Health Information Compliance Alert

Temporary employees can save the day when business booms but if you don't know how to treat them under HIPAA, you could be headed for trouble. And with the compliance deadline looming, the status of temporary workers appears to be a point of confusion for many covered entities.

"People are all over the place on this," says Steve Bernstein with Boston-based McDermott Will & Emery. According to Bernstein, covered entities and temp agencies have been adopting a range of strategies to deal with temporary employees.

In some cases, says Bernstein, temp agencies are taking the position that while the corporate part of the agency is not itself a business associate, the temporary employees that it hires out are. If your temp agency takes this approach, advises Bernstein, then all of the normal rules governing business associates apply and you'll need, among other things, written contracts with each individual temp. More importantly, you'll also need to remember that it's still your job to ensure that your temps like all your other business associates comply with your privacy policies and procedures.

In other cases, says Bernstein, covered entities are taking the simpler approach of incorporating temporary workers into their standard work force "so that they take on and accept the HIPAA privacy policies of the underlying covered entity." This last approach seems to be the most popular.

"I've been telling people to treat temps as members of the work force," says Amy Fehn, with Royal Oak, MI's Wachler and Associates. "If you have control over a temporary employee, they would be considered a member of your work force, based on the definition of 'work force' in the privacy rule."

That definition counts as work force all "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity."

However, it's important to remember, notes Fehn, that if your going to consider temporary employees as members of your work force, then HIPAA requires you to train temps on your company's privacy policies and procedures in the same way you would treat your permanent work force. That means that you'll have to train temps on those policies "within a reasonable period of time" after they join your company. It also means that you must document that the training has been provided.

In addition, Fehn points out that like any member of your work force, you should have your temporary workers sign a confidentiality agreement that includes a provision requiring the temp to maintain that confidentiality after their service with you is completed.

So what's the upshot of these different approaches? A simple point: Whether you treat your temporary employees as business associates or as work force, you are still responsible for ensuring they comply with your company's HIPAA procedures.