For SaaS products that do not contain VA-owned data*, there is now an expedited process that does not require a traditional VA authority to operate (ATO). Criteria include the following:
- User owns a device (even if VA paid for the purchase of the device) such as a CPAP or glucometer that uses a SaaS product to share patient data (non-VA data*).
- SaaS product has no direct connections or interfaces to VA systems or network.
- Users consent to share their data (which may include PII and PHI) directly with the SaaS provider.
- SaaS providers must have published terms and conditions for user consent.
- VA providers access data in a view-only mode or with limited functionality per the user’s consent.
*According to Circular A-130, anything that VA creates, collects, processes, maintains, disseminates, or disposes of by or for the federal government is considered federal information (VA data).
VA providers may not enter any VA information into this product; the product must continue to meet the no-VA-data criteria described above.