HIPAA - Business Associate Agreements

Questions? Contact SCM Response Team

Overview

Information on HIPAA - business associate agreements

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

It is expected that all UCSF staff, faculty, students and trainees understand that it is their legal and ethical responsibility to preserve and protect the privacy, confidentiality and security of all confidential information, both patient and non-patient related, in accordance with federal and state laws; and University policies and procedures.

All staff, faculty, students and trainees are expected to access, use and disclose confidential information only in the performance of their University duties or when required or permitted by law. Additionally, all staff, faculty, students and trainees must disclose information only to persons who have the right to receive that information.

UCSF is required to secure all access to stored and transmitted Protected Health Information (PHI).

When Do HIPAA – Business Associate Agreements Apply?

With few exceptions, if a supplier uses, has access to, receives or otherwise is disclosed UC PHI, then that supplier must enter into a Business Associate Agreement (BAA) with the University of California (UC)

Things I Need to Know or Do

If your transaction involves a supplier using, accessing, receiving or otherwise being disclosed University of California PHI, you must choose HIPAA in the dropdown menu on the BearBuy form you are using. Then the requisition will route to a central buyer and Supply Chain Management (SCM) will set up a BAA with your supplier.

BearBuy Form to Use

  • After-the-Fact PO Form
  • Amount-Based PO Form
  • Capital Equipment Form
  • Non-Catalog Form
  • Professional Services/Independent Consulting Form
  • Software and Cloud Computing Form
  • Standing Order Amount Form

Version Date: May 2018