What do I need to do to manage Vendors who have access to our PHI?

In 2017 a covered entity paid a $31,000 settlement over a vendor, a record storage company, after OCR discovered that the parties did not have a Business Associate Agreement (BAA) in place. OCR determined that the covered entity had transferred the PHI of at least 10,000 patients to the vendor before executing a BAA. Some lessons learned: keep a template BAA for the covered entity, identify who your business associates are, and designate an individual responsible for making sure each BAA is actually executed. Often the documents are sent out but no one follows up to confirm they were signed. Make sure they are signed BEFORE any PHI is transferred. Review with staff what needs to be sent to a vendor and what should not be transferred at all. Finally, comply with the HIPAA record retention requirements by keeping the agreements for at least 6 years following termination.