HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. In addition to insurance information, a major part of HIPAA addresses the privacy of patients’ health information, known as "Protected Health Information," or PHI. PHI is information that is:
HIPAA requires that all business associates of the University of Michigan sign confidentiality agreements. A business associate in this case is someone who does not work for the University of Michigan but who needs access to patients’ protected health information (PHI) as part of conducting business.
In order for the university to share PHI with a business associate, a Business Associate Agreement must be signed by both parties.
|Scenario||Business Associate Agreement with Supplier|
|Technical suppliers who have access to computer systems or databases containing PHI||Required|
|Temporary agencies that place personnel in areas where they may have access to PHI||Required|
|Record storage facilities||Required|
|Lawyers, accountants, consultants (non-university employees)||Required|
|A non-covered entity with access to PHI (e.g. orthotics manufacturer)||Not required if the entity is also a healthcare provider|
|Suppliers who only have incidental access usually are not considered business associates (e.g., copy repair technicians)||Not required|
Suppliers uncertain of their status as a business associate should contact the procurement agent handling their current contract. Contact information for the procurement teams is available in Contacts.