Is My Vendor a HIPAA Business Associate?

This form will determine whether your vendor is considered a HIPAA Business Associate and, therefore, whether you will need to have them sign a HIPAA Business Associate Agreement.

Does your vendor or supplier provide services to you that use, store, or have access to patient information for medical procedures of any kind? Don't worry yet about what happens with it; just consider whether there is any chance of their seeing or accessing patient data.
- Yes
- No
- I'm not sure

There are exceptions for specific situations, but if anything you share or exchange involves a vendor being able to see a patient name, address, Social Security number, or date of birth, they are likely a Business Associate.
- Name
- Street address
- Telephone number
- E-mail addresses
- Social Security Number
- Medical record number or other health plan account numbers
- Certificate or license numbers
- Device identifiers and serial numbers
- Device URLs or IP addresses

Does your vendor have access to any of the data mentioned above?
- Yes
- No
- I'm not sure

Vendor Services or Activities

Business Associates as defined by HIPAA regulations cover a broad spectrum of activity.
Below is a list of services that often involve Business Associates:
- accounting
- accreditation
- actuarial
- administrative
- application support services
- consulting
- data aggregation
- data storage services
- financial services
- legal
- management
- physical or electronic data storage
- shredding services
- technology support services

And here is a list of some activities that may be performed by a Business Associate or Subcontractor:
- benefit management
- billing
- claims processing or administration
- data analysis, processing, or administration
- data storage services
- patient safety activities
- practice management
- quality assurance
- repricing
- utilization review

Do your vendors or subcontractors provide any of these services or activities?
- Yes, they perform one or more of these services
- No, their services do not fall within these guidelines

Access, Controls, and Exceptions

Any company that stores patient information, even encrypted, is now considered a Business Associate (BA) under the 2013 rules. Simply having persistent access to the protected information is all that matters. The key to determining which exceptions might apply is distinguishing transient from persistent access. If access to the data, or the level of access, is very rare and very brief and is then removed, they may not be a BA. If, however, access to the data is always present, consider them to be a BA. Even if they claim they have no need to see the data, the fact that it is consistently available to them makes them a BA. The Final Rule specifically states that a data storage company is a BA even if it stores the data in an encrypted format; what matters is that the data is always on their servers.
Based on the information above, which of the following is true about your vendor?
- My vendor stores patient information on their servers
- To provide support services, they must have administrative rights to our systems that access or store patient information
- They never access patient information electronically

Incidental exposure to PHI

There are exceptions for entities that function as conduits. Those exceptions apply to companies that transmit data but never hold or access it.
- Courier services, the U.S. Post Office, etc. also fall under the conduit exception.
- Your phone company has PHI go over its lines, but it isn't there for any amount of time and they have no need to see it as it passes through their systems. However, consider whether your telecom service providers or technicians ever have access to your voicemail or data transmissions.
- Who maintains your copier and fax equipment? Can service technicians access data during maintenance, repairs, or at the end of a lease term?
- A cleaning service, for example, may never see patient information that is locked away, and they are only around it when cleaning the office during normal business hours. Any work they do shouldn't put them in direct contact with patient information except by complete accident, and even then it wouldn't be the entire patient database. However, consider whether the physical and technical safeguards you have in place are absolutely secure if service is performed after normal business hours.
Which statement below would be true regarding your vendor's access to PHI?
- I am absolutely certain access to PHI would be limited and incidental
- Although they do not perform the services of a BA, there may not be sufficient controls in place that completely restrict access to patient data

Possible outcomes:
- Your vendor would be considered a Business Associate as defined by HIPAA standards.
- Your vendor may not be a Business Associate as defined by HIPAA standards. However, be certain to consider the physical and technical safeguards you have in place. Addressing confidentiality is also strongly recommended.