Last updated: March 9, 2026
This Stony Brook guide is part of our Commercial Cleaning Services resource library.← View the full HIPAA and Your Cleaning Crew: What Janitorial Vendors Need to Know guide
Why HIPAA Applies to Your Cleaning Contractor
The Health Insurance Portability and Accountability Act (HIPAA) protects patient health information — and that protection extends to anyone who could access it, including your after-hours cleaning crew. Under the HIPAA Security Rule and Privacy Rule, a janitorial vendor who enters a medical office with access to Protected Health Information (PHI) may qualify as a Business Associate. Penalties for HIPAA violations range from $141 to $2,134,831 per violation category, with a maximum of $2,134,831 per identical violation per year (2024 HHS penalty schedule). An unlocked chart room and a cleaning crew without training is all it takes.
When Your Cleaning Vendor Is a Business Associate
Not every cleaning contractor qualifies as a Business Associate under HIPAA — but many do. The determining factor is access, not intent:
- If your cleaning crew has unsupervised access to areas where PHI is stored, displayed, or accessible — they are likely a Business Associate
- If your crew can see patient names on sign-in sheets, prescription labels in trash, or information on unattended computer screens — that constitutes potential PHI exposure
- If PHI exposure is "reasonably anticipated" during cleaning operations, a Business Associate Agreement (BAA) is required under 45 CFR 164.502(e)
- A BAA does not need to be complex — it establishes that the vendor will safeguard PHI, report breaches, and train their employees accordingly
The 4 HIPAA Risks Your Cleaning Crew Creates
These are the four most common HIPAA exposure vectors created by after-hours cleaning operations:
- Visual Exposure — Patient charts left on desks, sign-in sheets at reception, lab results on counters, or patient information visible on unlocked computer screens
- Trash and Shredding — Prescription labels, appointment slips, EOBs, and printed patient records in regular trash instead of secure shredding bins
- Unlocked Access — Cleaning crew given master key or code access to records rooms, file cabinets, or medication storage without need-to-know justification
- Photography — Cleaning crews using personal phones to photograph task completion in areas where PHI is visible in the background
How to HIPAA-Proof Your Cleaning Program
Protecting PHI during cleaning operations requires controls on both sides — your practice and your vendor. Here is the practical framework:
- Execute a BAA — If your cleaning vendor has unsupervised access to areas with PHI, execute a Business Associate Agreement before they start. This is a legal requirement, not a best practice
- Define restricted zones — Not every room needs to be accessible to cleaning. Lock records rooms, medication cabinets, and server rooms. Provide access only to the areas that need cleaning
- Implement a clean-desk policy — Require staff to secure PHI before leaving for the night. Flip charts face-down, log out of computers, close file drawers. This is your responsibility, not the cleaner's
- Train your cleaning crew — Conduct HIPAA awareness training covering: what PHI looks like, what to do if they see it, and the absolute prohibition on reading, photographing, or discussing patient information
- Ban personal phones in PHI areas — Require cleaning crews to leave personal devices in a designated area when working in patient care zones. XIRI enforces this in all our medical facility protocols
- Audit compliance — Your facility should periodically verify that PHI is properly secured before the cleaning crew arrives, and that the crew follows restricted-zone protocols