Managing Vendors With Access to PHI

private health information

Q: What do I need to do to manage Vendors who have access to our PHI?

A: In 2017, a covered entity paid a $31,000 settlement over its vendor, a record storage company, after OCR discovered that the parties had no Business Associate Agreement (BAA) in place. OCR determined that the covered entity had transferred the PHI of at least 10,000 patients to the vendor before executing a BAA. Some lessons learned are:

  1. make sure the covered entity has a template BAA,
  2. identify who your business associates are, and
  3. designate an individual responsible for making sure the BAAs are executed.

Often documents are sent out but no one follows up to make sure they get signed. Make sure they are signed BEFORE transferring any PHI. Review with your staff what needs to be sent and what should not be transferred. Make sure you comply with the HIPAA record retention requirements by keeping agreements for at least 6 years following termination.

Revolution Law Group is located in Greensboro, NC, and serves individuals and small businesses throughout the Triad and surrounding areas. To contact us, please visit or call 336-333-7907.

The information included here is for informational purposes only, is not exhaustive of all considerations when creating documents, is not intended to be legal advice, and should not be relied upon for that purpose. We strongly recommend you consult with an attorney and do not attempt to create your own documents.