
I'm creating a website that is HIPAA related for contract work and want to make sure I dot all my i's.

I keep seeing Business Associate contracts on the internet, but so far I have not seen anything amounting to a non-business associate contract. Does something like that exist? If not, should I make one up basically stating that

1) I'm not a Certified HIPAA Security Professional (CHSP) and as such cannot be expected to provide advice on HIPAA security outside of definitions of HIPAA security rules (164.312 Technical safeguards).

2) Code created by me will adhere to HIPAA security rules (164.312 Technical safeguards) to the best of my ability and understanding but it is up to CLIENT to have such code validated and modified as needed by a HIPAA security expert for its legality in accordance with HIPAA laws.

3) I will not have access to PHI information personally and will not have access to the website after it is published.

Does that sound right? Would any of that hold up?

Element Zero

1 Answer


The main thing here is to see whether or not YOUR COMPANY has an obligation to be HIPAA compliant. In this case, it would be your customer (that requires the services) that has this obligation and not you as a contractor, since you are merely making a website for them. They would be the ones that need to do the audits to make sure that they are HIPAA compliant, not you.

Another item to look at is the definition of a business associate and of a business associate agreement (BAA). These generally involve creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity. Since you are not transmitting PHI, HIPAA compliance does not concern you. If your client asks you to be HIPAA compliant when you are not handling PHI, they do not know what they are talking about.

You should also not be looking for something that does not exist (a 'non Business associate agreement').

NASAhorse