As a HIPAA-covered organization, you know you need business associate agreements (BAAs) for many of your vendors. But what about your janitor? Are janitorial services business associates (BAs)? Let’s see the definition of a BA and determine if janitors fall into this category.
The U.S. Department for Health and Human Services (HHS) defines a BA as:
“a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
Are Janitors Business Associates?
Most of the time, janitors are not BAs (as defined by the HIPAA Privacy Rule). They don’t perform any activities or services that use protected health information (PHI). In this case, you do not need a BAA, and you should restrict their access to the minimum necessary to perform their job. Restricting access also means limiting incidental disclosures to your janitor.
However, sometimes a janitorial service could act as a BA. For example, if they shred sensitive paper documents or perform filing services, then they are most likely a BA because their service to your organization involves access to PHI. Therefore, you would need a BAA.
Even though HIPAA doesn’t require a BAA for most janitorial services, you can’t permit all uses and disclosures of PHI. If you fail to supervise your cleaning crew and haven’t secured PHI in a reasonable manner, you’ve set the stage for a HIPAA violation. Without proper HIPAA security safeguards, you’d be liable if an unauthorized person accesses PHI and causes a breach. Therefore, you must put reasonable safeguards in place, such as locking cabinets, turning off computers, and securing paper PHI.
Vendor management doesn’t need to be a pain. In the HIPAAtrek platform, you can create, negotiate, and sign your BAAs, thus eliminating unnecessary back-and-forth with your vendors. Request a demo or contact us to learn more.