Employers are responsible for contractors and temporary employee’s compliance with HIPAA.
Here are two examples. You’re a small medical practice whose head nurse goes out on maternity leave and you hire your mother-in-law, an RN, as a temporary replacement until she comes back. You’re an insurance company who has hired a part-time agent to work one day a week from home.
Whatever the scenario, these full-time employees, contract employees or independent contractors these employers hire have access to client or patient Protected Health Information.
The question is, what procedures should you follow?
Employee Classification
Since 2013, the Common Agency Provision of HIPAA in the Omnibus ruling states that you are responsible for your employee’s compliance.
Is your employee a contractor working exclusively for your company, an individual with other clients, or someone hired through a business?
The HIPAA law does not require e
Here is a recommendation:
If the employee is a contractor working exclusively for your company or a sole proprietor with other clients, you cannot expect the individual to generate Policies and Procedures for Privacy and Security as required of either a Business Associate or a Subcontractor BA. It is meaningless to ask them to sign a Business Associate Agreement or a Subcontractor Business Associate Agreement because they will not have the compliance infrastructure required by HIPAA.
Instead, ask them to sign a confidentiality agreement. We recommend including these essential items in your confidentiality agreement:
- What information does the agreement cover
- Employees cannot modify or copy company information
- Information must be returned upon request by the employer
- Disciplinary action for persons responsible for a breach of confidential information
Train your contractors on HIPAA law on updates to your Privacy and Security Policies and Procedures regularly. You should require them to follow your company’s Security Policies and Procedures for things like firewalls and virus protection.
Unfortunately, the employer is fully liable even if the independent contractor was malicious or criminal in creating the HIPAA breach. If the employee is provided through a company with infrastructure, that company will need to meet the compliance standards. Business Associates and Business Associate Subcontractors abide by the same rules and regulations.
Additionally, signing a BA Agreement of BAS Agreement with these companies is essential.
HIPAA Training for Contractors
Covered Entities, Business Associates, and Business Associate Subcontractors must train all employees, including temps and contractors. Also, subcontractors who hire employees have the same responsibility to train these people. The responsibility can extend down several layers.
It might be a pain, but before your contractor or temporary starts working, you must have either a signed Confidentiality Agreement, a BAA or a Subcontractor BAA in hand. This contractor must complete HIPAA training, too. Remember, if you don’t train all your workers, you open yourself up to potential breaches that can result in an HHS audit and potential fines.
Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.