Vendors & Privacy: What you need to know
Under the HIPAA regulation, covered entities are required to enter into a contract with each business associate to ensure that it will appropriately safeguard protected health information. A business associate is a person or company that performs, or assists in the performance of, a function or activity on behalf of the covered entity that involves the use or disclosure of Protected Health Information (PHI).
For example, a business associate can be any UHealth vendor that either:
- receives protected health information (PHI) from the University;
- provides accounting, accreditation, actuarial, administrative, consulting, data aggregation, management, financial, or legal services; or
- uses or discloses PHI on behalf of UHealth.
The University has carefully designed its business associate agreement (BAA) to include important protections for the University. If a vendor provides its own BAA, please advise the vendor that it must sign the University’s BAA instead. Remember that the Privacy Office is always ready to assist you with vendors.
Departmental staff involved with processing vendor agreements are responsible for requesting a business associate agreement from the Privacy Office. A vendor may not create or receive PHI for or on behalf of the University until there is an executed Business Associate Agreement in place.
In order to obtain a BAA, departmental staff should complete the Business Associates Web Form located on the Office of Privacy and Data Security website.
If you need to verify whether a vendor is a business associate, please contact the Office of HIPAA Privacy and Security.
Frequently Asked Question
Q: How do I verify whether a vendor meets the criteria of a Business Associate?
A: Complete the Business Associates Web Form on the Privacy Office website and you will be contacted for the next steps.