Business Associate (HIPAA)

HIPAA Compliance

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. In addition to insurance information, a major part of HIPAA addresses the privacy of patients’ health information, known as "Protected Health Information," or PHI. PHI is information that is:

  • sent or stored in any form;
  • identifies the patient, or can be used to identify the patient;
  • created or received by a covered entity;
  • generally is about a patient’s past, present, and/or future treatment and payment of services.

How does HIPAA affect suppliers doing business with the University of Michigan?

HIPAA requires that all business associates of the University of Michigan sign confidentiality agreements. A business associate in this case is someone who does not work for the University of Michigan but who needs access to patients’ protected health information (PHI) as part of conducting business.

In order for the university to share PHI with a business associate, a Business Associate Agreement must be signed by both parties.

When is it necessary for a supplier to sign a Business Associate Agreement?

Scenario Business Associate Agreement with Supplier
Technical suppliers who have access to computer systems or databases containing PHI Required
Accreditation organizations Required
Temporary agencies that place personnel in areas where they may have access to PHI Required
Record storage facilities Required
Lawyers, accountants, consultants (non-university employees) Required
A non-covered entity with access to PHI (e.g. orthotics manufacturer) Not required if the entity is also a healthcare provider
Suppliers who only have incidental access usually are not considered business associates (e.g., copy repair technicians) Not required

Who should I contact if I have questions about my contract with the University of Michigan?

Suppliers uncertain of their status as a business associate should contact the procurement agent handling their current contract. Contact information for the procurement teams is available in Contacts.

Where can I find more information about HIPAA?

Visit United States Department of Health and Human Services.