Outsourcing PHI-related functions? What you need to know about HIPAA

Choosing to outsource various office activities that involve Protected Health Information (PHI) requires diligence to ensure compliance with federal HIPAA regulations. Many offices choose to outsource business activities such as billing, clinical record storage, or shredding. A covered entity, as defined by HIPAA, is responsible to ensure that the vendors handling patients’ PHI are HIPAA-compliant. This can be achieved through a Business Associate Agreement, often referred to as a “BAA”.

Once a BAA is in place with a vendor, HIPAA does not require the covered entity to monitor or oversee the privacy safeguards the vendor has in place. However, if the vendor violates HIPAA regulations and the terms of the BAA, the covered entity is required to take “reasonable steps” to cure the breach or end that violation and, if unsuccessful, must terminate the contract with that business associate (vendor). A great way to review a vendor’s compliance with HIPAA is to perform pre-contract due diligence. This might include asking key leadership about their HIPAA policies and procedures (which is required by HIPAA) or inquiring about any past HIPAA breaches. Ensuring that the BAA includes the right to audit the vendor for HIPAA compliance is another excellent strategy.

Need more information about HIPAA? The Centers for Medicare and Medicaid Services (CMS) has an abundance of information relating to HIPAA including a Business Associate Agreement Template that meets HIPAA requirements. Another great information source is healthit.gov which covers electronic health records, privacy, security including mobile device guidance, and offers a sample customizable Notice of Privacy Practices template.