HIPAA Compliance for Vendor Partnerships: What Long-Term Care Facilities Need to Know
- Yvette Veuleman
- Dec 17
- 3 min read

Long-term care facilities work with many outside partners — mobile x-ray, laboratory services, consultants, pharmacies, therapy providers, and more. Each vendor plays an important role in resident care, but they also introduce potential risks if privacy and security protocols aren’t properly managed.
HIPAA compliance isn’t just about internal processes inside your facility. It’s also about ensuring that every vendor who handles or has access to Protected Health Information (PHI) is secure, compliant, and following the same standards your staff is held to.
Here’s a clearer look at what surveyors and federal regulators expect when it comes to vendor partnerships and HIPAA compliance. (HIPAA itself is enforced by the HHS Office for Civil Rights; state and CMS surveyors look at how resident privacy and records are handled as part of the survey process, and vendor documentation comes up in both.)
Why HIPAA Applies to Vendor Relationships
Any vendor that creates, receives, maintains, or transmits resident health information on your facility’s behalf is a Business Associate under HIPAA. That means they are legally required to protect PHI, follow the Privacy and Security Rules, and maintain administrative, physical, and technical safeguards. One caveat worth knowing: a provider that receives PHI purely to treat the resident (for example, a lab running an ordered test) is acting as its own covered entity for that treatment, and HIPAA does not require a BAA for treatment disclosures. The BAA requirement attaches when the vendor performs a function or service for the facility, which is the case for most of the partners below.
For long-term care facilities, this includes:
Mobile X-ray and diagnostic imaging companies
Therapy providers
Billing services
Consultants
IT and EMR service companies
Telehealth providers
Labs and pharmacies
If they touch PHI, they’re part of your compliance responsibility.
Business Associate Agreements: The Non-Negotiable Requirement
One of the top items CMS surveyors look for is a current, signed Business Associate Agreement (BAA) between your facility and any vendor handling PHI.
A BAA outlines:
What the vendor is permitted to do with PHI, and what it is not
How PHI is protected
How data is transmitted or shared
Requirements for reporting breaches and security incidents, including the reporting deadline
Security measures the vendor is responsible for
That the vendor’s own subcontractors who handle PHI are bound to the same obligations
How PHI should be returned or destroyed when the contract ends
Missing or outdated BAAs are one of the most common and preventable compliance violations.
What to Expect From a HIPAA-Compliant Mobile Imaging Provider
A reputable mobile x-ray or diagnostic company should make compliance simple.
You should be able to easily request or review:
✔ Technologists’ credentials and licensure
Documented, current, and available on request.
✔ Secure, encrypted transmission of images and reports
Encrypted in transit (for example, delivery to a secure portal, PACS, or directly into the EMR) and encrypted at rest. No unencrypted CDs or USB drives, and no PHI in ordinary email.
✔ Role-based access
Only authorized facility staff should be able to view images, results, or PHI, each with an individual login rather than a shared account, so access can be traced in the vendor’s audit logs.
✔ Clear breach-notification procedures
Vendors must have written policies for handling and reporting data incidents. HIPAA requires a business associate to notify the facility of a breach without unreasonable delay and no later than 60 days after discovery; your BAA can, and usually should, set a shorter window.
✔ Staff training and annual HIPAA refreshers
Technologists and administrative staff should be regularly trained on privacy standards.
✔ Signed BAA on file
Up-to-date and accessible at any time.
These elements are key to demonstrating proper oversight during a state or federal survey.
How LTC Facilities Can Strengthen Vendor Oversight
While vendors are responsible for their own compliance, facilities must also show they maintain oversight.
Here are simple steps that improve both compliance and survey readiness:
Keep a central vendor binder or digital folder
Include contracts, BAAs, credentials, insurance, and annual updates.
Audit vendor communications
Ensure PHI is only shared through secure platforms or portals.
Review your mobile imaging partner annually
Check for changes to licenses, insurance, or compliance documentation.
Confirm that imaging reports are stored properly
Every result should be entered into the resident’s EMR, neatly tied to the signed order.
Ask vendors about their cybersecurity measures
Encryption, multi-factor authentication on remote and portal access, patching, audit logging, and a current security risk analysis, which the Security Rule requires of business associates as well as facilities. Surveyors increasingly ask about this.
Final Thoughts
HIPAA compliance isn’t just an internal responsibility — it’s a partnership. When your mobile imaging provider follows strong privacy and security standards, it not only protects resident data but also strengthens your facility’s overall compliance profile.
Choosing vendors, such as Mobile X-ray of Louisiana, that prioritize HIPAA compliance reduces risk, supports smoother surveys, and ensures residents receive safe, secure, and dignified care.