The Medical Center may permit business associates access to Electronic Protected Health Information (EPHI) if a written agreement exists between the covered entity and the business associate that provides assurance the business associate will safeguard the information. The HIPAA Security Rule Organizational Requirements for Business Associate Contracts and Other Arrangement (§ 164.314(a)(1)) standard states, "Contracts between covered entities and business associates must provide that business associates will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity."


To ensure agreements between business associates and the Medical Center are developed and executed according to Medical Center policies.


This standard applies to all third parties (e.g., vendors, students) who require access to Medical Center information systems and resources.


The Medical Center may permit a business associate to create, receive, maintain, or transmit Electronic Protected Health Information (EPHI) on its behalf only if there is a written agreement between the covered entity and the business associate that provides assurances that the business associate will appropriately safeguard the information. Development and execution of these agreements will be coordinated by the Medical Center Procurement Office.

The transmission of EPHI to a health care provider concerning the treatment of an individual does not require a business associate agreement.
