Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices

Health care providers and health insurance companies are generally aware that when protected health information (“PHI”) is disclosed to a vendor, such as an attorney, consultant or cloud data storage firm, a business associate agreement is necessary to comply with HIPAA and to safeguard the information disclosed. However, not all vendors will be business associates, even when such vendors may have potential access to PHI, and health care providers and insurers often struggle with how to manage risks to PHI in these relationships. The following FAQs address these issues and my solutions for managing and mitigating risk in an efficient and cost-effective manner.

Who are non-business associate vendors?
Generally, a vendor is not a business associate if it does not receive, use, disclose or maintain PHI. The key risk though is that these vendors may still have potential access to an organization’s PHI. Examples include the following:

  • An IT vendor that will have access to hospital information systems to install, update or maintain malware protection.
  • A cleaning service which has access to staff offices, medical record rooms or other areas in which PHI may exist.
  • A software company that licenses a locally hosted program that utilizes or processes PHI, and that may need access to local information systems for installation or troubleshooting.
  • A consultant who is granted limited access to quality, compliance or other internal reports that include only aggregate information but who may be working in a medical records storage area or be logged into the local network.

What harm can these vendors cause?
Failure to manage data privacy risks with non-business associate vendors may lead to both violations of HIPAA and state privacy laws. Let us consider a recent example to illustrate the importance of addressing data privacy and HIPAA concerns with vendors who are not business associates:

Health care provider engages a local IT security firm to install patches. Parties agree that vendor is not a business associate. While in the provider’s information system, a newly hired vendor employee stumbles upon locally maintained patient and employee records. Bored, he starts reviewing the records and finds a former classmate of his. He copies the records to a USB drive and emails the records to the former classmate. Several weeks later, the former classmate contacts the state attorney general and says “look what the provider gave [the employee] access to.” Vendor employee failed to appreciate the seriousness of the access (no privacy training provided), was under no obligation to report the access to employer, and vendor had no obligation to notify, indemnify, reimburse or cooperate with the provider.

Provider was found to be in violation of both HIPAA and state privacy law and regulators required an extensive corrective action plan.

What strategies should a health care provider or insurer pursue to manage the risk caused by non-business associate vendors?

I generally advise clients to pursue a 3-part strategy addressing organizational policies, due diligence and confidentiality agreements:

  1. Organizational Policies: Avoid limiting privacy and security policies to only HIPAA compliance – while very important, HIPAA is not the only privacy and security concern a health care provider or insurer should have. Policies should also consider proprietary information, trade secrets and state privacy laws. Further, ensure that privacy and security polices apply to all vendors, not merely those subject to HIPAA.
  2. Due Diligence: Consider implementing a vendor-screening tool as part of your contracting process and make data privacy and security a factor when choosing vendors. The purpose of the screening tool is to obtain vendor assurances regarding privacy, receive comfort that the vendor is cognizant of and is addressing privacy concerns and to periodically monitor vendor privacy efforts (such as through annual certifications).
  3. Confidentiality Agreements: Develop a specific template confidentiality agreement for non-business associate vendors, the terms of which should reflect the risk profile of the organization (Note: a standard non-disclosure agreement is generally insufficient for this purpose). Ensure a focus on confidentiality obligations, compliance with laws and policies, incident reporting and reimbursement.

7 comments on “Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices”

  1. I found the article interesting but a somewhat incorrect interpretation of the HITECH and the Final Omnibus Rule. The rule state “create, maintain, transfer or receive” of PHI. The cleaning firm should no be a Business Associate. That be said an outsource IT firm and a SaaS software provider are definitely Business Associates. The reality is “access” is a key factor as well as dealing with the life cycle of PHI in which both parties are involved.
    The only type of vendor who does not need a BAA is one with no access the the information, there no such thing as being a little pregnant.

    1. An outsource IT firm and a Saas Provider are not “definitely” BAs – they are only BAs if given access to PHI. One must take a much more nuanced approach to a BA analysis and consider the particular facts and circumstances. For example, a vendor may have access to an IT system but not have access to PHI. This would be similar to the cleaning service that may have access to a medical records room but which is not given access to PHI. As you acknowledge, there is no need for a BAA if there is no access of PHI – everything you say is consistent with the article. I encourage you to take a closer look at vendor arrangements and address privacy and security issues in light of the particular circumstances. Hope this helps.

  2. With all due respect, from my experience when you have an outsource IT firm they have access to PHI. The also manage the hardware. So who has the responsibility for data destruction? Who has administrative rights?
    With a cleaning contractor, if the CE is properly handling PHI, there is no access to information. With an IT vendor most likely they are managing the encryption software (if it exists). They are managing the infrastructure, the software updates, for my clients I recommend a signed BAA, because when there is a breach, OCR is going to be question why there was not one in place.

    1. Cleaning services may have access to PII or PHI through documentation which may not be considered critical enough to be destroyed or shredded. There are organizations that have bins where paper is placed and then once or twice a week the paper boxed to be shredded . Until that is done many folks have access to the PII or PHI. There has been an audit and fine by OCR for not encrypting or destroying information stored on a copier machine device before trading it out for new equipment. It is critical in meeting the Omnibus Rule to think out of the box in creating process and workflow to sustain a breach and an OCR audit.

  3. I was like to know if my daughter’s high school nurse and her assistant are held to these same standards. My daughters privacy was completely disregarded. Which might now potentially lead to bullying all because the nurse didn’t have any regard for privacy. I hAve left a voicemail and sent an email to the school superintendent office. No response. Two days later a caseworker showed up with a complaint filed by tbis sOme school murze.

    1. Look up the Family Educational Rights and Privacy Act (FERPA). FERPA prohibits the disclosure of a student’s “protected information” to a third party. This disclosure is prohibited whether it is made by hand delivery, verbally, fax, mail, or electronic transmission. For purposes of FERPA, a “third party” includes any individual or organization other than the student or the student’s parent(s).

Leave a Reply

Your email address will not be published. Required fields are marked *