Magazine article Behavioral Healthcare Executive

Protecting Ownership of Patient Information

Article excerpt

Healthcare providers have many legitimate business reasons for transferring confidential patient information to their vendors. Patient records are shared with a variety of vendors, such as transcription, laboratory, billing, information technology, and other service providers. As a result, questions arise as to who owns and controls patient information and who is responsible for protecting it. Federal and state laws address some of these issues, but a great deal of ambiguity still exists.

In a relationship between a provider and a vendor, the provider typically is the owner of the patient information and is required to protect it. Nevertheless, when information is housed with a vendor and becomes part of the vendor's information system, some liability must be placed upon the vendor to protect the information and return it in a usable form once the relationship between the provider and the vendor is terminated. This issue becomes complicated when vendors, which are not necessarily governed by the same laws as providers, do not have the same motivation or infrastructure to protect or retrieve patient information.

For providers to protect their ownership rights as well as the confidentiality of their patient information, they need to perform due diligence regarding the vendors they intend to use, as well as enter into agreements that address the unique concerns of patient information and the purpose for which such information will be used. Below we describe some of the more significant issues that providers should consider when allowing vendors to access patient information.

Due Diligence

Before entering into an agreement with a vendor involving the disclosure of patient information, a provider should perform due diligence in regard to the vendor. In addition to researching whether the vendor has ever had any privacy or security breaches, a provider should consider issues such as where and how the vendor will store the information, how the vendor destroys documents and electronic files with patient information, and whether the vendor has established a security program that complies with HIPAA requirements. For example, a provider should be aware of whether the vendor will be remotely accessing the provider's information and, if so, what features will be in place to ensure that unauthorized users will not be able to access the information.

Another consideration is whether the vendor performs criminal background checks on its employees, requires them to enter into confidentiality agreements, has confidentiality policies, or provides staff training on confidentiality.

The extent of a provider's due diligence depends upon the amount and sensitivity of the patient information that will be given to the vendor. Providers can obtain background information on vendors in a variety of ways: asking directly, contacting other clients, reviewing written procedures, or performing site visits.

Services and Business Agreements

Once a vendor has been selected, a written services agreement should be prepared, which addresses the use, disclosure, ownership, and confidentiality of patient information. In addition to describing the type of information that may be exchanged by the parties and the purposes for which such information can be used, the services agreement should clearly state that the provider owns, and will continue to own, the patient information.

In most cases in which a provider is providing patient information to a vendor or allowing a vendor to collect patient information on the provider's behalf, the vendor is a business associate of the provider. Therefore, a business associate (BA) agreement is required. The BA agreement is particularly beneficial to a provider because HIPAA mandates that certain provisions be included, and many of these protect the provider's patient information.

A provider should ensure that the BA agreement complements, and works in conjunction with, the vendor services agreement. …
