Q: How can I make sure my contractors are HIPAA compliant?
As part of their HIPAA requirements, healthcare professionals need to make sure that contractors they hire are prepared to follow HIPAA and HITECH privacy rules. How do you enforce HIPAA requirements among third parties and business associates? The answer: use contracts.
The Department of Health and Human Services recommends that you use a business associate agreement that outlines HIPAA requirements. The HHS has posted sample HIPAA provisions for business associate agreements. Put these provisions in your contractor agreements (or use the HHS templates) to have a HIPAA compliant contract.
Which contractors need to sign a business associate agreement (BAA)? You'll need BAAs for any contractor who could have access to your data or physical custody of patient files. This includes:
- IT contractors.
- Paper shredding companies.
- Medical billing companies.
- CPAs.
- Medical transcriptionists.
- Couriers and delivery drivers who transport medical files.
- Consultants.
It's not always obvious which contractors need to sign a BAA. For instance, HVAC service companies sometimes need network access to control the temperature of office buildings. Because they access your network, you might be required to have them sign a business associate agreement with HIPAA or HITECH language.
When in doubt, use a HIPAA contract and keep a copy of the agreement in your files. If you ever undergo a HIPAA audit, you'll be required to show documentation of all business associate agreements.
To learn more about reducing your contractor liability, check out our article "Making Sure Your Contractors Meet HIPAA and HITECH Security Requirements."