I'm creating a website that is HIPAA-related for contract work and want to make sure I dot all my i's.
I keep seeing Business Associate contracts on the internet, but so far I have not seen anything amounting to a non-business associate contract. Does something like that exist? If not, should I make one up basically stating that:
1) I'm not a Certified HIPAA Security Professional (CHSP) and as such cannot be expected to provide advice on HIPAA security outside of definitions of HIPAA security rules (164.312 Technical safeguards).
2) Code created by me will adhere to HIPAA security rules (164.312 Technical safeguards) to the best of my ability and understanding but it is up to CLIENT to have such code validated and modified as needed by a HIPAA security expert for its legality in accordance with HIPAA laws.
3) I will not have access to PHI information personally and will not have access to the website after it is published.
Does that sound right? Would any of that hold up?