Physician Practice

Q&A: Protecting privacy when drug reps are visiting

Physician Practice Insider, September 8, 2015

Q: When a drug representative enters a facility, he or she can easily be exposed to protected health information (PHI). Would that fall under healthcare operations, or is the covered entity expected to get a business associate agreement (BAA) for every drug company rep that comes through the door? Also, what is the difference between a drug rep and a medical device rep? Is the device rep providing healthcare while the drug rep is simply selling a product?

A:
The drug rep should not have access to any patient information. He or she may overhear information about patients, but this is considered incidental disclosure. Care should be taken to limit such disclosure, such as meeting with the drug rep in a private office, rather than in a busy clinic. Your organization does not need to have a BAA with drug representatives.

A medical device representative may have more involvement in a specific case, such as discussing a patient to determine the most appropriate implant.

Your organization should have a BAA with the medical device company, since it may have access to PHI to provide a service on your behalf. You may ask individual representatives to sign a confidentiality agreement, but this is not required.

This question was answered by Mary D. Brandt, MBA, RHIA, CHE, CHPS, a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. This question originally appeared in the September issue of Briefings on HIPAA.

Most Popular