I don't see Julie's connection between the certification process described by Kepa and what the software vendor is proposing. The software vendor could possibly be providing the total extent of the IT capabilities of her covered entity customers. Who else could provide the testing on behalf of her customers in this case? The vendor, if testing with live data, should have a business associate agreement with the CE customer - perhaps one of the answers she's seeking. It's perfectly permissible for a CE to delegate testing to a business associate - the vendor here - even though it retains the ultimate responsibility for adhering to the TCS and privacy rule requirements.
And regarding Kepa's comment, why would a vendor business associate - if not otherwise a covered entity - have ever needed to file an ASCA extension? Hopefully, she did remind her customers to do so - as if it really matters! It would also be appreciated if Julie could give us some concrete examples of where state regulatory requirements might require customization within the standard transactions. Are these "customizations" something that the testing vendors could possibly validate against? Confused, William J. Kammerer Novannet, LLC. Columbus, US-OH 43221-3859 +1 (614) 487-0320 ----- Original Message ----- From: "Julie Thompson" <[EMAIL PROTECTED]> To: "WEDI SNIP Testing Subworkgroup List" <[EMAIL PROTECTED]> Sent: Monday, 25 November, 2002 09:27 PM Subject: Re: New Issue from Issues Database While a good idea, similar to Claredi's certifcation model, the reality is that most implementations are customized due to state regulatory requirements+++. Therefore a software vendor should and could call themselves "HIPAA compliant", but each covered entitiy is responsible for their own compliance and must test independently. Sorry, guys :=( Julie A. Thompson V.P. Concio From: Kepa Zubeldia <[EMAIL PROTECTED]> Reply-To: "WEDI SNIP Testing Subworkgroup List" <[EMAIL PROTECTED]> To: "WEDI SNIP Testing Subworkgroup List" <[EMAIL PROTECTED]> Subject: Re: New Issue from Issues Database Date: Mon, 25 Nov 2002 16:06:06 -0700 John, Has this been discussed yet? Did this vendor file for the ASCA extension? Very interesting topic. Kepa ----- Original Message ----- From: <[EMAIL PROTECTED]> To: "WEDI SNIP Testing Subworkgroup List" <[EMAIL PROTECTED]> Sent: Thursday, 14 November, 2002 09:20 AM Subject: New Issue from Issues Database Hello everyone, This issue was recently added to the Issues Database and was assigned to our SWG. Please take a few minutes and review the issue. We can discuss this in our conference call today. Thanks!! Issue ASCA requires that compliance testing be preformed no later than Arpil 2003. I work for a software vendor who will supply the 4010 837 to hundreds of customer throughout the US. For testing purposes, may we, the software vendor, test on behalf of our customers? If so, would we be required to use each individual customer's data? Or, must each of our customers perform their own testing? If there are any more detailed rules, i.e., internal vs external testing, on this same topic, I would appreciate an explanation of the detailed rules as well. Thank-you _______________________________________________ John Lilleston Technical Supervisor Verizon Information Technologies, Inc. Healthcare Solutions 813-979-3225 [EMAIL PROTECTED] http://www.VerizonIT.com/ --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-testing as: [email protected] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
