Most of us know by now that the HIPAA Omnibus Rule is law and it impacts everyone in the healthcare industry. With increased penalties, enforcement, requirements, and reach, if you haven’t started paying attention to it yet, you ignore it at your own peril. If you’ve begun to travel down the path to compliance, whether you’ve hired a professional company or you’re braving it on your own, one of the considerations you’ll encounter is how to classify your various vendors. Properly identifying, documenting, and managing your vendor relationships could shift the burden of liability in the event of a breach from your organization to your vendor.
1. Are they a business associate? A business associate can be broadly and briefly defined as a vendor that comes into contact with, and interacts with, personal health information (PHI) in the normal course of providing their services to you. Those vendors need to sign a current (and Omnibus-compliant) business associate agreement. This affords you the greatest level of protection from vendor behavior, but there is more to consider.
2. Is your business associate an agent or an independent contractor? The Omnibus Rule introduced the concept of agency into the vendor relationship equation. The body of law and precedent governing agency relationships is extensive and deep, and while you don’t need to be an expert, you need to understand the basics. Essentially, how actively engaged you are in the work of your vendor matters. If your vendor is deemed to be an agent of your organization, as opposed to an independent contractor, then their liability can pass through to you.
For example, let’s take a billing company. If your billing company (a business associate) provides its services to you with very little management on your end, in all likelihood it would be considered an independent contractor; if it suffers a breach, that breach is unlikely to be your responsibility. By contrast, if you actively manage this billing company, advising it on how to handle claims, collections, etc., you’ve increased the likelihood of it being deemed an agent of your organization, whereby you inherit liability in the event it suffers a breach. It is still a business associate, but you’ve severed the arm’s length protection provided under the agency laws. Although this is an oversimplification of agency relationships, the point is to be aware of the distinction.
3. What do I do with my vendors that are not business associates, but still enter, or otherwise have access to, our information or our facility? We call these gray area vendors: not quite business associates, but they may have incidental access to PHI in the course of providing services to you. Examples of gray area vendors include Internet service providers, phone system vendors, fax services, cleaning services, landlords, and many more. The good news is that the HIPAA Privacy Rule makes an allowance for those vendors in section 45 CFR 164.502(a)(1)(iii), but that provides little protection to you in the event of a breach by a gray area vendor. Many of these vendors will not sign business associate agreements, and although the law does not require it, you should seek additional protection. We recommend our clients have their gray area vendors sign confidentiality agreements. Here’s a sample agreement, drafted by one of our attorneys, Amy Fehn at HealthLawOffices.com, that we use with our clients. Taking the extra step to document the confidential nature of the information on your premises puts your gray area vendors on notice and also demonstrates your good faith efforts to achieve compliance.
While no agreement is bulletproof, part of what ONC auditors look for is evidence that you’ve taken reasonable measures to comply with the law. Properly identifying, documenting, and managing your vendors could keep you from getting bitten by the sharpened teeth of the HIPAA Omnibus Rule.
Jeff Mongelli is the CEO of Acentec, Inc., a nationwide provider of HIPAA compliance and medical IT management services.