All good points As usual, there are two sides to every argument. Whether you sign a vendor initiated BA contract or not is a business decision. HIPAA does not disallow this activity, but it does not require you to sign every BA contract that crosses your door. At least you know that this vendor is HIPAA savvy when you throw their agreement away. Start to worry about the vendors who have not initiated any discussion. Obviously Carolyn's company understands enough about HIPAA to know the operational impacts on her business. What about those who don't?
-----Original Message----- From: Price, Carolyn [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 2:34 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: to sign or not to sign Leslie: There are many different types of vendors who may be Business Associates. Those who perform a function for many different clients are often accessing PHI in order to fulfill their business obligation. It is not workable to have a different set of rules, imposed by each client, to perform the business function. This will lead to almost certain errors. Better to have one set of rules, spelled out clearly, to allow them to do what they have been hired to do. The BAK should spell out what safeguards will be imposed, and what the BA will do in order to assure compliance with HIPAA. I understand that you are the covered entity,but you also expect your BA to be compliant, and to perform in an error-free manner. There will be some BAs who have a valid reason for asking you to sign their agreement. Carolyn Price -----Original Message----- From: Harpe, Leslie [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 11:13 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: to sign or not to sign I don't think vendors should write agreements. I represent a hospital that is getting a lot of agreements from vendors. I say this with strong conviction, I do not want to sign vendor agreements. I think that if I've given you access to my patient information, you should sign my agreement. After all, its my information and I'm responsible for it. Furthermore, you are not a covered entity and you are not required by law to have an agreement. Do you have a Notice of Privacy Practice? Of course not, but why would you follow part of the law and not all of it? I wonder if I'll have this same strong conviction when JCAHO sends me their agreement. Thanks, Leslie Harpe South Georgia Medical Center Valdosta, GA 31605 [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> -----Original Message----- From: Ian Leedom [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 12:23 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: to sign or not to sign I also represent a software vendor in a similar situation. Our take has been that we must have Business Agreements (BA) with the CE's simply because we have access to PHI. It also means that at some level, we need to know who has in fact accessed things and when. I think that the fact that you have access to a DB which has PHI in it is enough to trigger all of the privacy rule in HIPAA . My problem, and I'd love to hear from others about this, is what sort of BA we should in fact have. We have enough clients that if we send every agreement from every client to our corporate attorneys then we'll be bankrupt before April. And you're right that some clients want indemnification for things which are THEIR business and for us to keep data even after a business contract has ended. If anyone has any to add to this, I for one would love to hear it. Ian Leedom Psyche Systems 321 Fortune Blvd. Milford, MA 01757 Tel: (508) 473-1500 x341 Compliments humbly accepted. Flames cheerfully ignored. -----Original Message----- From: Jim Randolph [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 11:39 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: to sign or not to sign Let me carry this a step further. We are a software vendor that has received BACs, TPAs and Chain of Trust agreements from different customers. As a vendor to this particular customer base we are exposed to PHI but never manipulate it in any way. Our support personnel do review setup configurations, billing problems or DB issues; but don't do anything to PHI. Attorneys and consultants are advising our customers so differently that no matter what, we end up being "the evil vendor." Some of the BACs we receive are rather ridiculous, like requiring us to assume financial liability if our customer has any HIPAA problems in the future. The question for the group is: What is required in this scenario a BAC, TPA or COT? Jim Randolph The Echo Group -----Original Message----- From: Traci Winter [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 22, 2003 3:49 PM To: WEDI SNIP Privacy Workgroup List Subject: to sign or not to sign OK so the next question is do we sign these BACs or just put them in the round file. Your answers reflected what my impression was, but I wanted reinforcement. Thanks, Traci Winter --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org