Business Associate Agreement University

HIPAA rules require the university, as a covered entity, to have a counterparty agreement (“BA Agreement”) when a non-academic person or body provides services to the university involving the use or disclosure of the university's PHI. HIPAA requires that agreements with counterparties contain specific provisions. The university has standard HIPAA BA agreements that should be used whenever a counterparty agreement is required. Suppliers who do not have their business partner status should contact the Procurement Services Officer who is processing their current contract. For contact information for purchasing teams, see Contacts. In order for the university to share PHI with a business partner, both parties must sign a business associate agreement.

When SOM divisions enter into agreements with external providers that involve the provider's access or exposure to information considered PHI under the Health Insurance Portability and Accountability Act (HIPAA), a BAA is required. The SOM is the covered entity (custodian of the information) and the counterparty is the seller (who provides services for the SOM). If you have any questions about the need for a BA contract in a particular situation, please contact your campus data protection officer.

A counterparty agreement describes the permitted uses, disclosures and restrictions, and describes all security measures to protect any limited information that may be shared with the counterparty. HIPAA's rules reflect the understanding that a covered entity, such as the University of California, often requires the services of third parties (“business partners”) to carry out its operations. A business partner is a natural or legal person who creates, receives, maintains or transmits protected health information on behalf of the university.

A counterparty relationship exists when a natural or legal person acting on behalf of the university contributes to the performance of a function, activity or service involving the use or disclosure of PHI. These functions, activities, and services for or on behalf of the covered entity are not limited: HIPAA requires all of the university's business partners to sign confidentiality agreements. In this case, a business partner is someone who does not work for the university, but needs access to patients' protected health information (PHI) as part of their business activities. Questions about counterparties or a counterparty agreement should be directed to the Data Protection Office at 801-587-9241.

The definition of PHI in HIPAA is broad and includes information about a person's health, care received, and payment for services provided by or for the covered entity. Within the university, the covered entity consists of its health components, mainly teaching hospitals, clinics, doctors' offices, self-insured health plans and health services for students. PHI does not include health information in employment documents maintained by the university in its role as employer.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. In addition to insurance information, much of HIPAA concerns the privacy of patients' health information, known as “protected health information” or PHI. PHI is information that means that counterparties must treat PHI appropriately and that they are particularly subject to HIPAA security rules.

Counterparties are also subject to enforcement measures by public supervisory authorities when they do not comply with security rules. If this is the case, the supplier must sign a Business Associate Agreement (BAA) before carrying out any work. You can find BAA examples here; they are only used as references….