate with the provider.
The provider was found to be in violation of both HIPAA and state privacy law, and regulators required an extensive corrective action plan. Note that the vendor employee's access was far broader than installing patches required; contractual protections are a backstop, not a substitute, for limiting vendor access to what the engaged work actually needs.
What strategies should a health care provider or insurer pursue to manage the risk caused by non-business associate vendors?
I generally advise clients to pursue a 3-part strategy addressing organizational policies, due diligence and confidentiality agreements:
- Organizational Policies: Avoid limiting privacy and security policies to HIPAA compliance alone. HIPAA is very important, but it is not the only privacy and security concern a health care provider or insurer should have; policies should also address proprietary information, trade secrets and state privacy laws. Further, ensure that privacy and security policies apply to all vendors, not merely those subject to HIPAA.
- Due Diligence: Consider implementing a vendor-screening tool as part of your contracting process and make data privacy and security a factor when choosing vendors. The purpose of the screening tool is to obtain vendor assurances regarding privacy, to gain comfort that the vendor is cognizant of and addressing privacy concerns, and to periodically monitor vendor privacy efforts (such as through annual certifications).
- Confidentiality Agreements: Develop a specific template confidentiality agreement for non-business associate vendors, the terms of which should reflect the risk profile of the organization (Note: a standard non-disclosure agreement is generally insufficient for this purpose). Ensure a focus on confidentiality obligations, compliance with laws and policies, incident reporting (including a duty for the vendor to report unauthorized access by its own personnel) and reimbursement.