Asking for your opinion please!
Based on Wedi's Business Associate Decision tree, Stericycle, our Biohazardous Waste/Sharps Management Company, is a business associate and should sign a business associate agreement. The biohazard bags they dispose of contain waste that has protected health information on it, such as patient labels with names, birthdates, etc. Stericycle then transports the bags for disposal.
Wedi's question "Will the other person or entity be able to access PHI on a routine basis AND/OR is there a possibility that the PHI in the person or entity's custody or control could be compromised (e.g., data storage vendor, document shredding company, or other, etc.)?" helped me make this decision. What do you think, am I on the right track?
I think you're right on! If there is patient information on the waste items, and they have possession of it...you don't know what could happen. So they need to be contractually obligated to protect the patient data.
Scot Lovejoy RPh. CFP CHC
Chief Pharmacy Officer
9 Campus Drive, 2nd Floor East
Parisippany, N.J. 07054
(O) 973-540-8400 x227
Confidentiality Notice: This e-mail is intended only for the person(s) to whom it is addressed and may contain information that is confidential, proprietary, privileged or otherwise protected from disclosure. If you are not an intended recipient, please (i) do not read, copy or use this communication, or disclose it to others, (ii) notify the sender immediately by replying to the message, and (iii) delete the e-mail from your system. Thank you.
Hi Cinda, yes I would consider them a BA and initiate a BAA with them.
Erin M. Jack, RHIA, CHC, CHPC
Privacy & Data Ethics Official
Data Ethics, Policy, and Privacy Department
Forbes Hospital - Office: 412-858-2534
Allegheny Valley Hospital - Office: 724-389-6520
Thank you everyone for your feedback!