What Do Healthcare Third-Party Vendors Do


Healthcare providers and dentists, referred to by the Department of Health and Human Services as Covered Entities (CEs), and their third-party vendors, referred to as Business Associates (BAs), are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

A third-party vendor may be an individual or an organization, other than an employee of a provider, that performs certain functions on behalf of, or provides certain services to, a CE, where those functions or services involve access to Protected Health Information (PHI). A third-party vendor could also be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of the provider (45 CFR 160.103).

Healthcare third-party vendors, and the activities they perform, may include:

  • Consultants
  • Managed Service Provider
  • Management Administration
  • Revenue Cycle Management (RCM)
  • Billing, Coding, Transcription
  • Marketing Companies
  • Accreditation
  • Utilization Review
  • Information technology contractors
  • Data Analysis
  • Data storage or document destruction companies
  • Data transmission companies or vendors who routinely access PHI
  • Third Party Administrators (TPA)
  • Lawyers
  • Accountants
  • Malpractice insurers

Note: A provider could be a third-party vendor of another provider.

Third-Party Vendor Decision Tree

Are you still unsure whether you are a healthcare third-party vendor? If so, the good folks at Holland & Hart have put together the following handy Business Associate decision tree to help you determine whether an entity is a third-party vendor (Business Associate) under HIPAA, as defined in 45 CFR § 160.103.

(Screenshot of page 1 of 2: Business Associate Decision Tree; link provided above.)

Why Does It Matter?

Providers, it is your responsibility to identify your third-party vendors and confirm that a Business Associate Agreement (BAA) is in place that holds them to the same standards of privacy and confidentiality as yourself. The BAA must be current and signed, and it must limit the third-party vendor's access to only the PHI necessary to carry out its activities for the provider.

Healthcare organizations of all sizes and their third-party vendors should understand that patients are entrusting them with their most private and intimate details. Patients expect that information to remain secure!