Question
Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
"Our office has been using the vendors tool in Bite-Size HIPAA® to help us manage our required Business Associate Agreements with our various dental partners. We noticed there is not a category for equipment and supply couriers. We have our UPS and FedEx deliveries brought in through our practice’s back door and into our supply room. We do this to try to keep our deliveries 'behind the scenes' of our patient experience. However, this has me concerned about the information the delivery people might hear or see during the process. Shouldn’t we be requiring our delivery companies to sign BAAs? How do we get UPS to sign our BAA?"
Thank you for your question and for using Bite-Size HIPAA® to help manage your practice’s compliance! You are certainly not the first office to be concerned about this but good luck getting UPS or FedEx to sign anything. Let’s see what the HIPAA law has to say about potential PHI disclosures to delivery personnel.
Is It PHI?
Our first step is always to ask if the information we are concerned about is actually protected health information. Remember, PHI includes any data about a healthcare treatment or payment that could be linked to a particular person. The simple fact that an individual is a patient of your practice is protected health information. So just a name, being associated with the practice needs to be kept private and confidential. Here, there are two types of disclosures we need to think about. First, the delivery personnel may be transmitting patient data for the practice. They might have insurance information, lab results, or other information about your patients and this information is clearly PHI. Second, delivery personnel could certainly see individually identifiable health information as they walk through your office. This information would also be PHI.
Three Exceptions
Next, let's see if HIPAA allows the disclosure. Remember, our basic rule is that you cannot disclose PHI without patient authorization, unless there is a specific permitted disclosure rule that applies(treatment, billing, healthcare operations). In this case, there are disclosure rules that apply. First, the law allows disclosures for treatment and billing, so any mail containing PHI that the delivery personnel are carrying will likely fall under those exceptions. Second, the law allows disclosures that are incidental to another permitted use or disclosure. This is in section 164.502(a)(1)(iii). An incidental disclosure is a secondary disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of some other permitted disclosure. What this means is that if you are using PHI for a permitted purpose, such as treatment or billing, and you are using reasonable safeguards to protect such PHI, but during this permitted use there happens to be a limited disclosure to somebody else, then that disclosure is okay. So, if you are using reasonable safeguards to protect PHI in your office, but a delivery person still manages to see a patient name as they walk through the office, that is an incidental disclosure and is permitted under HIPAA.
The HIPAA Law
Our next question is whether we need to have a Business Associate Agreement or BAA in place. A BAA is a required contract between a provider and any organization that HIPAA defines as a Business Associate. The definition of Business Associate is found in Section 160.103. The definition is quite complex, but basically, it includes any person or entity that performs certain functions or activities, on behalf of the provider, that involve the routine use or disclosure of protected health information. If you look simply at the language of the law it sounds like delivery personnel would qualify because they are performing an action, delivery, on behalf of the provider and it contains PHI. But thankfully, there are two reasons that delivery personnel do not fall under this definition.
First, while delivery personnel are transmitting PHI on behalf of the practice when delivering mail, HHS considers them “conduits” of the information, and has ruled that conduits are not Business Associates. The conduit exception is intended to exclude only those entities providing simple courier services, such as the Postal Service, UPS, or FedEx, and their electronic equivalents, such as internet service providers (ISPs) providing data only transmission services. A conduit transports information, but does not access it other than as necessary to perform the transportation service. If a company stores the information or processes it in any way, then it is not a conduit and would be a Business Associate. An email provider stores information, they are a BA. The Internet Service Provider does not, so they are considered a conduit.
Second, HHS has provided guidance on its website that says a Business Associate contract is not required with organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. So, since any PHI that a delivery person may see while walking through your office would be incidental to their services, this disclosure does not make them a Business Associate.
Summary
To summarize - delivery personnel are not Business Associates under HIPAA because they are merely a conduit of information as their services do not require the use or disclosure of PHI and any access to PHI they do have is incidental.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted – but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.