Vendors providing services at CUIMC must have a Business Associate Agreement (BAA) in place if the service may create, store, maintain, or transmit Protected Health Information (PHI), under University Policy: https://universitypolicies.columbia.edu/content/business-associate-agreement
The CUIMC Privacy Office's Business Associates page (https://www.hipaa.cuimc.columbia.edu/business-associates) includes a list of current vendors with executed agreements, as well as examples and templates of BAAs.
For those who need to determine whether a BAA is required, the CUIMC IT Project Management Office offers the following workflow, outlined step by step below.

BAA Workflow Steps
- Will PHI be shared with the vendor?
  - No: no BAA is required; the workflow ends.
  - Yes: Is there an existing BAA with this vendor?
    NOTE: If you are not sure, check the Privacy Office's list of vendors: https://www.hipaa.cuimc.columbia.edu/business-associates
    - Yes: the workflow ends.
    - No: Will it be a Columbia BAA?
      - Yes:
        - Send the Columbia BAA to the vendor for signature.
        - Submit the vendor-signed BAA to the CUIMC Privacy Office.
        - BAA review process.
          NOTE: If the vendor wants to change the language of the BAA, negotiation with CU Privacy and Legal will be required.*
        - Fully executed BAA.
      - No: Will it be an OHCA (Organized Health Care Arrangement) BAA?
        - No: if PHI is being exchanged, the agreement must be either an OHCA BAA or a Columbia BAA; return to the Columbia BAA branch above.
        - Yes:
          - Submit the OHCA BAA request, along with the service agreement, to the CUIMC Privacy Office.
          - The Columbia-signed OHCA BAA and a summary of services are submitted to the NYP PMO and WCM Privacy for review and signature.
          - NYP PMO and Legal review and sign.
          - If needed, WCM Privacy and Legal review and sign.
          - The OHCA BAA carrying all three institutions' signatures is sent to the vendor for signature.
            NOTE: If the vendor wants to change the language of the BAA, negotiation with CU, WCM, and NYP Privacy and Legal will be required.
          - Fully executed BAA.

* Columbia prefers obtaining the vendor's signature first; NYP prefers the vendor signing last.