A healthcare system's Privacy Officer is reviewing third-party vendor relationships. Which of the following vendors requires a Business Associate Agreement?
-
A
A cleaning company that accesses patient care areas but not patient records
-
B
A law firm providing legal advice to the organization regarding HIPAA compliance
-
C
A cloud storage vendor that maintains backups of encrypted ePHI where only the covered entity holds the decryption keys
-
D
A medical transcription company that transcribes physician notes containing PHI