Business Associate Agreement

It is the policy of the Columbia University Healthcare Component (CUHC) to obtain a Business Associate Agreement (BAA) from a business vendor, service provider or a non-workforce member individual that will have access to Protected Health information (PHI) in compliance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Reason(s) for the Policy

The HIPAA Rules require the organization to obtain satisfactory assurances that PHI will be appropriately safeguarded by a business vendor, service provider or other non-workforce member that will create, receive, maintain or transmit PHI for or on behalf of the organization.

Workforce members may not disclose PHI to a business vendor, service provider or any other non-workforce member without a fully executed BAA or other appropriate authorization.

This policy defines when a BAA is required, the procedure to complete a BAA and the responsibilities for the business units when a BAA is obtained.

Primary Guidance to Which This Policy Responds

HIPAA Rules 45 CFR § 160.103, 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)

Who is Governed by This Policy

All CUHC workforce members.

Who Should Know This Policy

All CUHC workforce members.

Exclusions and Special Situations

Researchers should follow guidance established by the Institutional Review Board (IRB) and the CUHC Policy on the Privacy Rule and the Use of Health Information in Research to determine if the data disclosure requires a HIPAA Business Associate Agreement.

  1. Each business vendor, service provider, or non-workforce member that creates, receives, maintains or transmits PHI for or on behalf of CUHC must establish a BAA in which the Business Associate is obligated to protect the privacy, security and confidentiality of such PHI in accordance with the HIPAA Rules.

  2. A list of potential Business Associates includes, but is not limited to, the following:
    • Accreditation organizations
    • Billing, coding, and collection vendors
    • Quality assurance organizations
    • Consultants
    • Answering services
    • Shredding, destruction and/or documentation storage companies
    • Medical transcription services, including individual contractors
    • Health information exchanges
    • Patient satisfaction vendors
    • Personal health records vendors
    • Data processing firms
    • Application or third party service vendors
    • Law firms / attorneys
    • External auditors or accountants
    • Professional translator services
    • Software vendors

  3. Each department/program or business unit is responsible for identifying when a business vendor, service provider or non-workforce member will create, receive, maintain, or transmit PHI for or on behalf of the organization.

  4. Before submitting a new Business Associate Agreement for signature or inquiring about the need for a Business Associate Agreement, complete and submit a Business Associate Request Form (qualtrics.com).

  5. Any department/program or business unit that establishes a Business Associate relationship with a business vendor, service provider, or non-workforce member is responsible for obtaining satisfactory assurances in the form of a BAA that the Business Associate will comply with regulatory requirements to appropriately safeguard PHI, including by protecting its confidentiality, integrity, and availability.  

  6. Weill Cornell Medicine, NewYork-Presbyterian, and Columbia University (Cornell, NYP, and Columbia) participate in an Organized Health Care Arrangement (OHCA). An OHCA BAA may be required if the business vendor, service provider, or an individual will have access to, use or disclose Protected Health Information (PHI) from the shared electronic health record (EPIC) or will provide a service to the three organizations.

  7. The Columbia and OHCA BAA forms are available on the Privacy Office website: https://www.hipaa.cumc.columbia.edu/business-associates

  8. In general, Columbia does not permit changes to the standard HIPAA Business Associate Agreement. If the Business Associate requests modifications to the BAA template or does not agree that it is acting in the capacity of a Business Associate, the Business Associate Request Form must be completed before consulting the Privacy Office.

  9. All BAAs shall be submitted to the Privacy Office for review and signature. The fully executed agreement is maintained by the department/program/business unit.

  10. Each department/program or business unit is responsible for maintaining a list of all its active BAAs.

  11. When a Business Associate relationship is terminated, it is the responsibility of the department/program or business unit to assure the return or destruction of PHI according to the terms of the BAA and in compliance with HIPAA Rules.  

  12. A list of all BAAs is available on the Privacy Office website: https://www.hipaa.cuimc.columbia.edu/business-associates (UNI required).

  13. When processing a purchase order or service agreement, Procurement will notify the department/program or business unit if the agreement, contract or business arrangement may require a BAA pursuant to this Policy.

  14. Where a BAA is required, a purchase order, service agreement and/or contract will not be processed until a BAA is fully executed.

Responsibilities

  • Business Associate Agreements will be signed by the Chief Privacy Officer.
  • The Privacy Office will maintain a list of all signed BAAs.
  • Department Administrators will ensure vendors meeting the definition of a Business Associate execute a HIPAA BAA before permitting access to PHI.
  • Each department/program or business unit is responsible for maintaining a list of all its active BAAs.
  • Procurement will verify vendors have a BAA (when required) before processing a purchase order and periodically verify the status of their BAA relationships.

Definitions

Business Associate – A person or entity that performs certain functions or activities that involve creating, receiving, maintaining, or transmitting protected health information for or on behalf of the Columbia University Healthcare Component.

Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

Covered Entity – (i) a health plan, (ii) a healthcare clearinghouse, or (iii) a healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.

HIPAA Rules – The HIPAA Privacy, Security, Breach Notification and Enforcement Rules, as amended from time to time, at 45 CFR 160 and 164.

Hybrid Entity – A single legal entity (i) that is a Covered Entity, (ii) whose business activities include both Covered and non-Covered functions, and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.

Protected Health Information (PHI) – Individually identifiable health information:

1. Except as provided in section (2) of this definition, that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium (including paper and oral communications).
2. Protected Health Information excludes individually identifiable health information: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by a covered entity in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.

Workforce – Faculty, staff, students and other individuals whose conduct, in the performance of work for CUHC, is under the direct control of CUHC.