Return, Destruction of PHI May Be Overlooked in Vendor Contracts

With health care organizations more reliant on vendors and more data in the cloud, they may want to consider the fate of the data when their contracts end. They have a stake in making sure protected health information (PHI) is properly disposed of.

Contracts with business associates should have specific references to the return or destruction of electronic PHI (ePHI) when the contracts end, said Debi Weatherford, executive director of internal audit at Piedmont Healthcare. “You want to make sure you have done everything possible to protect the ePHI,” she said.

That’s a requirement in the HIPAA privacy rule at 45 C.F.R. § 164.504, which states, “At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.”[1]
