Health Information Compliance Alert

READER QUESTIONS:

TURN YOUR STORAGE VENDORS INTO BUSINESS ASSOCIATES

Question: We want to house our paper records with an offsite storage vendor. We would submit the records in batches, but want to use a numbering system rather than PHI - like patients' names or dates of service - to access the batches in the future. Do we need to ask the storage vendor to sign a business associate
agreement (BAA)?


Connecticut subscriber


Answer: "Yes, there is a strong possibility that the vendor could view PHI in the performance of their duties," says Rick Ensenbach, senior security expert for Shavlik Technologies in Roseville, MN.

Example: A damaged box could reveal information inadvertently to your storage vendor. Or what seems harmless - an inventory of the contents of the boxes or containers - could become PHI when linked with other information the vendor has on hand - such as the boxes coming from a known HIV clinic.

The Bottom Line: The vendor is handling PHI and must ensure that it remains private, Ensenbach states. A BAA will ensure that the vendor takes every precaution to ensure the information it is storing is secure.

Editor's note: Send your privacy and security rule questions to us and we'll both track down your answers and publish them in an upcoming issue.

Other Articles in this issue of

Health Information Compliance Alert

View All