
What Do Healthcare Third-Party Vendors Do?
Healthcare providers, including dentists, are referred to by the Department of Health and Human Services as Covered Entities (CEs), and their third-party vendors are referred to as Business Associates (BAs). Both are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.
A third-party vendor may be an individual or an organization, other than a member of the provider's own workforce, that performs certain functions or activities on behalf of a CE, or provides certain services to a CE, that involve access to Protected Health Information (PHI). A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate (45 CFR 160.103).
Healthcare third-party vendors include, among others:
- Consultants
- Managed Service Providers (MSPs)
- Management administration services
- Revenue Cycle Management (RCM) companies
- Billing, coding, and transcription services
- Marketing companies
- Accreditation organizations
- Utilization review firms
- Information technology contractors
- Data analysis firms
- Data storage and document destruction companies
- Data transmission companies or vendors that routinely access PHI
- Third Party Administrators (TPAs)
- Lawyers
- Accountants
- Malpractice insurers
Note: A provider can itself be a third-party vendor (Business Associate) of another provider.
Third-Party Vendor Decision Tree
Still unsure whether you are a healthcare third-party vendor? If so, the good folks at Holland & Hart have put together the following handy Business Associate decision tree to help you determine whether an entity is a third-party vendor (Business Associate) under HIPAA, as defined in 45 CFR § 160.103.
(Screenshot: page 1 of 2 of the Holland & Hart Business Associate Decision Tree.)

Why Does It Matter?
Providers, it is your responsibility to identify your third-party vendors and confirm that a Business Associate Agreement (BAA) is in place with each of them that holds the vendor to the same standards of privacy and confidentiality that apply to you. The BAA must be current and signed, and it must limit the vendor's use and disclosure of PHI to the minimum necessary to carry out its activities for the provider. Because subcontractors of a vendor that handle PHI are also Business Associates, confirm that your vendors have BAAs in place with their own subcontractors as well.
Healthcare organizations of all sizes, and their third-party vendors, should understand that patients are entrusting them with their most private and intimate details. Patients expect those details to remain secure!