We are all familiar with Business Associate Agreements and the importance of having this contract in place, explaining exactly what your Business Associate can and cannot do with the organization’s patient data.
A Business Associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of Protected Health Information (PHI), and where any access to PHI by such persons would be incidental, if at all. Generally, janitorial services that clean offices of Covered Entities are not Business Associates as the work they perform does not involve the use or disclosure of PHI.
Here is where it gets tricky. Most Covered Entities have patient data in paper form as well as electronic data. You are required to ensure the Confidentiality, Integrity and Availability of all PHI, in any form. Do papers containing PHI stay on desks after hours? Are fax and copy machines checked at the end of the day to ensure PHI is not sitting out? Are medical records rooms, or any offices containing PHI, locked at the end of the business day? Are staff expected to log out of all operating systems and applications containing ePHI when the work day is done? Do computers have an auto-lock policy?
A Clean Desk Policy specifies how employees need to leave their work space/desk when they step away from their workstations, and at the end of the business day.
A Clean Desk Policy helps limit the exposure of sensitive data, especially PHI, to unauthorized individuals such as cleaning staff or vendors, and so helps avoid a security incident or, worse, a breach. All workforce members should sign a Clean Desk Policy that explains clearly what is expected of them, reinforcing the importance of securing patient data.
HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.