Under the federal HIPAA regulations, a covered entity such as a healthcare provider must have a Business Associate Agreement (BAA) in place with any third party that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. Such agreements address how that third party handles actual patient records.
Broadly speaking, a third-party service provider working with a healthcare provider stays on the right side of HIPAA in one of two ways:
- Avoid all access to, and handling of, healthcare-related data, or
- If healthcare data must be handled, sign a BAA and comply with the HIPAA Privacy and Security Rule requirements and current best practices.
For the tech services Iowa City Tech (ICT) offers, we avoid all access to or interaction with health records, which for purposes of this document means patient information in printed or on-screen, human-readable form.
Tasks like replacing a broken keyboard, installing an Ethernet cable, or running a Windows update do not require access to patient records. If a technician says they need access to confidential patient records to make sure your mouse is working, you need to find another technician.
In an office that adequately meets HIPAA compliance requirements, patient records are physically and digitally secured, so IT support can be provided without any need for access to patient data. Even so, ICT will make the additional effort to completely avoid accessing, viewing, or interacting with patient data.
Even if an office is not fully HIPAA compliant (e.g., patient data is readily accessible without password protection, or patient files are left out on counters), ICT will not touch, access, view, or handle any patient data, even if it is available.
We keep up with current best practices in tech security, and we have completed HIPAA training, but we are not a HIPAA compliance provider and do not track the evolving requirements for compliance. You will need a HIPAA compliance company (much as you would retain a skilled tax accountant) that can continuously improve your HIPAA compliance in line with the latest guidelines and practices.
Our promise is to stringently follow best practices for privacy. However, because of the broad and varied vulnerabilities present in most offices and practice management systems, access by other third parties, and the possibility of undetected system compromises, too many factors are outside our control, and ICT shall not be held liable for any data loss or breach. For example, if a security breach resulted in the loss of healthcare data, ICT would not accept liability for that loss.
This agreement covers IT services provided to your organization, office, or business by Iowa City Tech (ICT). By signing below, you acknowledge that ICT will make every effort to keep health and other personal information private and secure.
By typing your name below as the business owner or an authorized agent, you provide a digital signature confirming that you have read the above agreement and accept its terms.
(Agreement Version: 20220302WE2153)