Different third parties
Different third parties have varying needs for access to PHI; some do not need access at all, while others will see many items of identifying information about patients. When a third party needs access to PHI, HIPAA kicks in, imposing security and privacy requirements on the organization. Therefore it is important to know what information constitutes PHI, so you can determine how a third-party contractor must be managed. In addition, you need to know what safeguards must be in place if access to PHI is granted. In this assignment, you will develop a decision tool to determine if access to PHI is required and what types of safeguards must be in place before a business associate is given access to PHI. To protect patient privacy and information security and to avoid HIPAA compliance violations, a covered entity should give the third party only as much access as it needs to perform its function.
Preparation: Research as needed to determine which data constitutes PHI. Use the video in the Resources as an overview of security procedures related to HIPAA. Review the other resources for information on security requirements.
Develop a decision tool that can be used to determine a third party’s need to access to PHI. Your tool should adhere to the following requirements:
- List which information is defined as PHI.
- Provide the criteria to determine if safeguards are required under HIPAA.
- Indicate which safeguards must be in place if a third party uses PHI.
- Decide if a business associate needs access to PHI based on the service they provide.
- Explain the three types of safeguards (administrative, physical and technical) required to protect health information.