In the OCR guidance that was issued in December, the very last question in the section on BA's says this:
> Q: Is a software vendor a business associate of a covered entity?
>
> A: The mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the protected health information of the covered entity. If the vendor does need access to the protected health information of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity. For example, a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity. In these examples, a covered entity would be required to enter into a business associate agreement before allowing the software company access to protected health information. However, when an employee of a contractor, like a software or information technology vendor, has his or her primary duty station on-site at a covered entity, the covered entity may choose to treat the employee of the vendor as a member of the covered entity’s workforce, rather than as a business associate. See the definition of “workforce” at 45 CFR 160.103.

I would say the need for a BAA then depends on the details of what you do for your customers. If you are a software retailer, like CompUSA or something like that, I'd argue no BAA is necessary. If you provide on-site service and troubleshooting, or can remotely access the CE database, then I'd say you do need a BAA.

I don't think a TPA is appropriate. My understanding is that this is a device from the Transaction and Code Set Standards and would only be used between parties that are conducting a covered transaction.

COT agreements I believe are a creature of the long-awaited Security Rule, and since that is not finalized I don't think we can say if a COT is appropriate or not.
Noel Chang -- Open WebMail Project (http://openwebmail.org)

---------- Original Message -----------
From: [EMAIL PROTECTED] (Jim Randolph)
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Thu, 23 Jan 2003 11:39:07 -0500
Subject: RE: to sign or not to sign

> Let me carry this a step further. We are a software vendor that has received BACs, TPAs and Chain of Trust agreements from different customers. As a vendor to this particular customer base we are exposed to PHI but never manipulate it in any way. Our support personnel do review setup configurations, billing problems or DB issues, but don’t do anything to PHI. Attorneys and consultants are advising our customers so differently that no matter what, we end up being “the evil vendor.” Some of the BACs we receive are rather ridiculous, like requiring us to assume financial liability if our customer has any HIPAA problems in the future.
>
> The question for the group is: What is required in this scenario, a BAC, TPA or COT?
>
> Jim Randolph
> The Echo Group
>
> -----Original Message-----
> From: Traci Winter [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 22, 2003 3:49 PM
> To: WEDI SNIP Privacy Workgroup List
> Subject: to sign or not to sign
>
> OK, so the next question is: do we sign these BACs or just put them in the round file? Your answers reflected what my impression was, but I wanted reinforcement.
>
> Thanks,
> Traci Winter
> ---
>
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
>
> You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]. If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
------- End of Original Message -------