everythingpossible - Fotolia
My company is an IT services firm that specifies, installs and maintains computer networks for small to medium-sized businesses. There are opportunities in the healthcare market for such installations and maintenance at doctors' offices. If my company were to service such accounts the technicians could come into contact with PHI in the course of server maintenance or performing data backups and data checks. But at no time would any tech be allowed to leave a client's premises with PHI in any form. Would we be considered a HIPAA business associate and therefore need to be HIPAA compliant?
This is a tricky question and the final answer is going to be highly dependent upon the specific circumstances of the covered entity's business and the services your company provides. Before I give you a few informative examples, remember that this is not legal advice and you should run your specific situation by a qualified HIPAA attorney before deciding whether your company must have a HIPAA business associate arrangement.
The Department of Health and Human Services (HHS) is responsible for implementing HIPAA and provides detailed guidance and examples to help covered entities determine when a business associate relationship is necessary. Unfortunately, none of the examples it provides apply directly to this particular situation.
Let's start with the HHS definition of a HIPAA business associate, which is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." The HHS goes on to provide examples of those "certain functions or activities," and list "data analysis, processing or administration" as one of those activities. That's a fairly vague description, but an argument could be made that your organization performing backups and "data checks" falls under the umbrella of data administration.
Elsewhere on its site, the HHS does address whether a software vendor is a business associate of a covered entity". The conclusion it reaches states, in part that "If the vendor does need access to the protected health information of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity."
My instinct says that your situation would fall under this same reasoning. If your company is performing backups and other tasks that gives it access to protected health information, you would fall under the definition of a HIPAA business associate.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Learn more about how to know if your organization is a HIPAA business associate
Find out what happens if an organization ignores compliance regulations
Learn who should perform HIPAA and HITECH compliance assessments
Dig Deeper on Security audit, compliance and standards
Related Q&A from Mike Chapple
Examine the important differences between stateful and stateless firewalls, and learn when each type of firewall should be used in an enterprise ... Continue Reading
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading