
HIPAA for Contractors and Locums

Small clinics use locum physicians, temp staff, and independent billing contractors. Whether each relationship requires a BAA or HIPAA training depends on a specific regulatory distinction most clinics get wrong.

Short answer

The most common mistake clinics make with contractors is treating every non-employee as a business associate requiring a BAA. The actual distinction depends on whether the contractor operates under the clinic's direct supervision using clinic systems - if so, they are a workforce member for HIPAA purposes, not a business associate, and the clinic is responsible for their training and access controls.

Small medical clinics rely on non-employee workers more heavily than most industries. Locum physicians cover vacations and unexpected absences. Temporary medical assistants fill gaps during hiring. Independent billing services handle claims. Medical scribe companies provide documentation support.

Each arrangement creates a HIPAA compliance obligation. Which obligation, and who bears it, depends on a distinction most clinics misapply.

The Workforce Member vs. Business Associate Distinction

HIPAA draws a clear line between two categories of people and organizations that have contact with PHI.

Workforce members are defined in 45 CFR § 164.103 as employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of the covered entity - whether or not they are paid by the covered entity.

Business associates are defined in 45 CFR § 160.103 as persons or entities that perform functions or activities involving the use or disclosure of PHI on behalf of a covered entity, where those functions or activities are performed with a degree of independence from the covered entity’s direct control.

The employment relationship - W-2 versus 1099, permanent versus temporary - is not the determining factor. The determining factor is control: does the covered entity directly supervise and direct the person’s work, or does the person operate independently using their own processes and systems?

The compliance obligations differ based on the classification:

  • Workforce members: the clinic is responsible for their HIPAA training, access controls, and policy compliance. The clinic’s sanctions apply if they violate policies.
  • Business associates: the business associate maintains its own security program and compliance obligations. The clinic protects itself through a signed BAA and periodic oversight.

Workforce Member Contractors: What This Means Operationally

A contractor who works on-site at your clinic, uses your systems, follows your scheduling, and is directed by your staff in their daily work is a workforce member for HIPAA purposes - regardless of how they are paid or how their staffing is arranged.

For workforce member contractors, the clinic’s obligations are the same as for any other workforce member:

  • HIPAA training. The contractor must complete the clinic’s role-appropriate HIPAA training before independently handling PHI. The fact that they are a temporary placement or an independent contractor does not exempt them from this requirement.
  • Clinic-issued credentials. The contractor must have individual, clinic-issued credentials for every system they access. They should not use another staff member’s login. They should not use credentials from a previous engagement at the clinic.
  • Access controls. The contractor’s system access should be calibrated to their role, consistent with the minimum necessary standard, the same way a permanent employee’s access would be.
  • Off-boarding. When the contractor’s engagement ends, their access must be revoked promptly - the same off-boarding process that applies to terminated employees applies to contractors whose engagements conclude.
  • Sanctions. If the contractor violates the clinic’s HIPAA policies, the clinic’s sanction policy applies. The fact that they are not a direct employee does not insulate them from consequences or the clinic from responsibility for their actions.

Business Associate Contractors: What This Means Operationally

A contractor who provides services to the clinic using their own systems, processes PHI without day-to-day supervision from clinic staff, and operates with a degree of independence from the clinic’s direct control is a business associate.

For business associate contractors, the clinic’s obligations center on the BAA and periodic oversight:

  • Executed BAA before PHI is shared. No PHI may be transmitted to or accessed by a business associate until a BAA is signed by both parties. This is a hard prerequisite, not a formality to complete after the relationship is already running.
  • Verify the BAA covers the actual scope of services. A BAA is not a generic document that transfers all risk. It should accurately describe the functions the business associate performs and the PHI they will handle.
  • Periodic review. The clinic should have a record of when the BAA was last reviewed and whether the business associate’s security practices remain adequate. This does not require annual on-site audits - a periodic written review or questionnaire is sufficient for most small clinic relationships.
  • Subcontractor consideration. Business associates are required to flow down BAA obligations to their own subcontractors who handle PHI. For key business associate relationships, confirm that subcontractor BAAs are in place.

Locum Physicians

Locum physicians are among the most commonly misclassified relationships in small clinic compliance programs. Clinics sometimes treat locums as business associates and execute BAAs with them, when the correct treatment is workforce member.

A locum physician who:

  • Practices medicine at your clinic
  • Uses your EHR and documentation systems
  • Sees patients under your clinic’s name
  • Is supervised within your clinical structure
  • Operates under your clinic’s policies and procedures

…is a workforce member for HIPAA purposes. The fact that they are placed by a staffing agency, paid hourly, or engaged for a limited period does not change this analysis.

The practical requirements for a locum physician:

  • Clinic-issued EHR credentials (never under another provider’s login)
  • Completion of clinic HIPAA training before independent patient contact
  • Policy acknowledgment consistent with what other providers sign
  • Access removal when the locum engagement ends, on or before the final day

The locum’s staffing agency - the entity that manages payroll, placement, and the employment relationship - may separately be a business associate if the agency itself has access to PHI. Assess the agency relationship independently.

Medical Scribe Services

Medical scribe services are a case where the classification can go either way depending on the arrangement.

A scribe who is physically present in the exam room with the provider, documenting the encounter in real time under the provider’s direct supervision, using clinic credentials, is operating as a workforce member. The clinic is responsible for their training and access controls.

A remote scribe service that receives audio recordings of encounters and returns transcriptions - using their own systems, without day-to-day supervision from clinic staff - is a business associate. A BAA is required before any audio recordings containing PHI are transmitted.

Some scribe companies offer hybrid arrangements. Evaluate each arrangement based on where the actual work occurs and who supervises it.

Temporary Staffing Agency Relationships

When a staffing agency places a temp worker at the clinic, the compliance picture involves two separate questions:

Question 1: Is the placed individual a workforce member?

If the temp works on-site using clinic systems under clinic supervision, yes. The clinic is responsible for HIPAA training and access controls for that individual, regardless of the agency billing arrangement.

Question 2: Is the staffing agency a business associate?

This depends on whether the agency has access to PHI. In most standard staffing arrangements, the agency does not access patient records - they manage the employment relationship for the placed individual. In that case, the agency is not a business associate.

However, if the agency provides nursing, clinical, or administrative services where the agency itself (not just the individual placed) has access to PHI - for example, managing scheduling records that include patient information - then the agency may be a business associate and a BAA may be required.

Evaluate each staffing arrangement on its actual structure, not its label.

Common Mistakes and How to Correct Them

Treating all contractors as business associates

This is the most common error. It happens because “sign a BAA” feels like a complete compliance action, and it is easier than working through the workforce member analysis.

Contractors who are workforce members receive a BAA instead of training and access controls. The BAA does not transfer the clinic’s responsibility for a workforce member’s conduct. If the contractor violates the clinic’s policies, the clinic is accountable - BAA or not.

Correction: Apply the workforce member test first. If the contractor works under clinic supervision using clinic systems, treat them as a workforce member. Execute a BAA only for contractors who operate independently with PHI using their own systems.

Giving locums access under another provider’s credentials

This happens when a locum arrives and the front desk or EHR administrator has no process for provisioning new credentials quickly. Using another provider’s login creates a Security Rule violation (shared credentials) and destroys the audit trail for both providers’ clinical documentation.

Correction: Every EHR should have a provisioning process for locum credentials that can be completed within 24 hours of confirmed engagement. The locum’s engagement dates should be known in advance in most cases.

Failing to off-board contractors at engagement end

When a contractor’s engagement ends without a formal off-boarding process, their credentials may remain active. The same risks that apply to terminated employees apply to contractors whose engagements conclude.

Correction: Treat the end of a contractor engagement as a termination event for access management purposes. Execute the off-boarding checklist, revoke credentials on or before the final day, and document completion.

Executing a BAA but never verifying security practices

A BAA establishes legal obligations for the business associate. It does not guarantee that those obligations are being met. For high-volume or high-sensitivity relationships - billing companies, transcription services - the clinic should periodically verify that the business associate maintains adequate security practices.

Correction: Add a periodic review step for key business associate relationships. A written attestation or security questionnaire from the business associate, reviewed annually, is a reasonable standard for most small clinic relationships.

Documentation Requirements by Relationship Type

| Contractor type | Classification | Required documentation |
|---|---|---|
| On-site locum physician | Workforce member | Training record, policy acknowledgment, credential issuance log, off-boarding checklist |
| On-site temp MA / clinical support | Workforce member | Training record, policy acknowledgment, credential issuance log, off-boarding checklist |
| Remote billing company | Business associate | Executed BAA, periodic security review record |
| Remote medical coding service | Business associate | Executed BAA, periodic security review record |
| Remote transcription service | Business associate | Executed BAA, periodic security review record |
| On-site scribing (under provider supervision) | Workforce member | Training record, policy acknowledgment, credential issuance log |
| Remote scribe service (audio-to-text) | Business associate | Executed BAA |
| Staffing agency (no direct PHI access) | Neither | Contract with HIPAA cooperation clause recommended |
| Staffing agency (with PHI access) | Business associate | Executed BAA |

What Covered Entities Are Responsible For

Regardless of how a contractor is classified, your clinic remains responsible for the PHI in its custody. A business associate that suffers a breach involving your patients’ records triggers notification obligations on your part. A workforce member contractor who accesses PHI outside their authorized scope is your compliance problem.

The contractor relationship does not transfer the accountability that comes with being a covered entity. The proper structure - workforce member treatment or BAA - clarifies obligations, creates documentation that the right steps were taken, and gives the clinic something concrete to show regulators if the relationship is later scrutinized.

PHIGuard tracks training completion, policy acknowledgments, and off-boarding steps for both permanent staff and contractors, with the same audit trail regardless of employment type. See pricing for plan details.


FAQ

Questions related to this topic

Do we need a BAA with our locum physician?

Generally no. A locum physician practicing medicine at your clinic using your EHR, under your clinical supervision structure, is a workforce member for HIPAA purposes. They should receive clinic HIPAA training and clinic-issued EHR credentials. A BAA is not the appropriate instrument for this relationship.

Does our billing company need a BAA?

Yes. A billing company that receives PHI and processes claims using its own systems and independent processes is a business associate. An executed BAA is required before they can receive or process PHI on behalf of your clinic.

What if we use a staffing agency to place a temp medical assistant on-site?

The individual temp, working on-site under your supervision using your systems, is typically a workforce member - they need HIPAA training and access controls consistent with their role. The staffing agency itself may also be a business associate if the agency has access to PHI (for example, through placement records that include patient information). Assess both relationships separately.

Can we use a signed BAA to cover a contractor who is really a workforce member?

No. A BAA is not a substitute for the training, access controls, and supervision obligations that apply to workforce members. Signing a BAA with someone who is operating as a workforce member does not transfer the clinic's responsibility for their HIPAA compliance.
