Last week the American Dental Association published a response from The Office of Civil Rights (OCR) regarding whether or not Dental Labs require a Business Associate Agreement. Their response was: no, they are not considered Business Associates because they are considered a Covered Entity as a Healthcare Provider.
That’s a great clarification; however, many labs don’t acknowledge they are a Covered Entity. In states like California, Dental Labs are not required to have a DDS or DMD on staff, and some labs attempt to skirt both the Covered Entity and Business Associate titles.
You can only send Protected Health Information (PHI) to another business or person if the recipient is a Covered Entity, a Business Associate or the patient themselves. Per OCR: All disclosures must be categorized as a Covered Entity or Business Associate to be permissible. If not, then you are breaching Protected Health Information.
What To Do?
Ensure the vendors you use acknowledge they are a Covered Entity. If they say they aren’t a Covered Entity, you have two choices: categorize them as a Business Associate since they are creating, receiving, maintaining or transmitting PHI on your behalf, or cease all business with them.
Once you’ve defined your HIPAA relationship, make sure they aren’t doing things like writing names of patients on the outside of the box or on the shipping label (I’ve watched delivery services say the names in a crowded waiting room).
If they don’t acknowledge or accept your terms, consider finding different vendors — this is your patient information after all, and you are expected to protect it to the best of your ability, including the vendors you refer work to.