Skip to main content

HIPAA requirements extend to outsourced work

December 11, 2017

Outsourcing is a great way to shift workloads, but executives need to be careful when partnering with vendors to ensure they are complying with HIPAA rules. A slip up by a business associate could cost treatment centers time and money when liability comes into play.

Providers need to be vigilant about partnerships with call centers designed to capture potential patients. Although people calling into the center are not patients yet, they are providing information that might be protected under HIPAA.

Nicole DiMaria, member of Chiesa, Shahinian, & Giantomasi PC’s Health Care and Hospital, Corporate and Securities and Privacy & Data Security groups, says the legality of HIPAA compliance at these call centers can depend on the situation.

“You need to ask about the who, what, when, where and why,” she says. “You have to look at what the call center does and its activities. Is it only for healthcare providers, or does it collect information on its own behalf that they would sell to others?”

If the call center is collecting identifiable and individual health information, which can be broadly defined, it’s difficult to get away from the conclusion that the information should be protected under HIPAA rules, DiMaria says.

“It’s better to be on the conservative side. On a general basis, assume the information is protected even if [callers] are not actual patients yet,” she says.

Look to the contract

If a covered entity, such as a healthcare provider, works with a business associate, such as a call center, a written contract or other arrangement is needed to establish specifically what the business associate has been hired to do, according to the U.S. Department of Health & Human Services. The contract also needs to require the business associate to comply with requirements to protect the privacy and security of protected health information.

A healthcare provider’s contract with its business associate must contain the following elements, according to HHS:

  • explain the permitted and required uses of protected health information by the business associate;
  • ensure the business associate won’t use or further disclose protected health information other than as permitted or required by the contract or by law; and
  • require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information.

When working with business associates, DiMaria says to look to the contract for reassurance. “See if they have done the risk assessment required under HIPAA. Have they done those basic activities that constitute HIPAA compliance? The contract can say a lot about what the business associate has in place.”

However, she says it’s always better to dive deeper when examining the business associate’s practices.

“Get written procedures and policies upfront because those are the first evidence of compliance,” she says.

What if there’s a breach?

Treatment centers that use outsourced vendors need to be careful because they could be held responsible under HIPAA if there were to be a breach.

“When storing the health information on their systems, if [call center companies] don’t have secure systems they can face fines and penalties,” DiMaria says. “If there’s a breach it will fall to the covered entity, which will have to handle all the expense with the breach—but again you have contractual obligations to determine who’s going to pay for it.”

For example, if a call center employee’s laptop with protected health information is stolen, the business associate is required to report that breach to the covered entity, the contracting healthcare provider, DiMaria says.

If the healthcare provider knows a material breach or HIPAA violation has taken place by the business associate, the provider is required to take reasonable steps to fix the breach or end the violation, according to HHS. If those steps are unsuccessful, the provider must terminate the contract or arrangement with the business associate. If termination is not possible, then the provider is obligated to report the issue to the Department of Health and Human Services Office for Civil Rights.

DiMaria says the government also will conduct random audits to ensure business associates are in compliance with HIPAA rules.

“Some have been fined,” she says, adding that covered entities, too, should conduct audits on these business associates to ensure compliance.

Alicia Hoisington is a freelance writer based in Ohio.

Back to Top