Our EHR solution is partnering with another health related software company with a cloud based API product to provide additional solutions for providers. This is a seamless connection. Some PHI would be stored on the API cloud based system while our EHR would also store PHI either on the client server or the cloud.
I have several questions.
I am assuming that the business associate between our clients/providers and our company make our company responsible for the third party privacy and security of the data. Is that correct?
If the third party solution is maintaining HIPAA logging and our solution is also maintaining HIPAA logging and the client is asking for PHI related information would that require our company to coordinate requested information from both systems back to the client. Or does this now require a separate business associate agreement between our clients and the third party?