Compliance · March 12, 2026 · 7 min read

HIPAA and Medical Office Cleaning: What Your Cleaning Company Must Know

When a cleaning crew enters a medical office after hours, they're working in an environment filled with protected health information (PHI) — patient files on desks, lab results in printers, billing information on screens, and prescription pads in drawers. HIPAA's Privacy and Security Rules don't stop applying because the clinical staff went home. Cleaning companies working in healthcare environments have specific obligations under HIPAA, and medical offices have specific responsibilities in managing their cleaning vendors. This guide clarifies both sides.

Is Your Cleaning Company a Business Associate?

Under HIPAA, a Business Associate is any entity that performs functions or activities on behalf of a covered entity (healthcare provider) that involve access to PHI. The key question is whether the cleaning company will have routine access to areas where PHI is present. If cleaning staff regularly access exam rooms, medical records areas, billing offices, or any area where patient information may be visible or accessible, the cleaning company likely qualifies as a Business Associate and should execute a Business Associate Agreement (BAA). The 2013 HIPAA Omnibus Rule expanded Business Associate obligations, making BAs directly liable for HIPAA compliance — not just the covered entity.

Practical HIPAA Protocols for Cleaning Operations

Cleaning companies working in healthcare should implement several HIPAA-conscious practices. Staff should never read, photograph, or discuss any patient information encountered during cleaning. Documents found outside of secured areas should not be moved or sorted — they should be left in place or placed in a designated 'found documents' location per the practice's protocol. Shredding bins should never be emptied by cleaning staff unless specifically authorized and documented. Computer screens visible during after-hours cleaning should not be accessed or interacted with. Any suspected breach (finding PHI in public areas, unsecured records, etc.) should be reported to the practice's designated privacy officer.

Employee Training and Background Checks

HIPAA doesn't specifically mandate background checks, but it requires reasonable safeguards for PHI protection. In practice, this means cleaning staff assigned to medical facilities should undergo criminal background checks, receive HIPAA awareness training covering the basics of PHI protection, understand the practice's specific policies for handling found documents, and sign confidentiality agreements. Training should be documented and refreshed annually. The cleaning company should be able to provide training records upon request — this is a common question during HIPAA compliance audits of the covered entity.

Physical Security During Cleaning

After-hours cleaning operations create physical security considerations under HIPAA. Cleaning staff should use only authorized access points and follow key/card protocols. Medical records rooms and server rooms may require separate access authorization beyond general building access. The cleaning crew should not prop open doors to restricted areas. Alarm systems should be properly managed during cleaning shifts — cleaning company leadership should have current alarm codes and protocols. Any after-hours visitors or deliveries should be handled per the practice's security policy, not at the cleaning crew's discretion.

GreenPoint provides HIPAA-aware cleaning services for medical offices across all five states we serve. Every healthcare crew member receives HIPAA training, undergoes background checks, and signs confidentiality agreements. We execute Business Associate Agreements with healthcare clients as a standard practice — not as an afterthought.

GreenPoint Maintenance Services
MBE-Certified Commercial Cleaning · NY, NJ, CT, PA, FL