Managing Business Associate Arrangements When UW–Madison is the Business Associate

Layout for printing

Policy Number:

UW-117

Old Policy Number:

6.2

Responsible Office:

Office of Compliance

University Policy

Rationale/​Purpose:

In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections apply over and above the federal privacy standards.

Definitions:

Business associate

A person or entity not affiliated with UW–Madison that performs or assists in performing, for or on behalf of any unit in the UW–Madison health care component (UW HCC), business support functions/services that involve the use of protected health information (PHI). 

Note: A health care provider that assists in providing treatment to patients is not considered to be a business associate.

Business associate agreement

A contract entered into between UW–Madison and an external party that contains specific terms and conditions, as required by the HIPAA Privacy Rule, governing the use and disclosure of protected health information by business associates. For purposes of this policy, a business associate agreement refers to both a stand-alone contract with the required HIPAA language or a broader contract that incorporates the required HIPAA language with other provisions.

HITECH

The Heath Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to promote the adoption and meaningful use of health information technology.

Protected health information (PHI)

Health information or health care payment information, including demographic information collected from an individual, which identifies the individual or can be used to identify the individual. Protected health information does not include student records held by educational institutions or employment records held by employers.

Unit

A unit of the UW–Madison campus that has been designated as part of the UW HCC.

UW–Madison health care component (UW HCC)

Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW–Madison Health Care Component for a listing of these units.

UW–Madison privacy coordinator

The individuals within each unit delegated to, in collaboration with the UW–Madison privacy officer, ensure their unit’s compliance with the HIPAA Privacy Rule regulations and UW–Madison’s policies implementing those regulations.

UW–Madison privacy officer

The individual appointed by the university to be the privacy officer under 45 C.F.R. § 164.530(a)(1)(i) of the HIPAA Privacy Rule.

Scope:

Applies to all members of the UW HCC.

Policy:

Policy Summary

The HIPAA Privacy Rule and HITECH regulations permit a covered entity to disclose protected health information to a business associate and may allow the business associate to create or receive protected health information on its behalf if the covered entity obtains satisfactory assurance in the form of a business associate agreement that the business associate will appropriately safeguard the information. UW–Madison follows the HIPAA Privacy Rule when, in the role of a business associate, it receives protected health information from external parties that qualify as a covered entity. This policy prescribes procedures for handling such arrangements with external parties when UW–Madison functions in the role of a business associate.

Policy Detail

1. Any department, unit, or employee of UW–Madison (whether or not included within the UW HCC) who receives a request from an external party to sign a business associate agreement (either a stand-alone business associate contract or a broader contract incorporating business associate-type provisions) shall forward the business associate agreement to the appropriate office for review, as follows.
   1. If the agreement relates to an industry-sponsored extramural support agreement, it will be forwarded to the Office of Industrial Partnerships (OIP). If the agreement relates to a federally sponsored extramural support agreement, it shall be forwarded to Research and Sponsored Programs (RSP).
   2. If the agreement relates to an educational affiliation agreement, it will be forwarded to the Office of Legal Affairs.
   3. If the agreement relates to any other type of arrangement, it will be forwarded to the director of purchasing services.
2. The agreement should be forwarded along with any supporting documentation, including the Checklist for UW–Madison Business Associates described in III. below, regarding the department, unit, or employee’s arrangement with the external party. Agreements forwarded to Purchasing Services should also attach a completed Contract Approval Cover Sheet (form available through Purchasing Services).
3. No agreement will be forwarded for signature until the Checklist for UW–Madison Business Associates has been completed by the proposed business associate within the department or unit that received the agreement. The checklist includes:
   1. Certification by the business associate that they have reviewed the business associate agreement and understand theirr responsibilities under the agreement;
   2. Certification by the business associate that they have completed the business associate training module (must be completed at least once per calendar year);
   3. Certification by the Office of Campus Information Security that the business associate has received instruction on how to securely maintain the protected health information.
4. Upon receipt of the agreement and supporting documentation, the responsible office will investigate and analyze the arrangement and determine whether the agreement should be signed, amended, or rejected.
   1. If the agreement is to be amended or rejected, the responsible office will work with appropriate personnel in the department or unit that received the agreement to negotiate with the external party regarding the terms and/or necessity of the agreement.
   2. Signatory authority for business associate agreements is as follows:
      1. OIP and RSP agreements should be signed by appropriate personnel within OIP and RSP respectively.
      2. All other agreements should be signed by the director of purchasing services.
      3. Any other UW–Madison official with Board of Regents signatory authority may sign a business associate agreement if the agreement has been approved by the responsible office.
   3. The responsible offices will consult as necessary with the UW–Madison privacy officer and/or UW–Madison Office of Legal Affairs regarding these agreements.
5. Once executed, a copy of each business associate agreement and Checklist for UW–Madison Business Associates will be forwarded to the UW–Madison privacy officer.
6. Departments, units, and employees who are parties to a business associate agreement shall comply with the terms of the business associate agreement. Failure to do so may result in discipline, up to and including termination.

Consequences for Noncompliance

Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.

Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties. 

Related UW-Madison Policies:

UW-100 Designation of UW–Madison Health Care Component 

UW-116 Managing Arrangements with Business Associates of UW- Madison

Related UW–Madison Documents, Web Pages, or Other Resources:

Office of Compliance Policies and Forms

External References:

45 C.F.R. § 160.103

45 C.F.R. § 164.501

45 C.F.R. § 164.502(e)(1)(iii)

45 C.F.R. § 164.504(e)

Policy Administration

Approval Authority:

Vice Chancellor for Legal Affairs

Policy Manager:

HIPAA Privacy Officer

Contact:

HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077

Effective Date:

03-12-2003

Revised Dates:

07-20-2014: Effective date of the revised policy: 07-20-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.

Retrieved:

04-26-2024 19:00:27