The government has created the concept of “business associates” to address this. A business associate is a person or entity, outside of a covered entity, that has access to health information.
Examples include: billing companies, transcription services, practice management companies, financial managers, auditors, service providers, software vendors, or data storage companies.
To comply with the privacy regulation, a covered entity must have a written contract with a business associate that guarantees the privacy of personal health information to the same standards that apply to a covered entity. Such a contract benefits a covered entity, which then knows that it is dealing with a business that understands, and complies with, HIPAA guidelines.