HIPAA Business Associate Qualifying Questions

Do You Believe the Vendor Is a Business Associate?

The vendor:

  1. Provides a service that requires them to view patient information. 
  2. Provides a service that requires them to store patient information. It does not matter if:
    1. they look at the information
    2. they never look at the information
    3. the information is in sealed packaging
    4. the information is encrypted
    5. the information is in locked cabinets or cages
    6. the information is protected by logins and passwords.
  3. Provides a product or service that may allow the installers or support technicians to access patient information (even data files, not just the individual records) or can view your screen remotely.

For example:

  1. Electronic Health Records
    (EHR) program vendors
  2. PACS imaging program vendors
  3. Drug dispensing cart vendors
  4. Diagnostic device vendors
  5. IT companies
  6. Online backup providers
  7. Cloud services
  8. Copier technicians (if your copiers have internal hard disk drives,) 
  9. Staffing companies
  10. Lawyers that represent you in malpractice cases or collections
  11. Accountants that audit your books
  12. Shredding Companies
  13. Revenue Cycle Management consultants
  14. Outsourced Transcriptionists
  15. Outsourced Coders
  16. Outsourced therapists, consultants, etc. that may access your data
  17. Medical schools and nursing schools that require your patient information to evaluate their students
  18. Medical Records storage companies
  19. Utilization Reviewers 
  20. Insurance
  21. Agents that sell health plans


Will They Sign a Business Associate Agreement?

Many companies that provide services that qualify them as Business Associates are not aware or deny they are Business Associates, and will not sign Business Associate Agreements. If a company meets the criteria listed above and will not sign a Business Associate Agreement, you cannot work with them, or anything they see will be a data breach.


Semel Consulting works with Covered Entities, Business Associates, and Subcontractors to properly manage HIPAA compliance.


MIKE SEMEL  |  www.SemelConsulting.com