business associate agreement

Luke Schierer lschiere at pidgin.im
Mon Jun 1 17:02:54 EDT 2015


EVERYTHING that you do on a computer is submitted through your operating system. If you type protected information on the keyboard, the OS is responsible for transmitting that information to the application.  If you save protected information to disk, the OS plays a part in moving that information from memory to storage.  So on and so forth.  

When I am responsible for implementing protection of information, the considerations MUST include the operating system. 

But the base question is I suppose adequately answered.  You are planning on transmitting PII data using Pidgin, and you feel that raises it to the level of needing an agreement.

So we'll put aside the operating systems for a moment, and focus in on the transmission of that data.

You type it into Pidgin sure, but using which service? 
* Have you deployed a Jabber server within your office? If so, do you have an agreement with your Jabber server software provider?
* Are you using AIM? Do you have an agreement with AOL?  Their servers would be able to record the messages sent.
* Are you using MSN? Then we come back to an agreement with Microsoft.
* Yahoo? And so on.

OTR will help you with this by (essentially) creating an encrypted tunnel between the two Pidgin IM clients, but given that the service servers can intercept, mutate, and record your messages, I would want to have some assurance that you have your bases covered.  

Luke
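The point Luke makes about OTR above (the provider's servers sit in the path and can record or alter what crosses them, and end-to-end encryption is what takes the message content out of their reach) can be shown with a small simulation. This is an added example, not code from the pidgin-otr project or from anyone in this thread, and it does not implement OTR: the cipher below is a toy HMAC-SHA256 keystream with encrypt-then-MAC, used as a stand-in, and the 32-byte shared key is assumed to have been agreed already (OTR does that with a Diffie-Hellman exchange). The relay server, the client names and the message text are all constructed.

```python
import hashlib
import hmac
import os


class RelayServer:
    """Constructed stand-in for an AIM/MSN/Jabber service server.

    Every payload that crosses it is logged, and when `tamper` is set it
    mutates what it relays, modelling the 'intercept, mutate, and record'
    capability the mail describes.
    """

    def __init__(self):
        self.log = []         # (sender, recipient, payload) for everything seen
        self.tamper = False   # flip one bit of each relayed payload when True

    def relay(self, sender, recipient, payload):
        self.log.append((sender, recipient, payload))
        if self.tamper:
            mutated = bytearray(payload)
            mutated[-1] ^= 0x01
            payload = bytes(mutated)
        return payload


# --- toy end-to-end layer (NOT OTR; OTR uses AES-CTR, SHA-1 HMAC and a DH ratchet)
def _derive(shared_key, label):
    # Split one shared secret into independent encryption and MAC keys.
    return hmac.new(shared_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream built from HMAC-SHA256(enc_key, nonce || counter).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def e2e_encrypt(shared_key, plaintext):
    enc_key, mac_key = _derive(shared_key, b"enc"), _derive(shared_key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag


def e2e_decrypt(shared_key, blob):
    enc_key, mac_key = _derive(shared_key, b"enc"), _derive(shared_key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # altered in transit: the client refuses to display it
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def send_plain(server, msg):
    return server.relay("alice", "bob", msg)


def send_e2e(server, shared_key, msg):
    blob = server.relay("alice", "bob", e2e_encrypt(shared_key, msg))
    return e2e_decrypt(shared_key, blob)


def server_saw_plaintext(server, msg):
    return any(msg in payload for _, _, payload in server.log)


def demo():
    """Run the three scenarios and report what the relay server got to see."""
    msg = b"patient 4711: appointment moved to Tuesday"  # constructed message
    shared_key = os.urandom(32)                           # assumed pre-agreed
    results = {}

    server = RelayServer()
    send_plain(server, msg)
    results["plain_logged"] = server_saw_plaintext(server, msg)          # True

    server = RelayServer()
    results["e2e_received"] = send_e2e(server, shared_key, msg) == msg   # True
    results["e2e_logged"] = server_saw_plaintext(server, msg)            # False

    server = RelayServer()
    server.tamper = True
    results["e2e_tamper_detected"] = send_e2e(server, shared_key, msg) is None  # True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note what the server's log still holds in the end-to-end case: the sender, the recipient and the fact that a message passed at all. Encrypting the content addresses the recording and alteration of the messages themselves; it does not remove the provider from the picture, which is why the mail still asks whether the provider is covered by an agreement.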

On Mon, Jun 01, 2015 at 03:35:42PM -0500, Catherine Galle wrote:
> Luke,
> 
> Yes we are required to have a 'BAA' with our appointment scheduling
> software. We do not have to have an agreement with Windows as nothing that
> is considered electronic protected health information is submitted to or
> through them.
> 
> Sincerely,
> Catherine
> 
> On Mon, Jun 1, 2015 at 1:58 PM, Luke Schierer <lschiere at pidgin.im> wrote:
> 
> > Do you need a similar agreement with Microsoft for your use of Windows?
> > Word? Excel?
> > Do you need a similar agreement with the vendor of your appointment
> > scheduling software?
> >
> > Basically, I highly doubt that HIPAA requires that you sign a "business
> > associate agreement" with every software vendor you use.
> >
> > Luke
> >
> > On Mon, Jun 01, 2015 at 01:26:53PM -0500, Catherine Galle wrote:
> > > Hello,
> > >
> > > We are interested in using pidgin with the otr plugin for messaging between
> > > staff, as pidgin-otr has high ratings/reviews. We are a doctor's office and
> > > therefore governed by the rules of HIPAA. Would it be possible to get a
> > > business associate agreement between our company and pidgin?
> > >
> > > Sincerely,
> > > Catherine
> >
> > > _______________________________________________
> > > Support at pidgin.im mailing list
> > > Want to unsubscribe?  Use this link:
> > > https://pidgin.im/cgi-bin/mailman/listinfo/support
> >
> >
