My company is an IT services firm that specifies, installs and maintains computer networks for small to medium-sized businesses. There are opportunities in the healthcare market for such installations and maintenance at doctors' offices. If my company were to service such accounts, the technicians could come into contact with PHI in the course of server maintenance or performing data backups and data checks. But at no time would any tech be allowed to leave a client's premises with PHI in any form. Would we be considered a HIPAA business associate and therefore need to be HIPAA compliant?
This is a tricky question and the final answer is going to be highly dependent upon the specific circumstances of the covered entity's business and the services your company provides. Before I give you a few informative examples, remember that this is not legal advice and you should run your specific situation by a qualified HIPAA attorney before deciding whether your company must have a HIPAA business associate arrangement.
The Department of Health and Human Services (HHS) is responsible for implementing HIPAA and provides detailed guidance and examples to help covered entities determine when a business associate relationship is necessary. Unfortunately, none of the examples it provides apply directly to this particular situation.
Let's start with the HHS definition of a HIPAA business associate, which is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." The HHS goes on to provide examples of those "certain functions or activities," and lists "data analysis, processing or administration" as one of those activities. That's a fairly vague description, but an argument could be made that your organization performing backups and "data checks" falls under the umbrella of data administration.
Elsewhere on its site, the HHS does address whether a software vendor is a business associate of a covered entity. The conclusion it reaches states, in part, that "If the vendor does need access to the protected health information of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity."
My instinct says that your situation would fall under this same reasoning. If your company is performing backups and other tasks that give it access to protected health information, you would fall under the definition of a HIPAA business associate.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)