HIPAA Compliance and Independent Contractors
 

Q. If we have independent contractors who handle protected health information (PHI), can we require them to take our annual Health Insurance Portability and Accountability Act (HIPAA) training as a condition of working for us without jeopardizing their independent contractor status? 

A. Under HIPAA regulations, an entity must train all members of its workforce on the policies and procedures related to PHI. The definition of “workforce” under HIPAA includes individuals under the direct control of the entity. Control is important, as it can trigger certain obligations for employers under various federal and state employment laws. For employment laws, the degree to which an employer “controls” the aspects of a job, and how the individual renders services, is one of the main factors used to gauge the proper classification of an employee or independent contractor regardless of what the employer labels the individual. Direct control could lead to a determination that an individual is an employee and not an independent contractor. 

In Idaho, the status is determined under an open-ended “right to control” test determined on a case-by-case basis. The Idaho Supreme Court has recognized that in cases where there is a doubt whether a worker is an independent contractor or employee, the matter will be resolved in favor of finding the worker to be an employee. Under the Fair Labor Standards Act (FLSA), an economic realities test is used, which looks at the totality of the circumstances and asks whether the employer has a right to proscribe how the worker performs the work. Thus, mandating an individual contractor’s attendance at training can endanger the classification even if the training may be required for compliance under federal law. This includes training for compliance under HIPAA. 

Options to avoid a misclassification would be to include offering the training for the independent contractors without making it a condition for continued work with the company or providing incentives for attendance. Unfortunately, these options will not ensure compliance under HIPAA, and compliance should instead be covered in the independent contractor agreement. Typically, where an independent contractor may acquire PHI, employers enter into agreements that include HIPAA compliance and confidentiality clauses and may even specifically require compliance with HIPAA provisions listed in Department of Health & Human Services Business Associate Contracts. The independent contractor will also need to agree that the employer be notified immediately if any HIPAA regulation is violated, even beyond the period of the agreement if the subject PHI is still being managed or stored.

Jason R. Mau is an attorney in the Boise, Idaho office of Parsons Behle & Latimer.  He can be reached at 208-562-4898 or sending an email to jmau@parsonsbehle.com.

Capabilities