What Do Healthcare Third-Party Vendors Do
Healthcare providers and dentists, referred to by the Department of Health and Human Services as Covered Entities (CEs), and their third-party vendors, referred to as Business Associates (BAs), are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

A third-party vendor may be an individual or an organization, other than an employee of a provider, that performs certain functions on behalf of, or provides certain services to, a CE that involve access to Protected Health Information (PHI). A third-party vendor could be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of the provider (45 CFR 160.103).

Some of the activities of healthcare third-party vendors may include:

- Consultants
- Managed Service Provider
- Management
- Administration
- Revenue Cycle Management (RCM)
- Billing, Coding, Transcription
- Marketing Companies
- Accreditation
- Utilization Review
- Information technology contractors
- Data Analysis
- Data storage or document destruction companies
- Data transmission companies or vendors who routinely access PHI
- Third Party Administrators (TPA)
- Lawyers
- Accountants
- Malpractice insurers

Note: A provider could be a third-party vendor of another provider.

Third-Party Vendor Decision Tree

Are you still unsure whether you are a healthcare third-party vendor? If so, the good folks at Holland & Hart have put together the following handy Business Associate decision tree to help you determine if an entity is a third-party vendor (Business Associate) under HIPAA, as defined in 45 CFR § 160.103.

(Included screenshot of page 1 of 2: Business Associate Decision Tree, link provided above.)

Why Does It Matter?

Providers, it is your responsibility to identify your third-party vendors and confirm there is a Business Associate Agreement (BAA) in place that holds them to the same standards of Privacy and Confidentiality as yourself. The BAA must be current and signed, and it must limit the third-party vendor's access to only the PHI necessary to carry out its activities for the provider.

Healthcare organizations of all sizes and third-party vendors should understand that patients are entrusting them with their most private and intimate details. They do expect it to remain secure!