When is a Vendor of a Covered Entity Not a Business Associate?

Modified on Mon, 22 Jan 2024 at 04:25 PM

Generally, a vendor of a covered entity is not a business associate if it does not receive, use, disclose, or maintain PHI. Examples of vendors of covered entities that are not business associates include:
1. IT vendor that has access to hospital information systems solely to install, update, or maintain malware protection. 
2. Cleaning service with access to staff offices, medical record rooms, or other areas in which PHI may exist. 
3. A software company that licenses a locally hosted program which utilizes or processes PHI.
4. A consultant who is granted limited access to quality, compliance, or other internal reports which include only aggregate information.
5. Employees or members of a healthcare provider's workforce, including volunteers or others over whom the healthcare provider has control.
6. Other healthcare providers, while rendering treatment.
Persons who do not work with PHI as part of their job duties even though they may periodically see PHI, e.g., landlords.
7. Entities that are mere conduits for PHI but who do not regularly access PHI, e.g., the U.S. Post Office, Internet Service Providers that do not store PHI.
8. Entities acting on their own behalf, and not on behalf of the providers (for example: payers, credit card companies, and other financial institutions). 

9. Government agencies performing their required functions (e.g., police, courts).

