If you are a health care clinic or other office setting, do you have a policy that governs those individuals or “business invitees” who may request and be granted the opportunity to observe or participate in some aspect of your business or clinical operations for a legitimate business purpose? These individuals typically fall into three categories.

The first category includes health professional students who observe or participate in the delivery of patient care as part of their clinical training, and who qualify as a member of your organization's Workforce under HIPAA.[1]

The second category includes health care consultants and other third parties who require some level of access to your patients and their protected health or other personal information (“PHI”) in order to provide clinical or business services on behalf of your organization, subject to the terms and conditions of a HIPAA-compliant Business Associate Agreement.[2]

The third category includes those “business visitors” who are authorized to be on your premises for legitimate business purposes – perhaps to learn more about your organization’s experience with a new device or system or to stock your break room’s vending machines – and who might encounter certain “incidental” access to your patients and their PHI while on your premises, for which a Business Visitor Confidentiality Agreement would be required.

In all cases, these arrangements require certain HIPAA and other safeguards that should be addressed by way of a written policy. Let us offer a checklist to assist you in reviewing (or creating) this important policy.

  • Categories. The Policy should specify the three categories of business invitees that may be authorized under the Policy. In any case, the Policy should affirmatively exclude any individual who is under the age of 18 years of age or who has been sanctioned by the Medicare, Medicaid or other Federal Health Care Programs.
  • Application and Screening. The Policy should also specify the specific written information that must be submitted, in advance, to confirm the individual(s)’ identity (e.g., driver’s license), applicable educational or business affiliations and credentials, all of which requires verification by one of your organization’s key persons. If direct patient contact is involved, additional information to confirm vaccinations or other health information may be required.
  • Orientation and Training. The Policy shall also specify any general orientation or HIPAA-related training that may be required, as in the case of health professional students who qualify as Workforce while on your premises, subject to your direction and control.
  • Documentation. Prior to any arrangements that may involve access to patients or their PHI, whether authorized or incidental, each of the three groups should complete all documentation required as part of your HIPAA compliance program.
    • In the case of health professional students, your organization and the academic program should complete the necessary documentation to confirm the clinical training program requirements and your organizational safeguards.
    • In the case of consultants, your organization should confirm the terms and conditions of the engagement, in writing, to which an executed, HIPAA-compliant Business Associate Agreement should be attached.
    • In the case of a “business visitor” arrangement, a standard “confidentiality and non-disclosure” agreement should be executed by the parties.
  • Additional Requirements. To the extent these business invitees have any opportunity to observe or participate in patient care as part of their on-premises experience, your treating professionals should ensure that all patient consents are confirmed, in writing. It is also prudent to prohibit the use of any cell phones or other mobile devices during these on-premise encounters. Lastly, these individuals should be properly identified and supervised, while on your premises, so to ensure that any encounters with your patients and workforce are professional and appropriate at all times.
  • Non-HIPAA Liability Considerations. An employee who is injured at work is likely subject to the worker’s compensation rubric for which the organization is likely insured. Visitors, who may be on the premises primarily for their own benefit, are likely not subject to worker’s compensation and may be free to file a lawsuit in the event that they are injured on the premises as a result of the condition of the premises or resulting from interaction with a patient. Consideration should be given to whether the organization should require a release of claims and indemnification from such business visitors.