Last updated: March 9, 2026
This guide is part of our Commercial Cleaning Services resource library — helping facility managers stay compliant across OSHA, HIPAA, CMS, and state regulations.
Why HIPAA Applies to Your Cleaning Contractor
The Health Insurance Portability and Accountability Act (HIPAA) protects patient health information, and that protection extends to anyone who could see it, including your after-hours cleaning crew. Depending on what the crew actually does with Protected Health Information (PHI), a janitorial vendor can fall under HIPAA's Business Associate rules; even when it does not, the covered entity remains responsible for reasonable safeguards against exposure. Civil penalties for HIPAA violations range from $141 to $2,134,831 per violation depending on the culpability tier, with an annual cap of $2,134,831 for violations of an identical provision (2024 HHS inflation-adjusted schedule). An unlocked chart room and an untrained cleaning crew are all it takes.
When Your Cleaning Vendor Is a Business Associate
Not every cleaning contractor is a Business Associate under HIPAA, and under HHS guidance most are not. The determining factor is what the vendor's service involves and how much PHI it is exposed to, not intent:
- HHS guidance treats a janitorial service whose contact with PHI is only incidental (a chart glimpsed while emptying a bin) as not a Business Associate. No BAA is required for that vendor, but the practice must still apply reasonable safeguards (45 CFR 164.530(c)) so that such exposure stays incidental, which is the condition under which incidental disclosures are permitted at all (45 CFR 164.502(a)(1)(iii))
- If the vendor's service itself involves handling PHI, for example collecting and destroying medical records or emptying shredding bins, the vendor is a Business Associate and a Business Associate Agreement (BAA) is required before PHI is disclosed to it (45 CFR 164.502(e))
- If you give the crew unsupervised access to records rooms, open file cabinets, or unlocked workstations so that PHI exposure is routine rather than incidental, treating the vendor as a Business Associate and executing a BAA is the conservative choice, and it is what most practices do
- Patient names on sign-in sheets, prescription labels in trash, and information on unattended computer screens are all PHI; what the crew can see during a normal shift is the measure of your exposure either way
- A BAA does not need to be complex; it must set out the permitted uses of PHI and obligate the vendor to safeguard it, report breaches and other impermissible uses or disclosures, and bind its workers and subcontractors to the same terms (45 CFR 164.504(e)). Requiring the vendor to train its crews is a reasonable term to add
The 4 HIPAA Risks Your Cleaning Crew Creates
These are the four most common HIPAA exposure vectors created by after-hours cleaning operations:
- Visual Exposure — Patient charts left on desks, sign-in sheets at reception, lab results on counters, or patient information visible on unlocked computer screens
- Trash and Shredding — Prescription labels, appointment slips, EOBs, and printed patient records in regular trash instead of secure shredding bins
- Unlocked Access — Cleaning crew given master key or code access to records rooms, file cabinets, or medication storage without need-to-know justification
- Photography — Cleaning crews using personal phones to photograph task completion in areas where PHI is visible in the background
How to HIPAA-Proof Your Cleaning Program
Protecting PHI during cleaning operations requires controls on both sides — your practice and your vendor. Here is the practical framework:
- Decide the BAA question first. If the vendor's service involves handling PHI, or you are giving the crew unsupervised access where PHI is routinely exposed, execute a Business Associate Agreement before they start. For a crew whose contact with PHI is only incidental, HHS does not require a BAA, but the safeguards below are still your legal obligation under the Privacy Rule, not a best practice
- Define restricted zones — Not every room needs to be accessible to cleaning. Lock records rooms, medication cabinets, and server rooms. Provide access only to the areas that need cleaning
- Implement a clean-desk policy — Require staff to secure PHI before leaving for the night. Flip charts face-down, log out of computers, close file drawers. This is your responsibility, not the cleaner's
- Train your cleaning crew — Conduct HIPAA awareness training covering: what PHI looks like, what to do if they see it, and the absolute prohibition on reading, photographing, or discussing patient information
- Ban personal phones in PHI areas — Require cleaning crews to leave personal devices in a designated area when working in patient care zones. XIRI enforces this in all our medical facility protocols
- Audit compliance — Your facility should periodically verify that PHI is properly secured before the cleaning crew arrives, and that the crew follows restricted-zone protocols