Many physician offices are struggling to determine which of their vendors are business associates and which are not. It can be a daunting task. One of the most frequently asked questions we receive is whether or not janitorial or cleaning services are business associates or not. Like all things regulatory – it depends. I know everyone hates hearing this answer, so allow me to elaborate to help you determine if your cleaning crew is a business associate or not.
Cleaning and janitorial services in general are not business associates as defined by the privacy rule, and therefore, a business associate agreement (BAA) is not required, most of the time. There are examples of times that a janitorial service could act as a business associate. For example if your cleaning service also disposes of paper protected health information (PHI) – ie shredding services – or if they perform after hours filing services for you, it is likely they are business associates and would require a BAA.
If your janitorial service is not a business associate, this does not mean that you do not have to limit the amount of incidental disclosures, or access, they have to your patients’ PHI. You need to restrict access to PHI to the minimum necessary to perform a job function. A janitorial crew has no need to access PHI to perform his/her duties. The limited access obtained by a janitor would likely be incidental and not subject to privacy violations. However, if the janitor is unsupervised, and you have not secured PHI in a reasonable fashion, then a violation of the rule could occur as a result of lack of security safeguards rather than a BAA violation.
Just because the privacy rule does not require BAAs for janitorial services (and therefore entities really should not enter into them), covered entities should not assume that the HIPAA privacy rule will permit all incidental uses and disclosures of PHI, especially when those disclosures are caused by lack of HIPAA security compliance. It is feasible that a breach could still occur that you would be liable for if you have not taken reasonable safeguards to prevent unauthorized viewing: locking cabinets, turning off computers, putting away all paper PHI, ect… In the end, it is up to you to protect its PHI. You must create and implement healthy safeguards to ensure PHI is being protected in all forms. (And as a shameless plug, HIPAAtrek has software that can help you create and implement safeguards to help with your compliance efforts!)