Security Policies & Procedures
Section 8 - Business Associate Contracts and Arrangements
Title: Business Associate Written Contract and Other Arrangements
Policy: SEC-08.01
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.308(b)(1)
Standard: Business Associate Contracts and Other Arrangements
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
To ensure the confidentiality of all PHI when there is a need to secure services from outside entities in the process of treatment, payment and operations.
OSU will document the satisfactory assurances required by the Security Rule through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a), Business Associate Contracts or Other Arrangements. (§ 164.308(b)(3))
OSU will seek to obtain Business Associate Agreements (BAA), or other arrangements with every person or entity that will have access to PHI where required by law.
The HIPAA Compliance Office will work with the OSU Tulsa Business Affairs office to maintain an up-to-date list of all known BAAs, and will also work to keep the BAA document itself current with all applicable laws and regulations.
This list of current Business Associates is accessible on the Business Affairs website.
This list should be checked before signing contracts or making arrangements with others to see whether a BAA is on file. If not, a BAA must be in place before services are provided.
All BAAs will be stored on file at the Business Affairs Office and will be made available for review upon request.
The Procedure from the Business Affairs Office is as follows:
EXAMPLES OF SOME SERVICES THAT REQUIRE A BUSINESS ASSOCIATES AGREEMENT (This list is not all-inclusive. Please contact the Compliance Office if you need assistance in determining the need for a BAA and/or Addendum.)
Mail and parcel carrying services such as USPS, FedEx, UPS, etc., are not Business Associates and should not have any access to PHI beyond delivery of the item.
In the event of a breach by any Business Associate, OSU expects the Business Associate to comply with Subpart D, the Breach Notification Rules (§§ 164.400-414) of HIPAA.