Do Janitorial Services Require a Business Associate Agreement?


As a HIPAA-covered organization, you know you need business associate agreements (BAAs) for many of your vendors. But what about your janitor? Are janitorial services business associates (BAs)? Let’s look at the definition of a BA and determine whether janitors fall into this category.

The U.S. Department of Health and Human Services (HHS) defines a BA as:

“a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

Are Janitors Business Associates?

Most of the time, janitors are not BAs (as defined by the HIPAA Privacy Rule). They don’t perform any activities or services that use protected health information (PHI). In this case, you do not need a BAA, and you should restrict their access to the minimum necessary to perform their job. Restricting access also means limiting incidental disclosures to your janitor.

However, sometimes a janitorial service could act as a BA. For example, if they shred sensitive paper documents or perform filing services, then they are most likely a BA because their service to your organization involves access to PHI. Therefore, you would need a BAA.

Even though HIPAA doesn’t require a BAA for most janitorial services, you can’t permit all uses and disclosures of PHI. If you fail to supervise your cleaning crew and haven’t secured PHI in a reasonable manner, you’ve set the stage for a HIPAA violation. Without proper HIPAA security safeguards, you’d be liable if an unauthorized person accesses PHI and causes a breach. Therefore, you must put reasonable safeguards in place, such as locking cabinets, turning off computers, and securing paper PHI.

Vendor management doesn’t need to be a pain. In the HIPAAtrek platform, you can create, negotiate, and sign your BAAs, thus eliminating unnecessary back-and-forth with your vendors. Request a demo or contact us to learn more.
