User login


Business Associate Agreement

Effective Date:   November 2018



Policy Statement

It is the policy of the Columbia University Healthcare Component (CUHC) to obtain a Business Associate Agreement (BAA) from a business vendor, service provider or a non-workforce member individual that will have access to Protected Health information (PHI) in compliance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


Reason(s) for the Policy

CUHC is required by the HIPAA Rules to obtain satisfactory assurances that PHI will be appropriately safeguarded by a business vendor, service provider or other non-workforce member that will create, receive, maintain or transmit PHI for or on behalf of CUHC. 


CUHC workforce members shall not disclose PHI to a business vendor, service provider or any other non-workforce member without a fully executed Business Associate Agreement (BAA) or other appropriate authorization.


This policy defines when a business associate agreement (BAA) is required, the procedure to complete a BAA and the responsibilities for CUHC business units when a BAA is obtained.  


Primary Guidance to Which This Policy Responds

HIPAA Rules 45 CFR § 160.103, 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)


Responsible University Office & Officer

Office of HIPAA Compliance, Privacy Officer




To see the full text of this policy, please use the link on the right.