Evade vulnerability by managing vendor access to PHI

HIM Connection, September 22, 2004

Any time a vendor is on your premises, you put patients' protected health information (PHI) at risk. The responsibility of shielding that information from incidental viewing rests squarely on your shoulders.

The security language in the HIPAA privacy rule spells out several ways you need to address overall access to PHI for your work force. The rule does not specifically address vendor access, but it is considered your responsibility to limit vendor access to PHI.

Take security and privacy beyond your front door and look at vendors individually. From transcription companies to cleaning staff, medical suppliers to food providers, assess all contractors to determine the likelihood that they will encounter PHI. Then manage their access needs accordingly through a combination of a contractual agreement, physical and electronic security, and training.

Separate contractors into the following three categories, says Bill Roach Jr., MS, JD, partner at McDermott Will & Emery in Chicago:

  1. Those with no access to PHI
  2. Those with potential incidental access to PHI
  3. Business associates that require access to PHI to perform their jobs

Once you group all vendors, review and update preexisting contracts to comply with the current HIPAA regulations. If you don't have an agreement with a vendor that falls into the second or third access category, enter into one immediately, Roach says.

However, creating a contract isn't sufficient. Roach advises that you have a contract administrator track those agreements to ensure that your facility regularly updates and renews all the regulatory provisions in the agreements.

This excerpt is adapted from Briefings on HIPAA.

HIM Connection In-Depth

Managing offshore vendor access to PHI is a challenge

Managing PHI once it is in the hands of an offshore subcontractor is a difficult challenge for facilities, says Roach.

The best safeguard against offshore contractors violating HIPAA rules is a carefully constructed and negotiated contract with the vendor that includes sanctions for violations. However, should an offshore vendor decide to release information, you would be held liable for the violation, and a breach-of-contract suit would be your only recourse.

"It's a nightmare and really the only effective sanction you have is that the vendor wants your business and it wants other business from the industry. A hostile, uncontrollable act would destroy the offshore vendor's hopes of business forever," Roach says. "We generally recommend that a company think very carefully about using a company outside the U.S. jurisdiction."

If you do use offshore vendors, work closely with them and track each one carefully.
