Business Associate Agreement

It is the policy of the Columbia University Healthcare Component (CUHC) to obtain a Business Associate Agreement (BAA) from a business vendor, service provider or a non-workforce member individual that will have access to Protected Health information (PHI) in compliance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Reason(s) for the Policy

The HIPAA Rules require the organization to obtain satisfactory assurances that PHI will be appropriately safeguarded by a business vendor, service provider or other non-workforce member that will create, receive, maintain or transmit PHI for or on behalf of the organization.

Workforce members may not disclose PHI to a business vendor, service provider or any other non-workforce members without a fully executed BAA or other appropriate authorization.

This policy defines when a BAA is required, the procedure to complete a BAA and the responsibilities for the organizations business units when a BAA is obtained.

Primary Guidance To Which This Policy Responds

HIPAA Rules 45 CFR § 160.103, 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)

Who is Governed by This Policy

All CUHC workforce members.

Who Should Know This Policy

All CUHC workforce members.

Exclusions and Special Situations

Researchers that may be permitted to disclose PHI for research purposes should follow guidance established by the Institutional Review Board (IRB) and the CUHC Policy on the Privacy Rule and the Use of Health Information in Research.

  1. Each business vendor, service provider, or non-workforce member that creates, receives, maintains or transmits PHI for or on behalf of CUHC must enter into a BAA in which the Business Associate is obligated to protect the privacy, security and confidentiality of such PHI in accordance with the HIPAA Rules.

  2. A list of potential Business Associates includes, but is not limited to the following:
    • Accreditation organizations
    • Billing, coding, and collection vendors
    • Quality assurance organizations
    • Consultants
    • Answering services
    • Shredding, destruction and/or documentation storage companies
    • Medical transcription services, including individual contracts
    • E-prescribing gateways
    • Health information exchanges
    • Patient satisfaction vendors
    • Personal health records vendors
    • Data processing firms
    • Application service providers
    • Law firms /attorneys
    • External auditors or accountants
    • Professional translator services
    • Software vendors

  3. Each department/program or business unit is responsible for identifying when a business vendor, service provider or non-workforce member will create, receive, maintain, or transmit PHI for or on behalf of CUHC.

  4. Any department/program or business unit that establishes a Business Associate relationship with a business vendor, service provider, or non-workforce member is responsible for obtaining satisfactory assurances in the form of a BAA that the Business Associate will comply with regulatory requirements to appropriately safeguard PHI, including by protecting its confidentiality, integrity, and availability.

  5. Weill Cornell Medicine, NewYork-Presbyterian, and Columbia University participate in an Organized Health Care Arrangement (OHCA). An OHCA Business Associate Agreement (BAA) may be required if the business vendor, service provider, or an individual will have access to, use or disclose Protected Health Information (PHI) from a clinical information system including the shared electronic health record or will provide a service to the three organizations. The Privacy Officers will work with general counsel of the respective organizations to determine when an OHCA BAA is required.

  6. The BAA template (form) is available on the Privacy Office website:

  7. If the Business Associate requests to modify the BAA template or does not agree that they are acting in the capacity of Business Associate, the Chief Privacy Officer shall be consulted.

  8. All BAAs shall be submitted to the Privacy Office for review and signature. The fully executed agreement is provided to the department/program or business unit and a copy will be maintained in the Privacy Office.

  9. Each department/program or business unit is responsible for maintaining a list of all its active BAAs.

  10. When a Business Associate relationship is terminated, it is the responsibility of the department/program or business unit to assure the return or destruction of PHI according to the terms of the BAA and in compliance with HIPAA Rules.  The department/program or business unit must also inform the Privacy Office when a BAA relationship is terminated.

  11. A list of all BAAs is available via the Privacy Office website: (UNI required).

  12. Procurement will verify any agreement; contract or other business arrangement includes a fully executed BAA when processing purchase orders or service agreements where a BAA is required pursuant to this Policy.

  13. Where a BAA is required, a purchase order will not be processed and access to PHI shall not be granted until a BAA is fully executed. 
    • The Privacy Office will maintain a list of all signed BAAs.
    • Department Administrators will assure vendors meeting the definition of a Business Associate have a BAA executed before permitting access to PHI.
    • Procurement will verify vendors have a BAA (where required) before processing a purchase order and periodically verify the status of their BAA relationships.

    Business Associate – A person or entity that performs certain functions or activities that involve creating, receiving, maintaining, or transmitting protected health information for or on behalf of the Columbia University Healthcare Component.

    Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

    Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.

    HIPAA Rules – The HIPAA Privacy, Security, Breach Notification and Enforcement Rules as amended from time to time 45 CFR 160 and 164.

    Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.

    Protected Health Information (PHI) is individually identifiable health information:
    (1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
    (2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.

    Workforce includes faculty, staff, students and other individuals whose conduct, the performance of work for CUHC is under the direct control of CUHC.