Effective Date: December 2016
It is the policy of the Columbia University Healthcare Component (CUHC) to obtain a Business Associate Agreement (BAA) from a business vendor, service provider or an individual that will have access to protected health information (PHI).
Reason(s) for the Policy
Columbia University is required by the HIPAA Privacy and Security Rules to obtain satisfactory assurances that protect health information will be appropriately safeguard by a business vendor, service provider or other individual that will create, receive, maintain, store or transmitted protected health information on behalf of the CUHC.
CUHC workforce members shall not disclose PHI to a business vendor, service provider or any other non-workforce member without a fully executed Business Associate Agreement (BAA) or other appropriate authorization.
This policy defines when a business associate agreement (BAA) is required, the procedure to complete a BAA and the responsibilities for CUHC business units when a BAA is obtained.
Primary Guidance to Which This Policy Responds
HIPAA Rules 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)
Responsible University Office & Officer
Office of HIPAA Compliance, Privacy Officer
To see the full text of this policy, please use the link on the right.