Healthcare providers have many legitimate business reasons for transferring confidential patient information to their vendors. Patient records are shared with a variety of vendors, such as transcription, laboratory, billing, information technology, and other service providers. As a result, questions arise as to who owns and controls patient information and who is responsible for protecting it. Federal and state laws address some of these issues, but a great deal of ambiguity still exists.
In a relationship between a provider and a vendor, the provider typically is the owner of the patient information and is required to protect it. Nevertheless, when information is housed with a vendor and becomes part of the vendor's information system, some liability must be placed upon the vendor to protect the information and return it in a usable form once the relationship between the provider and the vendor is terminated. This issue becomes complicated when vendors, which are not necessarily governed by the same laws as providers, do not have the same motivation or infrastructure to protect or retrieve patient information.
For providers to protect their ownership rights as well as the confidentiality of their patient information, they need to perform due diligence regarding the vendors they intend to use, as well as enter into agreements that address the unique concerns of patient information and the purpose for which such information will be used. Below we describe some of the more significant issues that providers should consider when allowing vendors to access patient information.
Before entering into an agreement with a vendor involving the disclosure of patient information, a provider should perform due diligence in regard to the vendor. In addition to researching whether the vendor has ever had any privacy or security breaches, a provider should consider issues such as where and how the vendor will store the information, how the vendor destroys documents and electronic files with patient information, and whether the vendor has established a security program that complies with HIPAA requirements. For example, a provider should be aware of whether the vendor will be remotely accessing the provider's information and, if so, what features will be in place to ensure that unauthorized users will not be able to access the information.
Another consideration is whether the vendor performs criminal background checks on its employees, requires them to enter into confidentiality agreements, has confidentiality policies, or provides staff training on confidentiality.
The extent of a provider's due diligence depends upon the amount and sensitivity of the patient information that will be given to the vendor. Providers can obtain background information on vendors in a variety of ways: asking directly, contacting other clients, reviewing written procedures, or performing site visits.
Services and Business Agreements
Once a vendor has been selected, a written services agreement should be prepared, which addresses the use, disclosure, ownership, and confidentiality of patient information. In addition to describing the type of information that may be exchanged by the parties and the purposes for which such information can be used, the services agreement should clearly state that the provider owns, and will continue to own, the patient information.
In most cases in which a provider is providing patient information to a vendor or allowing a vendor to collect patient information on the provider's behalf, the vendor is a business associate of the provider. Therefore, a business associate (BA) agreement is required. The BA agreement is particularly beneficial to a provider because HIPAA mandates that certain provisions be included, and many of these protect the provider's patient information.
A provider should ensure that the BA agreement complements, and works in conjunction with, the vendor services agreement. For example, HIPAA explicitly states that the BA agreement must prohibit the vendor from using or disclosing patient information other than as authorized in the services agreement or as required by applicable law. For the provider to take advantage of this legal mandate, the provider should ensure that the services agreement clearly describes the purposes for which the vendor can use the patient information.
HIPAA requires that if a provider learns that a vendor has violated its obligations under the BA agreement, the provider must: (1) require the vendor to cure the breach and end the violation; or (2) if the vendor does not cure the violation, terminate the agreement, if feasible; or (3) if termination is not feasible, report the problem to the Department of Health and Human Services. A provider should ensure that the BA agreement includes each of these options. In addition, although not required by HIPAA, a provider should ensure that there is a reasonable time frame in which the vendor is required to cure any breaches.
Patient information may become vulnerable when a vendor agreement terminates. A vendor may seek to inappropriately retain, disclose, or use patient information in the vendor's control. To minimize such vulnerability, the provider and vendor should agree at the outset how patient information will be returned upon termination.