Richard - Bizlaw, Attorney
Category: Business Law
Experience:  30 years of corporate, litigation and international law

HIPAA compliance for software developer

Customer Question

We are a software development company that provides administrative software to educational institutions. We do not access students’ PHI; however, when debugging a system, or providing service to our clients, we have the ability to access that information. After extensively studying the HHS website regarding HIPAA compliance we have concluded that we are a Business Associate. The purpose of this letter is to get confirmation from your office that we are a Business Associate and get the following questions answered. 1. Are we considered a Business Associate? 2. What do we need to do to be considered HIPAA compliant? 3. Is a Business Associate Agreement with our clients, the covered entity, the only requirement? 4. Do we also need to train our staff and write up policies for Privacy and Security?
Submitted: 6 years ago.
Category: Business Law
Expert:  Richard - Bizlaw replied 6 years ago.

bizlaw :

From what you say, your normal activities on behalf of the institutions would not require you to use or need access to students' PHI. What I gather arises is that in connection with debugging a system or providing certain services, you may have access to, but no need to use, students' PHI. Whether you are a business associate under this circumstance is problematic but it is better to err on the side of caution. However, I do not believe you need to have a Business Associate Agreement with your clients. What you do need to do is to train your staff and to establish clear corporate policy that if in the course of their duties, they have access to or in any way use PHI, they cannot disclose what they see to any person other than as necessary to disclose to a company associate in connection with providing the service or making the repair and that associate is equally bound to maintain the confidentiality of that information. The policy and the basic procedures should be written. If this is done you will have met your HIPAA obligation and can assure your clients that you will maintain the privacy of the PHI on those rare occasions when you have access to or actually use such information in performing your services for the client.

If this answer is responsive to your question, please accept it. That is how we are compensated. It would also be appreciated if you provided feedback on your view of the answer. Finally, if the answer was especially helpful, you can provide a bonus. If I can be of further assistance or you have other questions in the future, you can ask for me and reach me at this site.

This communication is not intended as legal advice. A local attorney should always be consulted for legal advice. No client/attorney relationship is intended or created by this communication.