Business Associates FAQs
What is a Business Associate?
A business associate (BA) can be any University vendor that either:
- receives protected health information (PHI) from the University, another BA, or as part of an Organized Health Care Arrangement (OHCA);
- provides accounting, accreditation, actuarial, administrative, consulting, data aggregation, management, financial, or legal services; or
- uses or discloses PHI on behalf of the University or OHCA.
To do business with a new vendor, you will need to complete the Business Associates Web Form and send a copy of the underlying contract between the vendor and the University to our office, either via fax at 305-243-7487 or email firstname.lastname@example.org. We will then determine if a business associate agreement is required and begin the process, if necessary.
Do I need to complete the form?
Yes, if you are the University employee responsible for doing business with the outside vendor and Purchasing has informed you that we do not currently do business with the vendor in question or the vendor has not yet signed an agreement, please complete the form in full. This is a one-time process. Once a BA agreement is on file, it is not necessary to complete this form again.
What is PHI?
PHI is any individually identifiable health information created or received by the University. Such information may relate to past, present, or future physical or mental health of a patient or research study participant. PHI either identifies or could be used to identify the individual and has been transmitted or maintained in any form or medium (electronic, paper or oral), such as patient demographics, medical record number, Social Security number, etc.
For more information about PHI, please see the related Security Awareness Tip and Privacy FAQ.
How long will it take to process the form?
The Office of HIPAA Privacy & Security processes most requests within two business days. If the vendor does not need to be a BA, we notify Purchasing and business may continue. If the vendor needs a BA agreement, our office sends the agreement to the vendor for signature and requests a certificate of insurance.
How long do vendors take to return the signed BA agreement?
It depends on the vendor. If the vendor requests changes to the agreement or insurance requirements, the time needed to process the paperwork could increase by weeks to months, as any changes may need approval from General Counsel, Risk Management, etc. If no changes are made, the entire process is often completed within a few weeks.
Are accreditation organizations business associates of the covered entities they accredit?
Yes. The HIPAA Privacy Rule explicitly defines organizations that accredit covered entities as business associates. Like other business associations, accreditation organizations provide a service to the covered entity which required the sharing of protected health information.
For more information
- University of Miami Glossary for HIPAA Security Policy and Procedure Manual
- HIPAA Requirements for UM Business Associates
You will be prompted to enter your User ID (Username) and Password in order to gain access to these items.