User login


Business Associate Agreement

Effective Date:   December 2016



Policy Statement

It is the policy of the Columbia University Healthcare Component (CUHC) to obtain a Business Associate Agreement (BAA) from a business vendor, service provider or an individual that will have access to protected health information (PHI).


Reason(s) for the Policy

Columbia University is required by the HIPAA Privacy and Security Rules to obtain satisfactory assurances that protect health information will be appropriately safeguard  by a business vendor, service provider or other individual that will create, receive, maintain, store or transmitted protected health information on behalf of the CUHC. 


CUHC workforce members shall not disclose PHI to a business vendor, service provider or any other non-workforce member without a fully executed Business Associate Agreement (BAA) or other appropriate authorization.


This policy defines when a business associate agreement (BAA) is required, the procedure to complete a BAA and the responsibilities for CUHC business units when a BAA is obtained.  


Primary Guidance to Which This Policy Responds

HIPAA Rules 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)


Responsible University Office & Officer

Office of HIPAA Compliance, Privacy Officer




To see the full text of this policy, please use the link on the right.