Don't worry yet about what happens with it, just consider if there is any chance of seeing or accessing patient data.
- There are exceptions for specific situations but if anything you share or exchange involves a vendor being able to see a patient name, address, social security number or date of birth, they are likely a Business Associate.
- Street address
- Telephone number
- E-mail addresses
- Social Security Number
- Medical record number or other health plan account numbers
- Certificate or License Numbers
- Device identifiers and serial numbers
- Device URLs or IP addresses
Vendor Services or Activities
Business Associates as defined by HIPAA regulations cover a broad spectrum of activity. Below is a list of services that often involve Business Associates:
- application support services
- data aggregation
- data storage services
- financial services
- physical or electronic data storage
- shredding services
- technology support services
And here is a list of some activities that may be performed by a Business Associate or Subcontractor:
- benefit management
- claims processing or administration
- data analysis, processing, or administration
- data storage services
- patient safety activities
- practice management
- quality assurance
- utilization review
Access, Controls, and Exceptions
Any company that stores patient information, even encrypted, is now considered a Business Associate (BA) under the 2013 rules. Simply having persistent access to the protected information is all that matters.
The key for determining exceptions that might apply is defining the transient vs. persistent nature of access. If the access to data, or the level of access to the data, is very rare, very brief in nature and then removed, they may not be a BA. If, however, access to the data is always present, then consider them to be a BA. Even if they claim they have no need to see the data, the fact that it is consistently ‘available’ makes them a BA. The Final Rule specifically states that a data storage company is a BA even if they store the data in an encrypted format - what matters is that it is always on their servers.
- My vendor stores patient information on their servers
- To provide support services, they must have administrative rights to our systems that access or store patient information
- They never access patient information electronically
Incidental exposure to PHI
There are exceptions for entities that function as conduits. Those exceptions apply to companies that transmit data but never store it or have access to it.
- Courier services, the US Post Office, etc. also fall under the conduit exception.
- Your phone company has PHI go over their lines but it isn't there for any amount of time and they have no need to see it as it goes by their systems. However, consider whether your telecom service providers or technicians ever have access to your voicemail or data transmissions.
- Who maintains your copier and fax equipment? Can service technicians access data during maintenance, repairs or at the end of a lease term?
- A cleaning service, for example, may never see patient information that is locked away and they are only around it when cleaning the office during normal business hours. Any work they do shouldn't put them in direct contact with patient information except by complete accident and then it wouldn't be the entire patient database. However, consider whether the physical and technical safeguards you have in place are absolutely secure if service is performed after normal business hours.
Your vendor would be considered a Business Associate as defined by HIPAA standards.
Your vendor may not be a Business Associate as defined by HIPAA standards. However, be certain to consider the physical and technical safeguards you have in place. Addressing confidentiality is also strongly recommended.