Preparing Contractors for HIPAA Compliance

Employers are responsible for their contractors' and temporary employees' compliance with HIPAA.

Here are two examples. You're a small medical practice whose head nurse goes out on maternity leave, and you hire your mother-in-law, an RN, as a temporary replacement until she comes back. Or you're an insurance company that has hired a part-time agent to work one day a week from home.

Whatever the scenario, the full-time employees, contract employees, or independent contractors these employers hire have access to client or patient Protected Health Information.

The question is, what procedures should you follow?

Employee Classification

Since 2013, the Common Agency Provision of HIPAA in the Omnibus ruling states that you are responsible for your employees' compliance.

Is your employee a contractor working exclusively for your company, an individual with other clients, or someone hired through a business?

The HIPAA law does not require employers to train quasi-employees. However, companies are held responsible if one of these individuals breaches Protected Health Information.

Here is a recommendation:

If the employee is a contractor working exclusively for your company or a sole proprietor with other clients, you cannot expect the individual to generate Policies and Procedures for Privacy and Security as required of either a Business Associate or a Subcontractor BA. It is meaningless to ask them to sign a Business Associate Agreement or a Subcontractor Business Associate Agreement because they will not have the compliance infrastructure required by HIPAA.

Instead, ask them to sign a confidentiality agreement. We recommend including these essential items in your confidentiality agreement:

  • What information the agreement covers
  • Employees cannot modify or copy company information
  • Information must be returned upon request by the employer
  • Disciplinary action for persons responsible for a breach of confidential information

Train your contractors on HIPAA law and on updates to your Privacy and Security Policies and Procedures regularly. You should require them to follow your company's Security Policies and Procedures for things like firewalls and virus protection.

Unfortunately, the employer is fully liable even if the independent contractor was malicious or criminal in creating the HIPAA breach. If the employee is provided through a company with infrastructure, that company will need to meet the compliance standards. Business Associates and Business Associate Subcontractors abide by the same rules and regulations.

Additionally, signing a BA Agreement or BAS Agreement with these companies is essential.

HIPAA Training for Contractors

Covered Entities, Business Associates, and Business Associate Subcontractors must train all employees, including temps and contractors. Also, subcontractors who hire employees have the same responsibility to train these people. The responsibility can extend down several layers.

It might be a pain, but before your contractor or temporary worker starts working, you must have either a signed Confidentiality Agreement, a BAA, or a Subcontractor BAA in hand. This contractor must complete HIPAA training, too. Remember, if you don't train all your workers, you open yourself up to potential breaches that can result in an HHS audit and potential fines.
