 |
||||||||
 |
||||||||
 |
 |
 |
 |
 |
 |
 |
 |
 |
HIPAA HomePrivacy
SecurityResearch
Additional ResourcesAbout This Web SiteNOTE: You will need the free Acrobat Reader to view and print PDF files.
|
HIPAA Business Associate Agreements The HIPAA Regulations reflect the understanding that a covered entity, such as the University of California, often requires the services of third parties ("business associates") to conduct its operations. A business associate is a person or entity that creates, receives, maintains or transmits protected health information ("PHI") on behalf of the University. A business associate relationship exists when an individual or entity, acting on behalf of the University, assists in the performance of a function, activity or service involving the use or disclosure of PHI. These functions, activities and services, to or on behalf of the covered entity, include:
The HIPAA Regulations require the University, as a covered entity, to have a business associate agreement ("BA agreement") whenever a non-University person or entity provides services to the University involving the use or disclosure of the University's PHI. HIPAA requires that agreements with business associates include specific provisions. The University has standard HIPAA BA agreements that should be used whenever a business associate agreement is required. The definition of PHI under HIPAA is broad and includes information relating to a person's health, the care received and payment for services maintained by or for the "covered entity." Within the University, the covered entity is comprised of its health care components, primarily University hospitals, clinics, physicians' offices, self-insured health plans, and student health services. PHI does not include health information in employment records maintained by the University in its role as employer. Please refer any questions concerning the necessity for a BA agreement in a particular situation to your campus privacy officer.
|