Question: We want to house our paper records with an offsite storage vendor. We would submit the records in batches, but want to use a numbering system rather than PHI - like patients' names or dates of service - to access the batches in the future. Do we need to ask the storage vendor to sign a business associate agreement (BAA)?
Connecticut subscriber
Answer: "Yes, there is a strong possibility that the vendor could view PHI in the performance of their duties," says Rick Ensenbach, senior security expert for Shavlik Technologies in Roseville, MN.
Example: A damaged box could reveal information inadvertently to your storage vendor. Or what seems harmless - an inventory of the contents of the boxes or containers - could become PHI when linked with other information the vendor has on hand - such as the boxes coming from a known HIV clinic.
The Bottom Line: The vendor is handling PHI and must ensure that it remains private, Ensenbach states. A BAA will ensure that the vendor takes every precaution to ensure the information it is storing is secure.
Editor's note: Send your privacy and security rule questions to us and we'll both track down your answers and publish them in an upcoming issue.