Act Within 24 Hours

Vendor Requesting Patient Data

A vendor is asking for patient data — can I share it?

Stop Before You Send Anything

When a vendor requests patient data, your first action should always be to pause and verify — not send. Sharing PHI with the wrong party, or without the right documentation in place, can constitute a HIPAA breach even if the vendor has legitimate business reasons for the request.

Step 1: Is This Vendor a Business Associate?

Under HIPAA, a "Business Associate" is any person or organization that creates, receives, maintains, or transmits PHI on your behalf while providing services to you. Common examples include:

  • EHR/practice management vendors
  • Billing and coding services
  • IT support companies with system access
  • Cloud storage providers where PHI is stored
  • Transcription services
  • Data analytics or reporting vendors
  • Attorneys or accountants who access PHI as part of their services

If the vendor would handle, store, or have access to PHI as part of the service they're providing, they are a Business Associate.

Step 2: Is a Business Associate Agreement (BAA) in Place?

Before sharing any PHI with a Business Associate, a signed BAA must be in place. This is a non-negotiable HIPAA requirement. Check your vendor management records (or the Vendors section of your compliance portal) to confirm:

  • Is this vendor listed in your system?
  • Is there a signed BAA on file?
  • Is the BAA current (not expired) and does it cover the type of PHI being requested?

No BAA = Do not share PHI. Sharing PHI with a vendor who lacks a signed BAA is an impermissible disclosure and a direct HIPAA violation — even if the vendor is legitimate and trustworthy.

Step 3: What If There's No BAA?

If no BAA exists, do not share the data. Instead:

  1. Inform the vendor that a BAA is required before any PHI can be shared
  2. Initiate the BAA process — use your portal's Vendor Management section or have legal counsel prepare a BAA
  3. Once the BAA is signed by both parties, you may proceed with the data sharing
  4. If the vendor refuses to sign a BAA, you cannot share PHI with them — and you should reconsider whether they're an appropriate vendor at all

Step 4: Apply the Minimum Necessary Standard

Even when a BAA is in place, HIPAA requires that you share only the minimum amount of PHI necessary to accomplish the purpose. Before sending:

  • Confirm what specific information the vendor actually needs to perform their function
  • Remove or de-identify any fields that aren't required for the stated purpose
  • Do not send a full patient record if only a name and date of service are needed
  • Document what was shared, with whom, and for what purpose

Step 5: Verify the Purpose Is Covered

The BAA permits PHI sharing only for specific permitted purposes — typically the services outlined in your service agreement. Confirm that the vendor's current request falls within those permitted uses. If they're asking for PHI for a new purpose not covered in the original agreement, you'll need to amend the BAA or service agreement before proceeding.

Step 6: Use Secure Transmission Methods

When you do share PHI:

  • Use encrypted email, a secure file transfer portal, or encrypted storage
  • Never send PHI via unencrypted email, SMS, or standard file-sharing services without encryption
  • Confirm the vendor's secure receipt and document the transmission

Documentation Requirements

Keep a record of every PHI disclosure to vendors, including:

  • Date of disclosure
  • Vendor name and contact
  • BAA reference
  • Description of PHI shared
  • Purpose of the disclosure
  • Method of transmission

Patients have the right to request an accounting of certain disclosures of their PHI, so your records need to be accurate and retrievable.
