Chain of Trust Case Study

Scenario: Continuing our previous case study, Dr. Johnson ended up signing a business associate contract with another answering service that was HIPAA compliant. That answering service used a voice and data IT company to service its equipment and computers.

Question: What does the answering service need to do to be able to work with that voice and data IT company?

The answering service must ensure the IT company is HIPAA compliant before sharing access to its systems, since those systems may contain PHI. Just like Dr. Johnson, the answering service must ensure that the IT company is legally responsible for the PHI it receives or has access to by having it sign a business associate contract.

This now forms a chain of trust from Dr. Johnson to the answering service and to the IT company.

Protecting PHI from Physical Theft