If you work with Protected Health Information (PHI), you have probably heard mention of a business associate agreement. At WashU, it is essentially a contract between WashU and a business associate concerning the handling of PHI.
Who is a Business Associate?
It is a person or entity outside of WashU who creates, receives, maintains, or transmits protected health information on WashU’s behalf. Some examples of WashU’s current business associates are BJC Health System, BOX Incorporated, and Zoom Video Communications Incorporated.
When would I need a BAA?
In order for WashU to comply with HIPAA regulations, there must be a business associate agreement in place with all trading partners and vendors where protected health information is shared. The business associate agreement ensures that business associates appropriately safeguard protected health information, and it clarifies and limits the permissible uses and disclosures of PHI by the BA.
How can I check if WashU has a BAA with someone?
WashU Purchasing Services maintains a list of all current business associate agreements. You can find the list on their webpage: HIPAA Business Associate Agreements. Refer to the “Status” column for details on each supplier, and please keep in mind that this list is subject to change. If you are unsure whether your project needs a BAA, you can reach out to the HIPAA Privacy Office for guidance.
How can I obtain a BAA?
The WashU employee who has a relationship with the vendor should forward a copy of the WU BAA template to their contact for review and consideration. Any proposed revisions to the template should be forwarded to the HIPAA Privacy Office for approval and signature.