We do not believe that a HIPAA covered entity or upstream business associate should enter into a business associate agreement (“BAA”) with a custodial service unless the custodial service is actually doing something for the covered entity that involves protected health information (“PHI”), such as shredding it. If the duties of the custodial service do not require access to or use of PHI and if the exposure to the PHI is merely accidental or incidental, such as finding a lab report that had fallen under a desk, the custodial service would not be a business associate. Given the increased liability of covered entities and upstream business associates under the Omnibus Rule, under which a covered entity or upstream business associate can be liable for the breach of the business associate under the federal common law of agency, we do not think that you want to add entities as business associates unless you have to.
That theory does not mean, however, that your contract with your custodial service shouldn’t have some language to protect your PHI. Thus, we have developed and updated such contract language in a confidentiality agreement, and it is now available on the Premium Member section of our Veterans Press website. We will also be adding the confidentiality agreement to the 6th edition of our HIPAA Documents Resource Center CD, which will be forthcoming shortly.
As a reminder, if you bought the HIPAA Compliance Library that includes my 5th edition of the Compliance Guide to HIPAA and the DHHS Regulations, you received with it a one-year free subscription to the Premium Member section. If you need help setting up your account to access the Premium Member section, please call our marketing director, Patrick R. Head II, toll-free at 855-341-8783 or email him at patrick@veteranspress.com.