Business Associate (HIPAA)

doctor with tablet

HIPAA Compliance

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. In addition to insurance information, a major part of HIPAA addresses the privacy of patient’s health information, known as “Protected Health Information,” or PHI. PHI is information that is:

  • Sent or stored in any form.
  • Identifies the patient, or can be used to identify the patient.
  • Created or received by a covered entity.
  • Generally is about a patient’s past, present, and/or future treatment and payment of services.

How does HIPAA affect suppliers doing business with the university?

HIPAA requires that all business associates of the university sign confidentiality agreements. A business associate, in this case, is someone who does not work for the university but who needs access to patients’ protected health information (PHI) as part of conducting business.

In order for the university to share PHI with a business associate, a Business Associate Agreement (BAA) must be signed by both parties.


When is it necessary for a supplier to sign a Business Associate Agreement?


Business Associate Agreement with Supplier

Technical suppliers who have access to computer systems or databases containing PHI


Accreditation organizations


Temporary agencies that place personnel in areas where they may have access to PHI


Record storage facilities


Lawyers, accountants, consultants (non-university employees)


A non-covered entity with access to PHI (e.g. orthotics manufacturer)

Not required if the entity is also a healthcare provider

Suppliers who only have incidental access usually are not considered business associates (e.g., copy repair technicians)

Not required

Who should I contact if I have questions about my contract with the university?

Suppliers uncertain of their status as a business associate should contact the Procurement Services agent handling their current contract. Contact information for the procurement teams is available in Contacts.

Where can I find more information about HIPAA?

Visit United States Department of Health and Human Services.