KUMC Managing Business Associate Arrangements
In accordance with 45 CFR §§ 164.502(e), 164.504(e), 164.308 and 164.314, this policy provides assistance and guidance to The University of Kansas Medical Center (KUMC) regarding identifying Business Associates (BA); ensuring that KUMC Health Care Components enter into a Business Associate Agreement prior to allowing a BA to access, use, disclose, or maintain Protected Health Information (PHI) on behalf of KUMC; and ensuring that KUMC enters into a BAA prior to conducting work for or on behalf of a Covered Entity (CE).
KUMC Health Care Components entering in a Business Associate Agreement and KUMC conducting work for or on behalf of a Covered Entity (CE).
Prior to contracting with any outside individual or entity, where the individual or entity will either have access to Protected Health Information (PHI) or collect and/or maintain PHI on behalf of KUMC, it is the responsibility of the using department or individual to contact the KUMC Privacy Official to determine whether the outside individual or entity qualifies as a Business Associate (BA). Once a determination has been made, each unit must verify that its BA execute a Business Associate Agreement (BAA).
A. Process for Negotiating and Executing BAAs with BA of KUMC in a Non-Research Context
1.Unit Specific arrangements and arrangements through KUMC Purchasing. Each unit shall be responsible for identifying all arrangements that require a BAA. The University Privacy Official and/or the Director of Purchasing or designee will assist the unit with negotiation of changes to the BAA.
B. Process for Negotiating and Executing BAAs when KUMC is the BA in a Non-Research Context
- Any department, unit, or employee of KUMC (whether or not included within the KUMC Health Care Component) who receives a request from an external party to sign a BAA (either a stand-alone or a broader contract incorporating business associate provisions) shall forward the BAA to the KUMC Privacy Official.
- The agreement should be forwarded along with any supporting documentation e.g. engagement letter, statement of work, etc.
- Upon receipt of the agreement and supporting documentation, the KUMC Privacy Official will review the arrangement. The KUMC Privacy Official shall work with appropriate personnel in the department or unit that received the agreement to negotiate with the external party regarding the terms and/or necessity of the agreement.
C. Process for Negotiating and Executing BAAs in the Research Context
- If the BAA is being entered into in conjunction with other study/grant agreements, for example, to provide for the creation of a limited data set by KUMC, for KUMC’s research purposes, a copy will be forwarded to firstname.lastname@example.org for logging, and also forwarded to the KUMC Privacy Official for review.
- The KUMC Privacy Official will provide the requested changes to the project manager negotiating the study/grant agreements, so that the changes can be negotiated together, in a coordinated fashion, by the project manager.
- The project manager will archive a copy of the BAA with the study/grant agreements (if applicable), and an executed copy will be provided to the University Privacy Official for archiving. The Privacy Official shall keep a copy of each BAA until 6 years after the agreement expires or is terminated.
D. Form of BAA. A template BAA is available from the KUMC Privacy Official. If the BA seeks to negotiate alternative language or presents its own version of a BAA, that alternative language must be approved by the KUMC Privacy Official, who shall consult with the Office of General Counsel if necessary.
E. Designated Signature
- Non-Research Context - Once negotiated, the BAA will be signed by the Vice Chancellor for Administration or another Vice Chancellor on behalf of KUMC
- Research Context - The BAA will be signed by an appropriate Vice Chancellor or the Associate Vice Chancellor for Research on behalf of KUMC.
F. Maintaining BAAs
- A copy will be archived by the KUMC Privacy Official for a period of six years from the time the Agreement expires or is terminated.
G. Termination of the BA arrangement. When KUMC’s relationship with the BA terminates, for whatever reason (e.g. early termination or end of contract term), the unit must:
- Facilitate a return of the PHI from the BA;
- Obtain a certification from the BA that it has destroyed the PHI; or
- If the parties agree that return or destruction is infeasible, obtain certification from the BA that it will continue to protect the PHI as required under the agreement for so long as the BA maintains the PHI.
KUMC Privacy Official 9313-588-0940
Business Associate (BA) means a person, entity, company or organization that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.
Business Associate Agreement (BAA): A contract entered into between KUMC and an external party that contains specific terms and conditions, as required by the HIPAA Privacy Rule, governing the use and disclosure of protected health information by business associates. For purposes of this policy, a Business Associate Agreement refers to either a stand-alone contract with the required HIPAA language; or a broader contract that incorporates the required HIPAA language with other provisions.
Health Care Component: Those units of KUMC that have been designated by the University as part of its Health Care Component under HIPAA.
Privacy Official: The individual appointed by KUMC to be the Privacy Officer under 45 C.F.R. § 164.530(a)(1)(i) of the HIPAA Privacy Rule.
Protected Health Information (PHI): Health information that is “individually identifiable” and is transmitted or maintained in any form or medium, including electronic, paper and oral.
05/06/2016: Removed Date Last Reviewed
01/12/2016: New policy