Are healthcare software vendors “business partners or business associates” in the HIPAA definition? Do they receive “protected health information” to perform a function for a “covered entity”?
In the traditional software vendor role, in which the vendor provides software to a Payer/Provider client, the software resides on the Payer/Provider premises, and the processing takes place there, the vendor would not be a business partner or business associate because the software vendor is not the recipient of Protected Health Information (PHI). You would need to be cautious to protect identifiable PHI if you were having a vendor troubleshoot a processing problem or if the vendor were dealing with actual consumer data during installation. The vendor would not have the need to know, and you cannot assume, as you have in the past, that they would not care if the PHI was identifiable. Preparation of test data for use during installation will have to be done carefully. Masking the identifiable information before you have the vendor work with the data would probably be the best option, but could be a “choke point” in a process that needs to be quick and painless. In the new paradigm