Use and Disclosure of PHI with Business Associates

Statement of Policy

Washington University and its member organizations (collectively, “Washington University” or “WU”) are committed to conducting business in compliance with all applicable laws, regulations and WU policies. As part of this commitment, WU has adopted this Policy to ensure that WU’s Business Associates and their employees comply with applicable federal, state, and local laws, regulations and WU policies.

Scope of Policy

This Policy applies to all Uses of Protected Health Information (PHI) by and all Disclosures of PHI to Business Associates of WU.


1) General Rule.

WU and members of its Workforce may Disclose PHI to a Business Associate and/or permit a Business Associate to create, receive or Use PHI on behalf of WU ONLY IF a Business Associate Agreement, a copy of which is attached as Schedule 1, has been fully executed by WU and the Business Associate. Any amendments or modifications to the Business Associate Agreement must be reviewed and approved by the Privacy Officer and Office of General Counsel.

2) Examples of Business Associates.

Business Associates are persons who are not members of WU’s Workforce but who are providing services to or on behalf of WU in its role as a Health Care Provider or Health Plan, where the provision of those services involves the Use or Disclosure of PHI. Such services might include billing or claims processing; data analysis, processing or administration; utilization review; quality assurance; benefit management; practice management; data aggregation; financial services; actuarial, legal and accounting services; and accreditation. Business Associates may include, among others, management, administrative or clerical personnel (if not WU employees); temporary staffing agencies; transcriptionists (if not WU employees); law firms; accounting firms; benefit management companies; third party administrators; collection agencies; expert witnesses; billing companies; and information systems service providers and other types of consultants. Business Associates also include Health Information Organizations, E-prescribing Gateways, and other persons that provide data transmission services with respect to protected health information to a covered entity and that require access on a routine basis to such protected health information. A covered entity may be a business associate of another covered entity if they are providing services to the covered entity for purposes other than treatment.

3) Breach of Business Associate Agreement.

If WU or any member of its Workforce becomes aware of a material breach of the Business Associate Agreement by a Business Associate or a subcontractor of the Business Associate, the Privacy Officer must be notified of the breach immediately. WU will take reasonable steps to cause the Business Associate to cure the breach or end the violation. If such steps are unsuccessful, WU must: (i) terminate the arrangement with the Business Associate, if feasible; or (ii) if termination is not feasible, report the problem to the Secretary of the Department of Health and Human Services.

4) Exceptions.

a) Treatment.

This Policy does not apply to Disclosures of PHI by WU to one or more Health Care Providers, including without limitation BJH and SLCH, for Treatment of the Individual to whom the PHI relates.

b) Medical Staff Membership.

WU faculty as non-employed members of the medical staff of BJC facilities are not by virtue of such status alone considered Business Associates.

5) Responsibility of All WU Workforce.

Every member of the WU Workforce is responsible for being aware of, and complying with, this Policy. Questions should be directed to the Privacy Officer.


Creation Date: November 22, 2002
Effective Date: April 14, 2003
Last Revision Date: January 29, 2003; August 29, 2013