Why Healthcare Staffing Agencies Must be HIPAA Compliant


A healthcare staffing agency can be either a business associate or a covered entity, depending on what it does. Generally, if the agency provides temporary personnel placement to a covered entity, the agency is acting as part of the covered entity’s workforce. As such, the staffing agency and the temp employees performing the work are regarded as part of the covered entity. This means that the staffing agency, since it is acting as a covered entity, must provide HIPAA Security Rule and HIPAA Privacy Rule training to the temp employees.

Sometimes, the service the staffing agency provides is not related to temporary personnel placement. For example, a staffing agency may perform advertising, billing, or marketing services (among other services) for a covered entity. These services, if they require the staffing agency to create, transmit, store, or receive PHI, are considered business associate services. Therefore, the staffing agency is acting as a business associate and must enter into a business associate agreement with the covered entity. The healthcare staffing agency, now acting as a business associate (instead of as a covered entity), is still responsible for training staff annually on HIPAA requirements. Training ensures that staff members adhere to the proper use and disclosure of PHI.

How Do I Become HIPAA Compliant?

Many organizations don’t understand the complexities of being truly HIPAA compliant. The Department of Health and Human Services (HHS) developed regulations that every organization handling PHI must adhere to.

This includes the HIPAA Security Rule, which mandates specific administrative, physical, and technical safeguards that must be in place in order to be HIPAA compliant.

Administrative Safeguards

These are the safeguards you must put in place to ensure that staff members are properly trained to carry out the security measures you have adopted. Administrative safeguards should include policies and procedures that document the security safeguards you have in place, as well as employee training on those policies and procedures to ensure that they are being properly executed.

Physical Safeguards

These are the safeguards your business puts in place to protect the physical security of the offices where PHI or ePHI may be stored or maintained. Common examples of physical safeguards include alarm systems, security systems, and locked areas where PHI or ePHI is stored.

Technical Safeguards

These are the safeguards you must put in place to protect the ePHI that your business stores, processes, or transmits electronically. Technical safeguards must be implemented to protect the ePHI maintained by your business. Examples of technical safeguards include firewalls, encryption, and data backup.

As part of the regulation, you must limit the use and transmission of PHI to the minimum necessary to complete the job at hand. You must also limit access to PHI to only those healthcare staff members who need it to complete their jobs. In addition, business associate agreements (BAAs) must be in place to ensure that PHI is properly disclosed and safeguarded.
