Where are the pictures/documents stored? I'm assuming (please correct me) that this is a web application of some kind. If the documents are stored at the vendor's site/database/server, then even if they don't have actual access to the data then Yes, a BAA should be in place since they are "receiving/transmitting/maintaining" your ePHI.
Scot Lovejoy RPh. CFP CHC CHPC
Chief Pharmacy Officer
9 Campus Drive, 2nd Floor East
Parisippany, N.J. 07054
(O) 973-540-8400 x227
Confidentiality Notice: This e-mail is intended only for the person(s) to whom it is addressed and may contain information that is confidential, proprietary, privileged or otherwise protected from disclosure. If you are not an intended recipient, please (i) do not read, copy or use this communication, or disclose it to others, (ii) notify the sender immediately by replying to the message, and (iii) delete the e-mail from your system. Thank you.
Alexander I Slosman, MHA, CHC, CHPC